From: "Timo Teräs" <timo.teras@iki.fi>
To: netdev@vger.kernel.org
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Subject: NBMA GRE over IPsec behind NAT
Date: Thu, 25 Sep 2008 10:51:32 +0300
Message-ID: <48DB4304.4050801@iki.fi>
I've been working on OpenNHRP (http://opennhrp.sf.net) to get Cisco DMVPN
support for Linux boxes. Basically it is NBMA GRE over IPsec, and the GRE
level private IP to public IP mapping is done via the NHRP protocol. OpenNHRP does
this by talking to the kernel neighbor cache.

I still haven't bumped into this problem (and probably won't for a while),
but it'd be good to solve it anyway. The problem is that, if I have multiple
IPsec nodes behind the same NAT box, that is, both have the same public IP but
different NAT original addresses, the NHRP private IP to public IP mapping is
not enough. Since NHRP knows the NAT-OA, it could indicate that back to the kernel
neighbor cache. ip_gre could then pass that information to the xfrm layer,
which could use that to decide the correct IPsec SA to use.

Now trying to figure out how this should be done. Maybe a new attribute to the
neighbor cache message? Or give both IP addresses in the NDA_LLADDR
attribute? And how could ip_gre pass that info to xfrm? Or maybe ip_gre
would not have to be touched, just make xfrm get the extra info from the
neighbor cache?

Thanks,
Timo
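The following is an added example, not code from the message above, from OpenNHRP or from the kernel. It models the situation the message describes in user-space Python: two DMVPN spokes behind one NAT box share a public IP, so a neighbor-cache entry that maps the GRE private address only to the public IP leaves two outbound SAs as candidates, while carrying the NAT original address (NAT-OA, RFC 3947) alongside the public IP makes the choice unique. The 8-byte "public IP followed by NAT-OA" layout for NDA_LLADDR is a hypothetical encoding of one of the options floated in the message, the `IPsecSA` structure is a simplification of an xfrm state, and all addresses and SPIs are constructed.

```python
"""Added example (not part of the original message, OpenNHRP or the kernel):
a small model of why a private-IP -> public-IP mapping alone cannot pick the
right IPsec SA when two NBMA peers sit behind the same NAT, and how carrying
the NAT original address (NAT-OA, RFC 3947) next to the public IP resolves it.
Addresses and SPIs are constructed; the 8-byte NDA_LLADDR layout is hypothetical."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class IPsecSA:
    """Outbound SA as the xfrm layer would see it (simplified model)."""
    spi: int
    dst: str                 # outer destination, i.e. the peer's public IP
    nat_oa: Optional[str]    # peer's NAT original address, None if not NATed


def encode_lladdr(public_ip: str, nat_oa: Optional[str] = None) -> bytes:
    """Pack the NBMA (public) address, optionally followed by the NAT-OA, into
    one blob. Hypothetical: models the 'both IPs in NDA_LLADDR' option."""
    blob = ipaddress.IPv4Address(public_ip).packed
    if nat_oa is not None:
        blob += ipaddress.IPv4Address(nat_oa).packed
    return blob


def decode_lladdr(blob: bytes) -> Tuple[str, Optional[str]]:
    """Inverse of encode_lladdr; rejects blobs that are neither 4 nor 8 bytes."""
    if len(blob) not in (4, 8):
        raise ValueError("NDA_LLADDR must carry one or two IPv4 addresses")
    public_ip = str(ipaddress.IPv4Address(blob[:4]))
    nat_oa = str(ipaddress.IPv4Address(blob[4:])) if len(blob) == 8 else None
    return public_ip, nat_oa


def select_sa(sadb: List[IPsecSA], public_ip: str,
              nat_oa: Optional[str] = None) -> IPsecSA:
    """Pick the SA for a packet towards public_ip. Without a NAT-OA hint the
    choice becomes ambiguous as soon as two peers share the public address."""
    candidates = [sa for sa in sadb if sa.dst == public_ip]
    if nat_oa is not None:
        candidates = [sa for sa in candidates if sa.nat_oa == nat_oa]
    if not candidates:
        raise LookupError(f"no SA towards {public_ip} (NAT-OA {nat_oa})")
    if len(candidates) > 1:
        raise LookupError(f"{len(candidates)} SAs towards {public_ip}; NAT-OA needed")
    return candidates[0]


def gre_xmit(neigh: Dict[str, bytes], sadb: List[IPsecSA], gre_peer: str,
             use_nat_oa: bool) -> int:
    """Resolve the GRE (private) peer through the neighbor cache, then choose
    the SA. Returns the SPI the packet would be protected with."""
    public_ip, nat_oa = decode_lladdr(neigh[gre_peer])
    sa = select_sa(sadb, public_ip, nat_oa if use_nat_oa else None)
    return sa.spi


# Constructed scenario: two spokes behind one NAT box (public 203.0.113.10),
# inner addresses 192.168.1.10 / .11, GRE tunnel addresses 10.0.0.2 / .3,
# plus one spoke (10.0.0.4) that is not behind NAT at all.
SADB = [
    IPsecSA(spi=0x1001, dst="203.0.113.10", nat_oa="192.168.1.10"),
    IPsecSA(spi=0x1002, dst="203.0.113.10", nat_oa="192.168.1.11"),
    IPsecSA(spi=0x1003, dst="198.51.100.7", nat_oa=None),
]
NEIGH = {
    "10.0.0.2": encode_lladdr("203.0.113.10", "192.168.1.10"),
    "10.0.0.3": encode_lladdr("203.0.113.10", "192.168.1.11"),
    "10.0.0.4": encode_lladdr("198.51.100.7"),
}


if __name__ == "__main__":
    for peer in NEIGH:
        try:
            print(peer, "public IP only ->", hex(gre_xmit(NEIGH, SADB, peer, False)))
        except LookupError as err:
            print(peer, "public IP only ->", err)
        print(peer, "with NAT-OA    ->", hex(gre_xmit(NEIGH, SADB, peer, True)))
```

Running it shows the two NATed spokes failing the public-IP-only lookup with an ambiguity error and resolving to distinct SPIs once the NAT-OA from the neighbor entry is applied; the non-NATed spoke resolves either way, which is the property any real change to the neighbor-cache or xfrm interface would have to preserve.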