[strongSwan] [strongSwan-dev] install policy to kernel using netlink_xfrm

Andreas Steffen andreas.steffen at strongswan.org
Mon Sep 17 11:50:30 CEST 2012

Hi Hyun,

On 17.09.2012 06:24, Yoo Hyun wrote:
> Thank you, Andreas
> I have one more question..
> Why check inbound traffic after decryption?
> I think firewall can control traffic.
Section 4.4.1 "The Security Policy Database (SPD)" of IPsec
RFC 4301 mandates the enforcement of the IPsec Policy for both
outbound *and* inbound directions:


   The SPD, or relevant caches, must be consulted during the
   processing of all traffic (inbound and outbound), including traffic
   not protected by IPsec, that traverses the IPsec boundary.

Thus an RFC 4301 compliant IPsec implementation is not allowed to
defer the enforcement of the inbound IPsec policy to a firewall.

> Could I get example for using XFRM_POLICY_IN and XFRM_POLICY_FWD?
In the following remote access scenario


XFRM_POLICY_IN controls the inbound traffic of the hosts carol
and dave


whereas XFRM_POLICY_FWD on gateway moon controls inbound traffic
e.g. to the client alice in the subnetwork behind the gateway


XFRM_POLICY_IN would only be used for traffic terminating on
the gateway moon itself:



> Thank you,
> Hyun
> 2012/9/17 Andreas Steffen <andreas.steffen at strongswan.org
> <mailto:andreas.steffen at strongswan.org>>
>     Hi Hyun,
>     On 09/17/2012 03:53 AM, 유현 wrote:
>     > Hi, *
>     >
>     > I have one question about installing policy to kernel.
>     >
>     > strongSwan sets policies for three directions(XFRM_POLICY_IN,
>     > XFRM_POLICY_OUT, XFRM_POLICY_FWD) in tunnel mode.
>     >
>     > I think only XFRM_POLICY_OUT is checked to encrypt packet.. right?
>     >
>     Yes, that's correct.
>     > Why install XFRM_POLICY_IN and XFRM_POLICY_FWD ?
>     >
>     These policies are used to check inbound traffic after decryption.
>     It is not allowed to tunnel traffic which does not match the
>     IPsec policy. XFRM_POLICY_IN is applied to traffic intended for
>     the VPN host/gateway itself and XFRM_POLICY_FWD for traffic
>     forwarded to a network behind the VPN gateway (similar to the
>     IN and FORWARD netfilter chains). With host-to-host IPsec transport
>     mode the XFRM_POLICY_FWD policy is not installed.
>     > Thank you,
>     > Hyun
>     Regards
>     Andreas

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4502 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120917/25b2f1c6/attachment.bin>

More information about the Users mailing list