Date: Fri, 15 Feb 2019 13:11:59 +0300
From: Oleg
To: netdev@vger.kernel.org
Subject: ip xfrm policy, dir out vs dir fwd
Message-ID: <20190215101158.GA6926@legohost>

Hi, all.

I don't understand why I need to create a dir out policy for transit IPsec
traffic. For example (conf from 192.168.77.1; it acts as a gateway between
the world and the private network behind 192.168.77.35):

  ip xfrm policy add src 192.168.77.35 dst 0.0.0.0/0 dir fwd tmpl src 192.168.77.35 dst 192.168.77.1 proto esp reqid 1 mode tunnel
  ip xfrm policy add src 0.0.0.0/0 dst 192.168.77.35 dir fwd tmpl src 192.168.77.1 dst 192.168.77.35 proto esp reqid 2 mode tunnel

doesn't work. But:

  ip xfrm policy add src 192.168.77.35 dst 0.0.0.0/0 dir fwd tmpl src 192.168.77.35 dst 192.168.77.1 proto esp reqid 1 mode tunnel
  ip xfrm policy add src 0.0.0.0/0 dst 192.168.77.35 dir out tmpl src 192.168.77.1 dst 192.168.77.35 proto esp reqid 2 mode tunnel

works well.

Maybe somebody can help me with this?

Thanks!

-- 
Олег Неманов (Oleg Nemanov)
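Editor's note with an added example (not part of Oleg's mail): in Linux xfrm, an in/fwd policy is matched against packets that were already decapsulated from an inbound SA, so its template's dst must be the local endpoint, while only a dir out policy drives encapsulation, so its template's src must be the local endpoint. The script below lints "ip xfrm policy add" lines against that rule; it assumes 192.168.77.1 is the gateway's own address, as the mail describes, and the two policy sets are reconstructed from the mail.

```python
# Added example, not from the original mail. Assumption (Linux xfrm semantics):
# 'in'/'fwd' policies only check packets already decapsulated from an inbound
# SA (template dst == local address); encapsulation of forwarded traffic is
# driven by 'out' policies (template src == local address).
import shlex

TMPL_KEYS = ("src", "dst", "proto", "reqid", "mode", "spi", "level")

def parse_policy(cmd):
    """Parse one 'ip xfrm policy add ...' line into src/dst/dir plus templates."""
    toks = shlex.split(cmd)
    if toks[:4] != ["ip", "xfrm", "policy", "add"]:
        raise ValueError("not an 'ip xfrm policy add' command: " + cmd)
    pol = {"src": None, "dst": None, "dir": None, "tmpl": []}
    i = 4
    while i + 1 < len(toks):
        if toks[i] == "tmpl":
            tmpl, i = {}, i + 1
            while i + 1 < len(toks) and toks[i] in TMPL_KEYS:
                tmpl[toks[i]] = toks[i + 1]
                i += 2
            pol["tmpl"].append(tmpl)
        else:
            pol[toks[i]] = toks[i + 1]
            i += 2
    return pol

def lint_policies(cmds, local):
    """One warning per policy whose template points the wrong way for its dir."""
    warnings = []
    for cmd in cmds:
        p = parse_policy(cmd)
        for t in p["tmpl"]:
            sa = f"{t.get('src')}->{t.get('dst')}"
            if p["dir"] in ("in", "fwd") and t.get("dst") != local:
                warnings.append(f"dir {p['dir']} {p['src']}->{p['dst']}: template {sa} "
                                f"is not an inbound SA (dst != {local}); it never matches "
                                "decapsulated packets. Encapsulating towards the peer needs dir out.")
            elif p["dir"] == "out" and t.get("src") != local:
                warnings.append(f"dir out {p['src']}->{p['dst']}: template {sa} "
                                f"is not an outbound SA (src != {local}).")
    return warnings

# Constructed from the two configurations in the mail; 192.168.77.1 is the gateway.
BROKEN = [
    "ip xfrm policy add src 192.168.77.35 dst 0.0.0.0/0 dir fwd tmpl src 192.168.77.35 dst 192.168.77.1 proto esp reqid 1 mode tunnel",
    "ip xfrm policy add src 0.0.0.0/0 dst 192.168.77.35 dir fwd tmpl src 192.168.77.1 dst 192.168.77.35 proto esp reqid 2 mode tunnel",
]
WORKING = [BROKEN[0], BROKEN[1].replace("dir fwd", "dir out")]

if __name__ == "__main__":
    for name, cmds in (("broken", BROKEN), ("working", WORKING)):
        print(name, lint_policies(cmds, "192.168.77.1") or ["ok"])
```

The second policy of the first set is flagged because its template names the SA in the gateway-to-host direction, which a fwd policy can only check, never apply; the second set passes.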