[strongSwan-dev] What is the purpose of kernel's IPsec IN policies?

Sebastian Wurst wurstsebastian80 at gmail.com
Wed Jul 30 06:53:34 CEST 2014


I know that the IPsec OUT policy is used to determine which egress packets need
to be encrypted in the "XFRM lookup" box [
http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
].

But what is the purpose of the IPsec IN policy? I verified with ping and
tcpdump that packets were still successfully encrypted and decrypted even
if I don't have any IPsec IN policies (see the "ip xfrm" commands below, which I
executed on both hosts; I also removed strongSwan from the picture here
for clarity).

SRC=1.1.1.10; # swap SRC with DST on the peer
DST=2.1.1.10;

KEY1=0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa   # 256-bit HMAC-SHA256 key
KEY2=0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb   # 256-bit AES key
ID=0x00000001                                                             # used as both SPI and reqid

# start from an empty SAD and SPD
ip xfrm state flush; ip xfrm policy flush
# one transport-mode SA per direction; the selector covers all traffic
ip xfrm state add src $DST dst $SRC proto esp spi $ID reqid $ID mode transport \
    auth sha256 $KEY1 enc aes $KEY2 sel src 0.0.0.0/0 dst 0.0.0.0/0
ip xfrm state add src $SRC dst $DST proto esp spi $ID reqid $ID mode transport \
    auth sha256 $KEY1 enc aes $KEY2 sel src 0.0.0.0/0 dst 0.0.0.0/0
# only an OUT policy: egress to $DST is matched to the outbound SA via reqid;
# no "dir in" (or "dir fwd") policy is installed
ip xfrm policy add src $SRC dst $DST dir out tmpl src $SRC dst $DST proto esp \
    reqid $ID mode transport
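An added reproduction of the setup above, written for this page and not part of the original post or of strongSwan: the two hosts become two network namespaces on one Linux machine, the SAs and OUT policies are installed exactly as in the post, and a cleartext echo request is then sent from the DST side before and after an IN policy is added on the SRC side. The namespace and interface names (`left`, `right`, `veth-l`, `veth-r`) and the `XFRM_LAB` gate are assumptions made for this example; addresses, keys and SPI are the post's. The behaviour it exercises is the kernel's input policy check (`xfrm_policy_check`), which runs on received packets after any ESP decapsulation: with no IN policy, a packet for the selector is accepted whether or not it was protected; with an IN policy carrying an ESP template, a cleartext packet has no matching security path, is dropped, and is counted under `XfrmInTmplMismatch` in `/proc/net/xfrm_stat`. Run it as root with `XFRM_LAB=1`; without that it only prints a notice, so the counter parser can be exercised anywhere.

```shell
#!/bin/sh
# Added example (not from the original post): two network namespaces on one
# Linux host stand in for the two hosts. Names left/right/veth-l/veth-r and
# the XFRM_LAB gate are assumptions for this example; addresses, keys and
# SPI are the post's. Needs root and iproute2 with namespace support.
set -e

SRC=1.1.1.10; DST=2.1.1.10            # left owns SRC, right owns DST
KEY1=0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa   # 256-bit HMAC key
KEY2=0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb   # 256-bit AES key
ID=0x00000001

L() { ip netns exec left  "$@"; }     # run a command as the SRC peer
R() { ip netns exec right "$@"; }     # run a command as the DST peer

# Print one counter from xfrm_stat text read on stdin (0 if the line is absent),
# e.g.  ip netns exec left cat /proc/net/xfrm_stat | xfrm_stat XfrmInTmplMismatch
xfrm_stat() { awk -v n="$1" '$1 == n { c = $2 } END { print c + 0 }'; }

setup_lab() {
  ip netns add left; ip netns add right
  ip link add veth-l type veth peer name veth-r
  ip link set veth-l netns left; ip link set veth-r netns right
  L ip addr add "$SRC/24" dev veth-l; R ip addr add "$DST/24" dev veth-r
  L ip link set lo up; L ip link set veth-l up
  R ip link set lo up; R ip link set veth-r up
  # the two addresses are on different subnets, so reach the peer on-link
  L ip route add "$DST/32" dev veth-l; R ip route add "$SRC/32" dev veth-r
}

# Both SAs on both peers and an OUT policy on each, as in the post.
install_sas_and_out_policies() {
  for ns in left right; do
    ip netns exec "$ns" ip xfrm state add src "$DST" dst "$SRC" proto esp spi "$ID" reqid "$ID" \
      mode transport auth sha256 "$KEY1" enc aes "$KEY2" sel src 0.0.0.0/0 dst 0.0.0.0/0
    ip netns exec "$ns" ip xfrm state add src "$SRC" dst "$DST" proto esp spi "$ID" reqid "$ID" \
      mode transport auth sha256 "$KEY1" enc aes "$KEY2" sel src 0.0.0.0/0 dst 0.0.0.0/0
  done
  L ip xfrm policy add src "$SRC" dst "$DST" dir out tmpl src "$SRC" dst "$DST" proto esp reqid "$ID" mode transport
  R ip xfrm policy add src "$DST" dst "$SRC" dir out tmpl src "$DST" dst "$SRC" proto esp reqid "$ID" mode transport
}

# The policy the post leaves out: packets DST->SRC arriving at left must have
# come through the ESP SA with this reqid, otherwise the kernel drops them.
add_in_policy_on_left() {
  L ip xfrm policy add src "$DST" dst "$SRC" dir in tmpl src "$DST" dst "$SRC" proto esp reqid "$ID" mode transport
}

# Send one echo request right->left in the clear: right's OUT policy is
# removed for the probe so the request is not encrypted; left still encrypts
# its reply and right still holds the SA to decrypt it. Returns 0 if the
# cleartext request was answered, and prints the XfrmInTmplMismatch delta on left.
cleartext_probe() {
  before=$(L cat /proc/net/xfrm_stat | xfrm_stat XfrmInTmplMismatch)
  R ip xfrm policy del src "$DST" dst "$SRC" dir out
  if R ping -c 1 -W 1 "$SRC" >/dev/null 2>&1; then rc=0; else rc=1; fi
  R ip xfrm policy add src "$DST" dst "$SRC" dir out tmpl src "$DST" dst "$SRC" proto esp reqid "$ID" mode transport
  after=$(L cat /proc/net/xfrm_stat | xfrm_stat XfrmInTmplMismatch)
  echo "cleartext probe: answered=$((1-rc)) XfrmInTmplMismatch delta=$((after-before))"
  return $rc
}

main() {
  trap 'ip netns del left 2>/dev/null; ip netns del right 2>/dev/null' EXIT
  setup_lab
  install_sas_and_out_policies
  L ping -c 1 -W 1 "$DST" >/dev/null && echo "encrypted ping: ok"
  cleartext_probe || true        # no IN policy: the cleartext request is answered
  add_in_policy_on_left
  cleartext_probe || true        # IN policy present: dropped, counter increments
  L ping -c 1 -W 1 "$DST" >/dev/null && echo "encrypted ping with IN policy: ok"
}

if [ "${XFRM_LAB:-0}" = 1 ]; then
  main
else
  echo "dry run: run as root with XFRM_LAB=1 to build the namespaces" >&2
fi
```

The counters are the check worth keeping from this: `XfrmInTmplMismatch` (and, once a blocking default is set, `XfrmInNoPols`) on the receiving side is where silently discarded cleartext shows up, while tcpdump on the wire shows nothing wrong.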

