From: jamal <hadi@cyberus.ca>
To: Wolfgang Walter <wolfgang.walter@studentenwerk.mhn.de>
Cc: Herbert Xu <herbert@gondor.apana.org.au>, netdev@oss.sgi.com
Subject: Re: Problem with IPSEC tunnel mode
Date: Fri, 22 Apr 2005 08:14:44 -0400 [thread overview]
Message-ID: <1114172084.7679.15.camel@localhost.localdomain> (raw)
In-Reply-To: <200504221342.10675.wolfgang.walter@studentenwerk.mhn.de>
[-- Attachment #1: Type: text/plain, Size: 1807 bytes --]
On Fri, 2005-22-04 at 13:42 +0200, Wolfgang Walter wrote:
> Am Freitag, 22. April 2005 02:18 schrieb jamal:
[..]
> > So i was wondering whether they OUT shouldnt be just a duplicate of
> > FWD (instead FWD seems to be the dup of IN). Look at that sample i
> > posted - all his policies look like that. What gives? Why are the IN and
> > FWD exactly the same? bug in racoon/setkey?
> No. XFRM_POLICY_IN is only checked for incoming packets which are delivered
> locally.
>
For encrypted packets
> XFRM_POLICY_FWD is checked for incoming packets which are routed.
>
For non-encrypted packets to be forwarded.
> That our XFRM_POLICY_IN matches XFRM_POLICY_FWD is more for convenience: if a
> subnet is connected directly to a router we want to treat the interface
> address of the router itself the same way. Instead of constructing special
> rules which exactly match the interface address we simply use the same rule
> as for forwarding.
>
Ok, so it was design intent then.
> XFRM_POLICY_OUT ist checked for every outgoing packet, be it locally generated
> be it routed (which is different from netfilter).
>
> This asymmetry is a little bit inconsequent. Probably one should really have
> XFRM_POLICY_FWD_IN and XFRM_POLICY_FWD_OUT. But XFRM_POLICY_OUT would mainly
> be a copy of XFRM_POLICY_FWD_OUT then, I think.
>
I did notice racoon or even setkey (version 0.5) for some rules (need to investigate)
would install two policy rules when i installed only one i.e racoon will install
one in OUT and other in FWD direction.
Example script and setkey -DP output attached. In this case i install
two rules, but for one of them an extra rule is installed. Actually the
pattern is quiet repeatable as you add more rules. This may also be what
is happening to you maybe?
cheers,
jamal
[-- Attachment #2: sample.conf --]
[-- Type: text/plain, Size: 305 bytes --]
#!/usr/sbin/setkey -f
# Flush the SAD and SPD
flush;
spdflush;
spdadd 192.168.3.10 192.168.2.100 any -P out ipsec
esp/transport//require
ah/transport//require;
spdadd 192.168.2.100 192.168.3.10 any -P in ipsec
esp/transport//require
ah/transport//require;
[-- Attachment #3: setkey_output --]
[-- Type: text/plain, Size: 681 bytes --]
192.168.2.100[any] 192.168.3.10[any] any
in ipsec
esp/transport//require
ah/transport//require
created: Apr 22 08:06:28 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=8 seq=2 pid=8236
refcnt=1
192.168.3.10[any] 192.168.2.100[any] any
out ipsec
esp/transport//require
ah/transport//require
created: Apr 22 08:06:28 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1 seq=1 pid=8236
refcnt=1
192.168.2.100[any] 192.168.3.10[any] any
fwd ipsec
esp/transport//require
ah/transport//require
created: Apr 22 08:06:28 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=18 seq=0 pid=8236
refcnt=1
next prev parent reply other threads:[~2005-04-22 12:14 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-04-20 15:37 Problem with IPSEC tunnel mode Wolfgang Walter
2005-04-21 12:57 ` Herbert Xu
2005-04-21 14:40 ` Wolfgang Walter
2005-04-21 21:46 ` Herbert Xu
2005-04-21 23:50 ` jamal
2005-04-21 23:58 ` Herbert Xu
2005-04-22 0:13 ` Patrick McHardy
2005-04-22 0:18 ` jamal
2005-04-22 0:54 ` Herbert Xu
2005-04-22 11:42 ` Wolfgang Walter
2005-04-22 12:14 ` jamal [this message]
2005-04-22 13:22 ` Wolfgang Walter
2005-04-22 13:27 ` Herbert Xu
2005-04-22 13:48 ` Wolfgang Walter
2005-04-22 13:53 ` Herbert Xu
2005-04-23 17:49 ` jamal
2005-04-23 17:52 ` David S. Miller
2005-04-23 21:03 ` Wolfgang Walter
2005-04-24 22:08 ` jamal
2005-04-22 0:40 ` Wolfgang Walter
2005-04-22 1:04 ` Herbert Xu
2005-04-22 9:37 ` Wolfgang Walter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1114172084.7679.15.camel@localhost.localdomain \
--to=hadi@cyberus.ca \
--cc=herbert@gondor.apana.org.au \
--cc=netdev@oss.sgi.com \
--cc=wolfgang.walter@studentenwerk.mhn.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).