ip xfrm policy semantics

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Timo Teräs

Date: Friday, January 9, 2009 - 7:16 am

Hi,

I'm trying to setup a vpnc gateway device that is a part of Cisco DMVPN and also
generic NAT gateway to Internet.

The DMVPN part is achieved by a gre tunnel, which is protected by IPsec xfrm
policy.

So I want to encrypt all GRE traffic that is to/from the local box, thus I have:
src 0.0.0.0/0 dst 0.0.0.0/0 proto gre 
	dir in priority 2147483648 ptype main 
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
src 0.0.0.0/0 dst 0.0.0.0/0 proto gre 
	dir out priority 2147483648 ptype main 
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport

Which works perfect for the DMVPN part.

Now, I have a second device behind a subnet, that wants to talk to Internet
using PPTP (which ends up sending GRE packets). So what I want is that locally
generated / received packages should be protected by the ipsec policy. But
forwarded GRE packets (that are masqueraded) should not get any xfrm treatment.

It looks like that if xfrm out policy still affects the forwarded packets.
If I add an overriding policy for the PPTP server, things seem to work
better. But I'd rather not do that as it's a bit hacky.

I was not able to find any authoritative place how netfilter and xfrm policies
and routing interact. The only thing I found was [1], but that seems to be
inaccurate. Anyone care to shed light on this part?

Thanks,
  Timo

[1] http://www.strongswan.org/docs/netfilter.pdf

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

ip xfrm policy semantics, Timo Teräs, (Fri Jan 9, 7:16 am)

Re: ip xfrm policy semantics, Timo Teräs, (Fri Jan 9, 10:09 am)

Re: ip xfrm policy semantics, Timo Teräs, (Fri Jan 9, 12:21 pm)


linux-kernel:
Greg Kroah-Hartman	[PATCH 041/196] kobject: add kobject_init_and_add function
Lukas Hejtmanek	Re: Another libata error related to OCZ SSD
Greg Kroah-Hartman	[PATCH 023/196] MCP_UCB1200: Convert from class_device to device
Florian Fainelli	Re: System clock runs too fast after 2.6.27 -> 2.6.28.1 upgrade
Christoph Lameter	[patch 1/4] mmu_notifier: Core code
git:
Johannes Schindelin	Re: [PATCH 1/2] Add strbuf_initf()
John Bito	[EGIT] Push to GitHub caused corruption
Jakub Narebski	Re: [PATCH 0/2] gitweb: patch view
Junio C Hamano	Re: [PATCH] When a remote is added but not fetched, tell the user.
Andy Parkins	Re: [RFC] Submodules in GIT
git-commits-head:
Linux Kernel Mailing List	ahci: Workaround HW bug for SB600/700 SATA controller PMP support
Linux Kernel Mailing List	V4L/DVB (11086): au0828: rename macro for currently non-function VBI support
Linux Kernel Mailing List	ceph: client types
Linux Kernel Mailing List	ceph: on-wire types
Linux Kernel Mailing List	crypto: chainiv - Use kcrypto_wq instead of keventd_wq
linux-netdev:
Andrew Morton	Re: [Bugme-new] [Bug 14969] New: b44: WOL does not work in suspended state
Giuseppe CAVALLARO	Re: [PATCH 03/13] stmmac: add the new Header file for stmmac platform data
Taku Izumi	[PATCH 3/3] ixgbe: add registers etc. printout code just before resetting adapters
Eric Dumazet	rps: some comments
Thomas Gleixner	Re: [RFC PATCH 02/12] On Tue, 23 Sep 2008, David Miller wrote:
openbsd-misc:
Stephan Andreas	problems with login after xlock in OpenBSD release 4.7
pmc	Make A Change. Alcoholism and Drug Addiction Treatment
ropers	Re: what exactly is enc0?
Fuad NAHDI	Re: What does your environment look like?
Matthew Szudzik	Typo on OpenBSD 4.4 CD Set