<div dir="ltr"><div>Hi Thomas/Users,</div><div><br></div><div>Thanks for your reply.  I am trying to get the forwarded packets to be <span class="" id=":p2.1" tabindex="-1">ipsec</span> protected, where lan1 is forwarding packets to the net1 interface; both these interfaces are on the same Linux VM. What rules should I add to get the packets forwarded from one interface to the other?  I see packets on the lan1 interface, but the same are not forwarded to vnet1. I am expecting the forwarded packets to be protected when leaving the net1 interface. When the <span class="" id=":p2.4" tabindex="-1">ipsec</span> policies are not present, I see that the packets get forwarded.</div><div>Below are the <span class="" id=":p2.5" tabindex="-1">ipsec</span> policies present in my <span class="" id=":p2.6" tabindex="-1">VM</span>. </div><div><br></div><div><div>root@<span class="" id=":p2.7" tabindex="-1">ubuntu</span>:/etc# <span class="" id=":p2.8" tabindex="-1">ifconfig</span></div><div>lo        Link <span class="" id=":p2.9" tabindex="-1">encap</span>:Local <span class="" id=":p2.10" tabindex="-1">Loopback</span>  </div><div>          <span class="" id=":p2.11" tabindex="-1">inet</span> <span class="" id=":p2.12" tabindex="-1">addr</span>:127.0.0.1  Mask:255.0.0.0</div><div>          inet6 <span class="" id=":p2.13" tabindex="-1">addr</span>: ::1/128 Scope:Host</div><div>          UP <span class="" id=":p2.14" tabindex="-1">LOOPBACK</span> RUNNING  <span class="" id=":p2.15" tabindex="-1">MTU</span>:65536  Metric:1</div><div>          RX packets:0 errors:0 dropped:0 overruns:0 frame:0</div><div>          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0</div><div>          collisions:0 <span class="" id=":p2.16" tabindex="-1">txqueuelen</span>:0 </div><div>          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)</div><div><br></div><div>lan1     Link <span class="" id=":p2.17" tabindex="-1">encap</span>:Ethernet  <span class="" id=":p2.18" tabindex="-1">HWaddr</span> d2:c8:d9:72:30:18 
 </div><div>          <span class="" id=":p2.19" tabindex="-1">inet</span> <span class="" id=":p2.20" tabindex="-1">addr</span>:1.1.1.2  <span class="" id=":p2.21" tabindex="-1">Bcast</span>:1.1.1.255  Mask:255.255.255.0</div><div>          inet6 <span class="" id=":p2.22" tabindex="-1">addr</span>: fe80::d0c8:d9ff:fe72:3018/64 Scope:Link</div><div>          UP BROADCAST RUNNING <span class="" id=":p2.23" tabindex="-1">MULTICAST</span>  <span class="" id=":p2.24" tabindex="-1">MTU</span>:1500  Metric:1</div><div>          RX packets:7497 errors:0 dropped:0 overruns:0 frame:0</div><div>          TX packets:1667 errors:0 dropped:0 overruns:0 carrier:0</div><div>          collisions:0 <span class="" id=":p2.25" tabindex="-1">txqueuelen</span>:1000 </div><div>          RX bytes:667371 (667.3 KB)  TX bytes:159674 (159.6 KB)</div><div><br></div><div>net1     Link <span class="" id=":p2.26" tabindex="-1">encap</span>:Ethernet  <span class="" id=":p2.27" tabindex="-1">HWaddr</span> 4a:05:8e:91:83:ad  </div><div>          <span class="" id=":p2.28" tabindex="-1">inet</span> <span class="" id=":p2.29" tabindex="-1">addr</span>:10.8.13.2  <span class="" id=":p2.30" tabindex="-1">Bcast</span>:10.8.13.255  Mask:255.255.255.0</div><div>          inet6 <span class="" id=":p2.31" tabindex="-1">addr</span>: fe80::4805:8eff:fe91:83ad/64 Scope:Link</div><div>          UP BROADCAST RUNNING <span class="" id=":p2.32" tabindex="-1">MULTICAST</span>  <span class="" id=":p2.33" tabindex="-1">MTU</span>:1500  Metric:1</div><div>          RX packets:2554 errors:0 dropped:0 overruns:0 frame:0</div><div>          TX packets:4599 errors:0 dropped:0 overruns:0 carrier:0</div><div>          collisions:0 <span class="" id=":p2.34" tabindex="-1">txqueuelen</span>:1000 </div><div>          RX bytes:254035 (254.0 KB)  TX bytes:560363 (560.3 KB)</div></div><div><br></div><div><div>root@<span class="" id=":p2.35" tabindex="-1">ubuntu</span>:/home/<span class="" id=":p2.36" 
tabindex="-1">naveen</span>/working/<span class="" id=":p2.37" tabindex="-1">strongswan</span>-5.3.5# <span class="" id=":p2.38" tabindex="-1">ip</span> <span class="" id=":p2.39" tabindex="-1">xfrm</span> p </div><div><span class="" id=":p2.40" tabindex="-1">src</span> <a href="http://1.1.1.1/32">1.1.1.1/32</a> <span class="" id=":p2.41" tabindex="-1">dst</span> <a href="http://8.8.8.8/32">8.8.8.8/32</a> </div><div><span class="" style="white-space:pre">        </span><span class="" id=":p2.42" tabindex="-1">dir</span> in priority 0 </div><div><span class="" id=":p2.43" tabindex="-1">src</span> <a href="http://0.0.0.0/0">0.0.0.0/0</a> <span class="" id=":p2.44" tabindex="-1">dst</span> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div><span class="" style="white-space:pre">    </span><span class="" id=":p2.45" tabindex="-1">dir</span> fwd priority 3075 </div><div><span class="" style="white-space:pre">  </span><span class="" id=":p2.46" tabindex="-1">tmpl</span> <span class="" id=":p2.47" tabindex="-1">src</span> 199.168.148.132 <span class="" id=":p2.48" tabindex="-1">dst</span> 10.8.13.2</div><div><span class="" style="white-space:pre">               </span><span class="" id=":p2.49" tabindex="-1">proto</span> esp <span class="" id=":p2.50" tabindex="-1">reqid</span> 1 mode tunnel</div><div><span class="" id=":p2.51" tabindex="-1">src</span> <a href="http://0.0.0.0/0">0.0.0.0/0</a> <span class="" id=":p2.52" tabindex="-1">dst</span> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div><span class="" style="white-space:pre">        </span><span class="" id=":p2.53" tabindex="-1">dir</span> in priority 3075 </div><div><span class="" style="white-space:pre">   </span><span class="" id=":p2.54" tabindex="-1">tmpl</span> <span class="" id=":p2.55" tabindex="-1">src</span> 199.168.148.132 <span class="" id=":p2.56" tabindex="-1">dst</span> 10.8.13.2</div><div><span class="" style="white-space:pre">               </span><span class="" id=":p2.57" 
tabindex="-1">proto</span> esp <span class="" id=":p2.58" tabindex="-1">reqid</span> 1 mode tunnel</div><div><span class="" id=":p2.59" tabindex="-1">src</span> <a href="http://0.0.0.0/0">0.0.0.0/0</a> <span class="" id=":p2.60" tabindex="-1">dst</span> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div><span class="" style="white-space:pre">        </span><span class="" id=":p2.61" tabindex="-1">dir</span> out priority 3075 </div><div><span class="" style="white-space:pre">  </span><span class="" id=":p2.62" tabindex="-1">tmpl</span> <span class="" id=":p2.63" tabindex="-1">src</span> 10.8.13.2 <span class="" id=":p2.64" tabindex="-1">dst</span> 199.168.148.132</div><div><span class="" style="white-space:pre">               </span><span class="" id=":p2.65" tabindex="-1">proto</span> esp <span class="" id=":p2.66" tabindex="-1">reqid</span> 1 mode tunnel</div><div><span class="" id=":p2.67" tabindex="-1">src</span> <a href="http://0.0.0.0/0">0.0.0.0/0</a> <span class="" id=":p2.68" tabindex="-1">dst</span> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div><span class="" style="white-space:pre">        </span>socket in priority 0 </div><div><span class="" id=":p2.69" tabindex="-1">src</span> <a href="http://0.0.0.0/0">0.0.0.0/0</a> <span class="" id=":p2.70" tabindex="-1">dst</span> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div><span class="" style="white-space:pre">   </span>socket out priority 0 </div><div><span class="" id=":p2.71" tabindex="-1">src</span> <a href="http://0.0.0.0/0">0.0.0.0/0</a> <span class="" id=":p2.72" tabindex="-1">dst</span> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div><span class="" style="white-space:pre">  </span>socket in priority 0 </div><div><span class="" id=":p2.73" tabindex="-1">src</span> <a href="http://0.0.0.0/0">0.0.0.0/0</a> <span class="" id=":p2.74" tabindex="-1">dst</span> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div><span class="" style="white-space:pre">   </span>socket out priority 0 
</div><div><span class="" id=":p2.75" tabindex="-1">src</span> ::/0 <span class="" id=":p2.76" tabindex="-1">dst</span> ::/0 </div><div><span class="" style="white-space:pre">      </span>socket in priority 0 </div><div><span class="" id=":p2.77" tabindex="-1">src</span> ::/0 <span class="" id=":p2.78" tabindex="-1">dst</span> ::/0 </div><div><span class="" style="white-space:pre">       </span>socket out priority 0 </div><div><span class="" id=":p2.79" tabindex="-1">src</span> ::/0 <span class="" id=":p2.80" tabindex="-1">dst</span> ::/0 </div><div><span class="" style="white-space:pre">      </span>socket in priority 0 </div><div><span class="" id=":p2.81" tabindex="-1">src</span> ::/0 <span class="" id=":p2.82" tabindex="-1">dst</span> ::/0 </div><div><span class="" style="white-space:pre">       </span>socket out priority 0</div></div><div><br></div><div><div>root@<span class="" id=":p2.83" tabindex="-1">ubuntu</span>:/etc# <span class="" id=":p2.84" tabindex="-1">ip</span> <span class="" id=":p2.85" tabindex="-1">xfrm</span> s </div><div><span class="" id=":p2.86" tabindex="-1">src</span> 10.8.13.2 <span class="" id=":p2.87" tabindex="-1">dst</span> 199.168.148.132</div><div><span class="" style="white-space:pre">        </span><span class="" id=":p2.88" tabindex="-1">proto</span> esp <span class="" id=":p2.89" tabindex="-1">spi</span> 0x00f81546 <span class="" id=":p2.90" tabindex="-1">reqid</span> 1 mode tunnel</div><div><span class="" style="white-space:pre"> </span>replay-window 32 flag <span class="" id=":p2.91" tabindex="-1">af</span>-<span class="" id=":p2.92" tabindex="-1">unspec</span></div><div><span class="" style="white-space:pre">        </span><span class="" id=":p2.93" tabindex="-1">auth</span>-<span class="" id=":p2.94" tabindex="-1">trunc</span> <span class="" id=":p2.95" tabindex="-1">hmac</span>(md5) 0x0f2339e9967a471fdf21022e3fb56e6b 96</div><div><span class="" style="white-space:pre">   </span>enc <span class="" id=":p2.96" 
tabindex="-1">ecb</span>(cipher_null) </div><div><span class="" style="white-space:pre">   </span><span class="" id=":p2.97" tabindex="-1">encap</span> type <span class="" id=":p2.98" tabindex="-1">espinudp</span> sport 4500 <span class="" id=":p2.99" tabindex="-1">dport</span> 4500 <span class="" id=":p2.100" tabindex="-1">addr</span> 0.0.0.0</div><div><span class="" id=":p2.101" tabindex="-1">src</span> 199.168.148.132 <span class="" id=":p2.102" tabindex="-1">dst</span> 10.8.13.2</div><div><span class="" style="white-space:pre">      </span><span class="" id=":p2.103" tabindex="-1">proto</span> esp <span class="" id=":p2.104" tabindex="-1">spi</span> 0xc59caeda <span class="" id=":p2.105" tabindex="-1">reqid</span> 1 mode tunnel</div><div><span class="" style="white-space:pre">      </span>replay-window 32 flag <span class="" id=":p2.106" tabindex="-1">af</span>-<span class="" id=":p2.107" tabindex="-1">unspec</span></div><div><span class="" style="white-space:pre">      </span><span class="" id=":p2.108" tabindex="-1">auth</span>-<span class="" id=":p2.109" tabindex="-1">trunc</span> <span class="" id=":p2.110" tabindex="-1">hmac</span>(md5) 0x29b22fbf6924301429552dc996118e72 96</div><div><span class="" style="white-space:pre">        </span>enc <span class="" id=":p2.111" tabindex="-1">ecb</span>(cipher_null) </div><div><span class="" style="white-space:pre">  </span><span class="" id=":p2.112" tabindex="-1">encap</span> type <span class="" id=":p2.113" tabindex="-1">espinudp</span> sport 4500 <span class="" id=":p2.114" tabindex="-1">dport</span> 4500 <span class="" id=":p2.115" tabindex="-1">addr</span> 0.0.0.0</div></div><div><br></div><div>
<p class=""><span class=""><span class="" id=":p2.116" tabindex="-1">iptables</span> -t <span class="" id=":p2.117" tabindex="-1">nat</span> -A <span class="" id=":p2.118" tabindex="-1">POSTROUTING</span> -o vnet1 -j MASQUERADE</span><br>echo 1 > /<span class="" id=":p2.119" tabindex="-1">proc</span>/<span class="" id=":p2.120" tabindex="-1">sys</span>/net/ipv4/<span class="" id=":p2.121" tabindex="-1">ip</span>_forward</p></div><div><span class="" id=":p2.122" tabindex="-1">tcpdump</span> -i lan1 -<span class="" id=":p2.123" tabindex="-1">nl</span> </div><div><span class="" id=":p2.124" tabindex="-1">tcpdump</span>: verbose output suppressed, use -v or -<span class="" id=":p2.125" tabindex="-1">vv</span> for full protocol decode</div><div>listening on lan1, link-type EN10MB (Ethernet), capture size 65535 bytes</div><div>12:16:14.863442 <span class="" id=":p2.126" tabindex="-1">IP</span> 1.1.1.1 > <a href="http://8.8.8.8">8.8.8.8</a>: <span class="" id=":p2.127" tabindex="-1">ICMP</span> echo request, id 31387, seq 246, length 64</div><div>12:16:15.863621 <span class="" id=":p2.128" tabindex="-1">IP</span> 1.1.1.1 > <a href="http://8.8.8.8">8.8.8.8</a>: <span class="" id=":p2.129" tabindex="-1">ICMP</span> echo request, id 31387, seq 247, length 64</div><div><br></div><div><span class="" id=":p2.130" tabindex="-1">tcpdump</span> -i vnet1 -<span class="" id=":p2.131" tabindex="-1">nl</span><br></div><div><br></div><div><div>root@<span class="" id=":p2.132" tabindex="-1">ubuntu</span>:/etc# <span class="" id=":p2.133" tabindex="-1">ip</span> route </div><div>default via 10.8.13.1 <span class="" id=":p2.134" tabindex="-1">dev</span> vnet1 </div><div><a href="http://1.1.1.0/24">1.1.1.0/24</a> <span class="" id=":p2.135" tabindex="-1">dev</span> vlan1  <span class="" id=":p2.136" tabindex="-1">proto</span> kernel  scope link  <span class="" id=":p2.137" tabindex="-1">src</span> 1.1.1.2 </div><div><a href="http://10.8.13.0/24">10.8.13.0/24</a> <span class="" 
id=":p2.138" tabindex="-1">dev</span> vnet1  <span class="" id=":p2.139" tabindex="-1">proto</span> kernel  scope link  <span class="" id=":p2.140" tabindex="-1">src</span> 10.8.13.2 </div></div><div><br></div><div>Let me know for any other information required. </div><div><br></div><div>Thanks</div><div><span class="" id=":p2.141" tabindex="-1">Naveen</span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Mar 23, 2016 at 12:23 AM, Thomas Egerer <span dir="ltr"><<a href="mailto:hakke_007@gmx.de" target="_blank">hakke_007@gmx.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div class="h5"><br>
On March 23, 2016 4:02:48 AM GMT+01:00, Naveen Neelakanta <<a href="mailto:naveen.b.neelakanta@gmail.com">naveen.b.neelakanta@gmail.com</a>> wrote:<br>
>Hello,<br>
><br>
>Is it possible to configure strongSwan not to add the below default<br>
>policy rules?<br>
>I am running strongSwan in a TEST namespace on Linux and I don't see<br>
>the ARP working from the root namespace to the namespace interface.  I<br>
>would like to know why ARP between the root namespace and Test<br>
>namespace is not working if I have the below policy rules. I have used<br>
>a veth pair to connect the namespace and root.<br>
><br>
>src <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
>        socket in priority 0<br>
>src <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
>        socket out priority 0<br>
>src <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
>        socket in priority 0<br>
>src <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
>        socket out priority 0<br>
>src ::/0 dst ::/0<br>
>        socket in priority 0<br>
>src ::/0 dst ::/0<br>
>        socket out priority 0<br>
>src ::/0 dst ::/0<br>
>        socket in priority 0<br>
>src ::/0 dst ::/0<br>
>        socket out priority 0<br>
><br>
>Thanks,<br>
>Naveen<br>
</div></div>>_______________________________________________<br>
>Users mailing list<br>
><a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br>
><a href="https://lists.strongswan.org/mailman/listinfo/users" rel="noreferrer" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br>
<br>
These socket policies are essential to charon to bypass the xfrm stack of the kernel. You cannot remove them.<br>
<br>
<br>
Thomas<br>
- --<br>
Sent from a mobile device. Please excuse my brevity.<br>
<br>
</blockquote></div><br></div>
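An added example, not code from the thread or from strongSwan: it models the kernel's xfrm policy lookup over the in/fwd/out policies listed in the post above (copied in as constructed sample data), under the rule that an in or fwd policy carrying an ESP template is satisfied only by packets decapsulated from a matching SA. Run against the ping seen on lan1, it shows the cleartext forwarded packet hitting the catch-all fwd policy and being dropped, which matches forwarding working once the policies are gone.

```python
"""Added example, not code from the thread or from strongSwan: a model of the
Linux xfrm policy lookup, run over the in/fwd/out policies Naveen listed."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Policy:
    src: str
    dst: str
    direction: str          # "in", "out" or "fwd"
    priority: int           # lower value wins, as in the kernel
    tmpl: tuple = None      # (outer src, outer dst) when ESP is required

# Constructed sample input: the non-socket policies from `ip xfrm p` in the post.
# The "socket" bypass policies belong to charon and are not part of this lookup.
POLICIES = [
    Policy("1.1.1.1/32", "8.8.8.8/32", "in", 0),
    Policy("0.0.0.0/0", "0.0.0.0/0", "fwd", 3075, ("199.168.148.132", "10.8.13.2")),
    Policy("0.0.0.0/0", "0.0.0.0/0", "in", 3075, ("199.168.148.132", "10.8.13.2")),
    Policy("0.0.0.0/0", "0.0.0.0/0", "out", 3075, ("10.8.13.2", "199.168.148.132")),
]

def lookup(policies, direction, src, dst):
    """Best matching policy for a flow: selector match, then lowest priority value."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies if p.direction == direction
            and s in ipaddress.ip_network(p.src) and d in ipaddress.ip_network(p.dst)]
    return min(hits, key=lambda p: p.priority, default=None)

def verdict(policies, direction, src, dst, arrived_via_sa=None):
    """What xfrm does with the packet.  arrived_via_sa is the (outer src, outer dst)
    of the ESP SA the packet was decapsulated from, or None for cleartext.
    An in/fwd policy carrying a template is satisfied only by packets that came
    through a matching SA; a cleartext packet matching it is dropped.  An out
    policy with a template sends the packet through that tunnel."""
    p = lookup(policies, direction, src, dst)
    if p is None:
        return "no policy: pass unprotected"
    if p.tmpl is None:
        return "match, no template: pass unprotected"
    if direction == "out":
        return "match: encapsulate in ESP tunnel %s -> %s" % p.tmpl
    if arrived_via_sa == p.tmpl:
        return "match: arrived through the required SA, pass"
    return "match: policy requires ESP from %s, cleartext packet dropped" % p.tmpl[0]

if __name__ == "__main__":
    # The ping seen on lan1 (1.1.1.1 -> 8.8.8.8) is forwarded traffic, so the
    # catch-all fwd policy is checked before any out policy could tunnel it.
    print("fwd:", verdict(POLICIES, "fwd", "1.1.1.1", "8.8.8.8"))
    print("out:", verdict(POLICIES, "out", "1.1.1.1", "8.8.8.8"))
```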