[strongSwan] Questions about the netkey hooks in linux netfilter

NGO MAEMBLE Ruth-Stephanie ruth-stephanie.ngomaemble at thalesgroup.com
Fri Jun 22 10:46:47 CEST 2012


My question is about the Netkey Hooks in Linux Netfilter (http://strongswan.org/docs/LinuxKongress2009-strongswan.pdf, ppt 37). I want to understand the data path. Here is my understanding :

[cid:image001.jpg at 01CD4FA6.D8F12460]

1 - The host receives an ESP packet that is intended to it on its interface.

2 - The input chain accepts this ESP packet that comes into the network layer.

3 - The ESP packet is decapsulated according the appropriate SA. I have no idea about state in/out meaning. I think that policy in/out/forward refer to the policy module, doesn't it ?

4 - The decapsulated packet appears again on the same interface. In fact when a host receives ESP packets, we noticed that a tcpdump capture shows both ESP encapsulated and original packets. This is a particularity of the Netkey stack.

5 - The packet can pass through the input chain only if it meets the properties claimed by the policy module, e.g.
pkts bytes target     prot opt in     out     source               destination
    1   148 ACCEPT     all  --  eth0   *       policy match dir in pol ipsec reqid 1 proto 50

in that example, all trafic from subnet is accepted only if it previously used the appropriate IPSec policy.

Please help me and tell me if I am wrong.



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120622/46eb7b8f/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 9032 bytes
Desc: image001.jpg
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120622/46eb7b8f/attachment.jpg>

More information about the Users mailing list