netdev.vger.kernel.org archive mirror
* ip xfrm policy, dir out vs dir fwd
@ 2019-02-15 10:11 Oleg
From: Oleg @ 2019-02-15 10:11 UTC (permalink / raw)
  To: netdev

  Hi, all.

I don't understand why I need to create a dir out policy for transit
IPsec traffic?

For example (conf from 192.168.77.1; it acts as a gateway between the world and
the private network behind 192.168.77.35):

ip xfrm policy add src 192.168.77.35 dst 0.0.0.0/0 dir fwd tmpl src 192.168.77.35 dst 192.168.77.1 proto esp reqid 1 mode tunnel
ip xfrm policy add src 0.0.0.0/0 dst 192.168.77.35 dir fwd tmpl src 192.168.77.1 dst 192.168.77.35 proto esp reqid 2 mode tunnel

doesn't work. But:

ip xfrm policy add src 192.168.77.35 dst 0.0.0.0/0 dir fwd tmpl src 192.168.77.35 dst 192.168.77.1 proto esp reqid 1 mode tunnel
ip xfrm policy add src 0.0.0.0/0 dst 192.168.77.35 dir out tmpl src 192.168.77.1 dst 192.168.77.35 proto esp reqid 2 mode tunnel

works well.

Maybe somebody can help me with this?

Thanks!

-- 
Олег Неманов (Oleg Nemanov)
