[strongSwan] Questions about the netkey hooks in linux netfilter
NGO MAEMBLE Ruth-Stephanie
ruth-stephanie.ngomaemble at thalesgroup.com
Fri Jun 22 10:46:47 CEST 2012
Hello,
My question is about the Netkey Hooks in Linux Netfilter (http://strongswan.org/docs/LinuxKongress2009-strongswan.pdf, ppt 37). I want to understand the data path. Here is my understanding:
1 - The host receives an ESP packet that is intended for it on its interface.
2 - The input chain accepts this ESP packet that comes into the network layer.
3 - The ESP packet is decapsulated according to the appropriate SA. I have no idea about the state in/out meaning. I think that policy in/out/forward refer to the policy module, don't they?
4 - The decapsulated packet appears again on the same interface. In fact when a host receives ESP packets, we noticed that a tcpdump capture shows both ESP encapsulated and original packets. This is a particularity of the Netkey stack.
5 - The packet can pass through the input chain only if it meets the properties claimed by the policy module, e.g.
pkts bytes target prot opt in out source destination
1 148 ACCEPT all -- eth0 * 10.1.0.0/16 192.168.0.100 policy match dir in pol ipsec reqid 1 proto 50
In that example, all traffic from subnet 10.1.0.0/16 is accepted only if it previously used the appropriate IPSec policy.
Please help me and tell me if I am wrong.
Regards,
Stéphanie
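The rule quoted above is the `policy` match (xt_policy) as printed by a verbose, numeric `iptables -L` listing. When auditing a host like the one in this question, a useful check is to parse such a listing and list every ACCEPT rule that admits traffic from a subnet which is supposed to reach the host only through IPsec, yet does not carry `policy match dir in pol ipsec`. The example below is added here for illustration; it is not code from the original post or from the strongSwan project. The listing it parses is constructed: only the first rule echoes the one quoted in the post, the other rules, counters and addresses are invented, and the handling of extra xt_policy keywords (`mode`, `strict`) is an assumption about the listing format rather than something the post shows.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample in the shape of `iptables -L INPUT -v -n` output. Only the
# first ACCEPT rule echoes the one quoted in the post; the other rules, counters
# and addresses are made up for this example.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1   148 ACCEPT     all  --  eth0   *       10.1.0.0/16          192.168.0.100        policy match dir in pol ipsec reqid 1 proto 50
   42  3360 ACCEPT     udp  --  eth0   *       0.0.0.0/0            192.168.0.100        udp dpt:500
    7   812 ACCEPT     esp  --  eth0   *       0.0.0.0/0            192.168.0.100
    3   240 ACCEPT     all  --  eth0   *       10.2.0.0/16          192.168.0.100
"""

# Columns of a verbose, numeric listing:
#   pkts bytes target prot opt in out source destination [match text]
RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$"
)


@dataclass
class Rule:
    pkts: int
    nbytes: int
    target: str
    prot: str
    in_if: str
    out_if: str
    source: str
    destination: str
    matches: str                        # raw trailing match text, e.g. "udp dpt:500"
    policy: Optional[Dict[str, str]]    # parsed xt_policy clause, or None


def parse_policy_clause(text: str) -> Optional[Dict[str, str]]:
    """Turn 'policy match dir in pol ipsec reqid 1 proto 50' into a dict.
    Keywords are read as key/value pairs; 'strict' is a lone flag (assumed
    format for the extra keywords). Returns None without an xt_policy match."""
    m = re.search(r"policy match\s+(.*)", text)
    if not m:
        return None
    tokens = m.group(1).split()
    clause: Dict[str, str] = {}
    i = 0
    while i < len(tokens):
        if tokens[i] == "strict":
            clause["strict"] = "yes"
            i += 1
            continue
        if i + 1 < len(tokens):
            clause[tokens[i]] = tokens[i + 1]
        i += 2
    return clause


def parse_listing(listing: str) -> List[Rule]:
    """Parse every rule line of a verbose listing; header lines are skipped."""
    rules: List[Rule] = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        pkts, nbytes, target, prot, _opt, in_if, out_if, src, dst, rest = m.groups()
        rules.append(Rule(int(pkts), int(nbytes), target, prot, in_if, out_if,
                          src, dst, rest.strip(), parse_policy_clause(rest)))
    return rules


def unprotected_accepts(rules: List[Rule], protected_sources: Iterable[str]) -> List[Rule]:
    """ACCEPT rules whose source is expected to arrive only through IPsec but
    which do not require 'policy match dir in pol ipsec' (cleartext would pass)."""
    protected = set(protected_sources)
    flagged: List[Rule] = []
    for r in rules:
        if r.target != "ACCEPT" or r.source not in protected:
            continue
        p = r.policy
        if not (p and p.get("dir") == "in" and p.get("pol") == "ipsec"):
            flagged.append(r)
    return flagged


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for r in parsed:
        print(f"{r.target:7} {r.prot:4} {r.source:15} -> {r.destination:15} policy={r.policy}")
    # Subnets that should only ever reach this host inside an IPsec SA (constructed)
    for r in unprotected_accepts(parsed, {"10.1.0.0/16", "10.2.0.0/16"}):
        print("cleartext accepted from", r.source, "without policy match")
```

Run against a real `iptables -L INPUT -v -n` listing, the second loop prints each rule that would let unencrypted packets from a supposedly IPsec-only subnet through the INPUT chain; in the constructed sample that is the 10.2.0.0/16 rule, while the 10.1.0.0/16 rule passes because it carries the policy match described in the post.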