farp Plugin
Purpose
The farp plugin for libcharon fakes ARP responses for requests for
addresses such as a virtual IP address assigned to a peer.
The plugin is disabled by default and can be enabled with the
./configure option
--enable-farp
Behavior
With the plugin enabled, the IKEv2 daemon responds with its own MAC address
to ARP requests for IP addresses in the remote traffic selectors. These are
e.g. virtual IP addresses that were handed out to clients, but they could
also be complete subnets.
In combination with the dhcp plugin this plugin lets a
road-warrior fully act as a client on the local LAN of the responder.
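The decision described above, as an added example that is not strongSwan's own code: a simplified Python model of which ARP requests are answered when the remote traffic selectors hold one virtual IP and one complete subnet. The function names, MAC addresses and documentation-range IP addresses are constructed for illustration.

```python
import ipaddress
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_LEN = struct.calcsize(ARP_FMT)  # 28 bytes for Ethernet/IPv4
ARP_REQUEST, ARP_REPLY = 1, 2


def covered(addr, remote_ts):
    """True if addr lies inside any remote traffic selector (host or subnet)."""
    return any(addr in ipaddress.ip_network(ts) for ts in remote_ts)


def proxy_arp_reply(packet, own_mac, remote_ts):
    """Return the ARP reply for a request, or None if it must be ignored."""
    if len(packet) < ARP_LEN:
        return None  # truncated packet
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(
        ARP_FMT, packet[:ARP_LEN])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, ARP_REQUEST):
        return None  # only Ethernet/IPv4 requests are considered
    if not covered(ipaddress.IPv4Address(tpa), remote_ts):
        return None  # address is not tunnelled to a peer
    # Answer for the requested IP with the gateway's own MAC address.
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY,
                       own_mac, tpa, sha, spa)


def make_request(sender_mac, sender_ip, target_ip):
    """Build a constructed ARP request used as sample input."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REQUEST, sender_mac,
                       ipaddress.IPv4Address(sender_ip).packed, bytes(6),
                       ipaddress.IPv4Address(target_ip).packed)


# Constructed sample data: made-up MACs, documentation address ranges.
GW_MAC = bytes.fromhex("020000000001")
HOST_MAC = bytes.fromhex("020000000abc")
REMOTE_TS = ["192.0.2.10/32", "198.51.100.0/24"]  # virtual IP and a subnet

if __name__ == "__main__":
    for target in ("192.0.2.10", "192.0.2.11", "198.51.100.77"):
        request = make_request(HOST_MAC, "192.0.2.1", target)
        reply = proxy_arp_reply(request, GW_MAC, REMOTE_TS)
        print(target, "answered" if reply else "ignored")
```

With the /24 selector the gateway answers for every address in that subnet, not only for addresses actually handed out to clients.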
Limitations
Since strongSwan version 5.9.2 the plugin also works on Mac OSX and FreeBSD.
That wasn’t the case for previous versions due to the implementation relying on
AF/PF_PACKET sockets only. If you use such a version or don’t have the plugin
available for other reasons, ARP proxying for virtual IP
addresses can be achieved via the arp(8) utility and an
updown script, e.g.
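    case "$PLUTO_VERB" in
    up-client)
        # publish a proxy ARP entry for the peer's virtual IP
        arp -s "${PLUTO_PEER_SOURCEIP4_1}" auto pub
        ;;
    down-client)
        # remove the published entry when the tunnel goes down
        arp -d "${PLUTO_PEER_SOURCEIP4_1}" pub
        ;;
    esac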