[strongSwan] Problem sending a packet out a raw socket over IPsec

Lin, Clifton (US SSA) clifton.lin at baesystems.com
Tue Jun 21 17:10:40 CEST 2011


Hi Martin,

Yes, the IP packets sent out the raw socket have the correct source and destination addresses.  Without any other firewall rules, the packets are being transmitted out the Ethernet interface as plain IP (non-ESP) packets, and I can see them using Wireshark.

I am generating the packets with SOCK_RAW, and I have set up the raw socket using the following syntax:

int fd = socket(PF_INET, SOCK_RAW, IPPROTO_RAW);

Yes, when I tried sending a packet over a UDP socket, it was encapsulated as an ESP packet and transmitted, as expected.

Hmm, this was my fear: that the Linux kernel simply does not route locally generated RAW packets through XFRM.  Is there any other way to make a locally generated IP packet go through XFRM?

Thanks,
Clifton

-----Original Message-----
From: Martin Willi [mailto:martin at strongswan.org] 
Sent: Tuesday, June 21, 2011 10:26 AM
To: Lin, Clifton (US SSA)
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Problem sending a packet out a raw socket over IPsec


> Status of IKEv2 charon daemon (strongSwan 4.5.2dr2):

Might be a good idea to update to 4.5.2, the developer releases are not
tested very well.

> I am trying to send an arbitrary IP packet out a raw socket destined
> for the other host, and I would like for this IP packet to traverse the
> IPsec connection.

Do the IP packets (on the wire) use the correct source and destination
addresses (10.41.42.210 === 10.41.42.215)?

I'm not sure if the Linux kernel routes locally generated RAW packets
through the XFRM subsystem. How do you generate them (SOCK_RAW or
AF_PACKET)? Does a packet generated with a UDP socket behave as
expected?

Regards
Martin


