From: Steffen Klassert <steffen.klassert@secunet.com>
To: Lemon Lam <almk@rmntn.net>
Cc: <herbert@gondor.apana.org.au>, <davem@davemloft.net>,
<netdev@vger.kernel.org>
Subject: Re: PROBLEM: xfrm: XFRMINSTATEMODEERROR for transport mode IPsec SA when IP VTI is active
Date: Fri, 4 Jan 2019 07:22:02 +0100
Message-ID: <20190104062202.GC3581@gauss3.secunet.de>
In-Reply-To: <9223b7dec124ef0089e0cc0ab04cd711@rmntn.net>
On Sat, Dec 22, 2018 at 06:38:57PM +0800, Lemon Lam wrote:
> Thanks Steffen, but I don't think it is the case.
>
> I shut down VTI interface toward another VPS and GRE on top of it,
> enabled the plain GRE for transport SA. It works on one end, but not for
> the other end which has to leave VTI with `remote any` up. How can the
> transport SA match this `remote any` VTI?

You did not show your SADB, so I can't tell exactly if this is the
case. On the receive side, we do a VTI tunnel lookup first. If
the received packet matches the tunnel endpoints of a VTI, we
take the key from the VTI and do a SA lookup. The packet must match
a tunnel mode SA and the xfrm mark of that SA must match the key
we got from the VTI. If there is no such SA, the packet is dropped.
In your case, with a `remote any` VTI, only the local VTI tunnel
endpoint must match the src address of the received packet to match
the VTI. If that's the case, you need a tunnel mode SA as described
above.
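As an added illustration of the receive-side lookup order described in the reply (this is a model written for this page, not code from the thread or from the kernel), the following Python simulates the two steps: VTI lookup by tunnel endpoints, then an SA lookup that requires tunnel mode and a mark equal to the VTI key. Addresses, the `ANY` marker and the SA records are constructed; the model keys SAs on endpoints only and assumes an exact remote match is preferred over a `remote any` VTI.

```python
from dataclasses import dataclass
from typing import List, Optional

ANY = "any"  # stands for a VTI configured with `remote any` (constructed marker)

@dataclass(frozen=True)
class Vti:
    local: str
    remote: str  # ANY when the VTI has a wildcard remote
    key: int     # the VTI ikey, used as the xfrm mark for the SA lookup

@dataclass(frozen=True)
class Sa:
    src: str
    dst: str
    mode: str    # "tunnel" or "transport"
    mark: int    # 0 when the SA carries no mark

def vti_lookup(vtis: List[Vti], pkt_src: str, pkt_dst: str) -> Optional[Vti]:
    """Model of the receive-side VTI lookup: a VTI whose local endpoint is the
    packet's destination and whose remote is the packet's source (or `any`)."""
    exact = [v for v in vtis if v.remote == pkt_src and v.local == pkt_dst]
    wild = [v for v in vtis if v.remote == ANY and v.local == pkt_dst]
    return (exact or wild or [None])[0]

def receive(vtis: List[Vti], sadb: List[Sa], pkt_src: str, pkt_dst: str) -> str:
    """Decide whether an inbound ESP packet between pkt_src and pkt_dst is accepted.
    Simplified: SAs are keyed on endpoints only (real lookups also use SPI/proto)."""
    vti = vti_lookup(vtis, pkt_src, pkt_dst)
    if vti is None:
        # No VTI claimed the packet: plain xfrm input, a transport-mode SA is fine here.
        for sa in sadb:
            if (sa.src, sa.dst) == (pkt_src, pkt_dst):
                return f"accept via {sa.mode} SA (no VTI)"
        return "drop: no SA"
    # The VTI claimed the packet, so its key is the mark used for the SA lookup,
    # and only a tunnel-mode SA carrying that mark can match.
    for sa in sadb:
        if (sa.src, sa.dst) == (pkt_src, pkt_dst) and sa.mode == "tunnel" and sa.mark == vti.key:
            return f"accept via VTI (key {vti.key}, tunnel SA)"
    return f"drop: VTI key {vti.key} found no tunnel-mode SA with mark {vti.key}"

# Constructed sample: one `remote any` VTI on the local host, and two SADBs.
VTIS = [Vti(local="203.0.113.1", remote=ANY, key=42)]
TRANSPORT_ONLY = [Sa("198.51.100.7", "203.0.113.1", "transport", 0)]
WITH_TUNNEL = TRANSPORT_ONLY + [Sa("198.51.100.7", "203.0.113.1", "tunnel", 42)]
```

Running `receive()` against `TRANSPORT_ONLY` reproduces the drop the reporter saw once the `remote any` VTI is up; `WITH_TUNNEL` shows the SA shape the reply asks for.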
Thread overview:
2018-12-15 11:02 PROBLEM: xfrm: XFRMINSTATEMODEERROR for transport mode IPsec SA when IP VTI is active Lemon Lam
2018-12-21 8:38 ` Steffen Klassert
2018-12-22 10:38 ` Lemon Lam
2019-01-04 6:22 ` Steffen Klassert [this message]