[strongSwan] Questions about the netkey hooks in linux netfilter

Martin Willi martin at strongswan.org
Fri Jun 22 11:03:58 CEST 2012

Hello Stéphanie,

> 3 - The ESP packet is decapsulated according to the appropriate SA. I
> have no idea about state in/out meaning. I think that policy
> in/out/forward refer to the policy module, doesn't it?

State in/out means the IPsec ESP SA, basically what you see with "ip
xfrm state". Based on the ESP SPI on the packet, it gets
decrypted/verified using the keys for this SA. After this stage, the
packet is plain.

> 4 - The decapsulated packet appears again on the same interface. In
> fact when a host receives ESP packets, we noticed that a tcpdump
> capture shows both ESP encapsulated and original packets. This is a
> particularity of the Netkey stack.

Yes, the Wireshark/tcpdump hooks are placed somewhere near INPUT, hence
they are seen twice. For outgoing packets this is not the case: you see
them only encrypted. This is because the hook is after "policy out".

> 5 - The packet can pass through the input chain only if it meets the
> properties claimed by the policy module, e.g.

Yes. If the policy matches after "state in", the packet is passed along,
with a tag to that policy. This tag can be used for iptables policy
matching, as done with your rule. Restricting the source address is not
really required, as this is already checked by your IPsec policy. If
this check is the same as in your IPsec policy, you're verifying the
packet twice. iptables policy matching is usually used to do more
advanced checks, not doable with policies, or as an additional barrier.

Please be aware that this chart is a simplification of the packet flow
for illustrative purposes. The details are a little more complicated,
and there is probably no way around reading kernel sources to understand

Kind Regards

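To make the state/policy distinction from the reply concrete, here is an added example (not from the original thread or from strongSwan) that parses constructed sample output in the layout of "ip xfrm state" and "ip xfrm policy" and reports, for every SA (selected by SPI), which policy directions (in/out/fwd) reference it; an SA that no policy points at is flagged. Addresses, SPIs and reqids are constructed, and a real run would feed the two commands' output into the parsers instead of the sample strings.

```python
import re

# Constructed sample in the layout of "ip xfrm state" (not captured from a real host).
XFRM_STATE = """\
src 192.0.2.1 dst 192.0.2.2
    proto esp spi 0xc1ab3d4e reqid 1 mode tunnel
src 192.0.2.2 dst 192.0.2.1
    proto esp spi 0x0a77e1f2 reqid 1 mode tunnel
src 192.0.2.9 dst 192.0.2.1
    proto esp spi 0x0000beef reqid 7 mode tunnel
"""

# Constructed sample in the layout of "ip xfrm policy" for the same tunnel.
XFRM_POLICY = """\
src 10.1.0.0/16 dst 10.2.0.0/16
    dir out priority 375423
    tmpl src 192.0.2.1 dst 192.0.2.2
        proto esp reqid 1 mode tunnel
src 10.2.0.0/16 dst 10.1.0.0/16
    dir fwd priority 375423
    tmpl src 192.0.2.2 dst 192.0.2.1
        proto esp reqid 1 mode tunnel
src 10.2.0.0/16 dst 10.1.0.0/16
    dir in priority 375423
    tmpl src 192.0.2.2 dst 192.0.2.1
        proto esp reqid 1 mode tunnel
"""

def parse_states(text):
    """One dict per SA: outer src/dst, SPI and reqid (the 'state' the kernel picks by SPI)."""
    out = []
    for b in re.split(r"\n(?=src )", text.strip()):
        m = re.match(r"src (\S+) dst (\S+)\s+proto esp spi (0x[0-9a-f]+) reqid (\d+)", b)
        if m:
            out.append({"src": m[1], "dst": m[2], "spi": m[3], "reqid": int(m[4])})
    return out

def parse_policies(text):
    """One dict per policy: direction (in/out/fwd) and the SA template it selects."""
    out = []
    for b in re.split(r"\n(?=src )", text.strip()):
        m = re.match(r"src \S+ dst \S+\s+dir (\w+).*?tmpl src (\S+) dst (\S+)\s+proto esp reqid (\d+)", b, re.S)
        if m:
            out.append({"dir": m[1], "tmpl_src": m[2], "tmpl_dst": m[3], "reqid": int(m[4])})
    return out

def correlate(states, policies):
    """Map each SPI to the policy directions referencing its SA; [] means no policy uses it."""
    return {s["spi"]: sorted(p["dir"] for p in policies
                             if (p["tmpl_src"], p["tmpl_dst"], p["reqid"]) == (s["src"], s["dst"], s["reqid"]))
            for s in states}
```

An SA that maps to an empty list is decryptable by the kernel but will never pass "policy in", which is the situation worth investigating on a host where states and policies are expected to be installed together by the daemon.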