[strongSwan] some conceptual ipsec/iptables/policy questions
Andreas Steffen
andreas.steffen at strongswan.org
Mon Oct 4 19:17:43 CEST 2010
On 10/04/2010 03:38 PM, Christoph Anton Mitterer wrote:
> Hi again.
>
> (And sorry for bugging you over and over again ;) )
>
yeah, if the doctor is in, it will cost 50 cents ;-)
>
> First perhaps some conceptual questions (whether I've understood it
> right):
>
> 1) The IPsec policies (the stuff one gets with "ip xfrm policy")... this
> is basically what strongswan sets up, and the rules how the kernel IPsec
> code has to apply IPsec (encapsulation or decapsulation) on packets, right?
>
yes
> Given how this looks at my system:
>> src 1.0.0.1/32 dst 2.0.0.2/32
>> dir fwd priority 1680 ptype main
>> tmpl src 1.0.0.1 dst 2.0.0.2
>> proto esp reqid 1 mode tunnel
> => Tells the kernel to do IPsec processing with any packet being
> _forwarded_ from 1.0.0.1 to 2.0.0.2 (when they're used as gateway with the
> left/rightsubnet options)... by using esp/tunnel mode?
> a) Why's there no fwd rule in the other direction?
Ask the Linux kernel developers!
> b) Why is there this rule at all, as I didn't use left/rightsubnet and
> just have a connection between host-host.
>
With type=tunnel we always insert a fwd policy since we don't check
if left|rightsubnet equal left or right, respectively. The fwd policy
does not do any harm.
>> src 1.0.0.1/32 dst 2.0.0.2/32
>> dir in priority 1680 ptype main
>> tmpl src 1.0.0.1 dst 2.0.0.2
> proto esp reqid 1 mode tunnel
> => Tells the kernel to do IPsec processing with any packet incoming from
> 1.0.0.1 to 2.0.0.2... by using esp/tunnel mode?
>
>> src 2.0.0.2/32 dst 1.0.0.1/32
>> dir out priority 1680 ptype main
>> tmpl src 2.0.0.2 dst 1.0.0.1
>> proto esp reqid 1 mode tunnel
> => Tells the kernel to do IPsec processing with any packet outgoing from
> 2.0.0.2 to 1.0.0.1... by using esp/tunnel mode?
>
>> src ::/0 dst ::/0
>> dir 3 priority 0 ptype main
>> src ::/0 dst ::/0
>> dir 4 priority 0 ptype main
>> src ::/0 dst ::/0
>> dir 3 priority 0 ptype main
>> src ::/0 dst ::/0
>> dir 4 priority 0 ptype main
>> src ::/0 dst ::/0
>> dir 3 priority 0 ptype main
>> src ::/0 dst ::/0
>> dir 4 priority 0 ptype main
>> src 0.0.0.0/0 dst 0.0.0.0/0
>> dir 3 priority 0 ptype main
>> src 0.0.0.0/0 dst 0.0.0.0/0
>> dir 4 priority 0 ptype main
>> src 0.0.0.0/0 dst 0.0.0.0/0
>> dir 3 priority 0 ptype main
>> src 0.0.0.0/0 dst 0.0.0.0/0
>> dir 4 priority 0 ptype main
>> src 0.0.0.0/0 dst 0.0.0.0/0
>> dir 3 priority 0 ptype main
>> src 0.0.0.0/0 dst 0.0.0.0/0
>> dir 4 priority 0 ptype main
> => What are these (dir 3 and 4) and why does each rule appear twice?
>
These are policies that exempt the IKE protocol (ports 500 and 4500)
from tunneling.
> These policies are the ones matched with iptables' "policy" match?!
>
>
>
> 2) How does the packages flow through the stack/netfilter?
> (I've used this
> http://en.wikipedia.org/wiki/File:Netfilter-packet-flow.svg overview)
>
> a) The en/decapsulation does _not_ take place "in" the mangle stage (which
> I've guess first) but this xfrm stage, right?
> b) Some poor man's ping and -j LOG tests showed me about this:
> Incoming:
> - an ESP packet arrives, goes through all tables (at some point finally
> filter/INPUT)
> - it's decrypted/authenticated/decapsulated in th xfrm "layer"
> - the resulting package (no longer ESP but e.g. ICMP) is newly injected
> and goes ("again") through all tables (at some point finally filter/INPUT).
> - it's delivered to the process.
>
that's more or less correct. Since there is no documentation please
inspect the kernel code.
> If decryption/authentication would fail, then simply no "2nd" package
> would be injected?
>
> Outgoing: analogous?
>
>
> Thanks in advance :)
>
> Chris.
Regards
Andreas
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
More information about the Users
mailing list