[strongSwan] __xfrm_policy_check for forwarding tunnel setup
Deepak Khandelwal
dazz.87 at gmail.com
Sun Mar 8 19:13:30 CET 2015
Hi,
I have an IPsec tunnel in a forwarding setup as below.
Host X ---plain packets--- EP-A ---ipsec tunnel---- EP-B ---plain packet--- Host Y
Host X and Host Y communicate with each other (e.g. ping) with 2 next hops in
between, EP-A and EP-B.
The IPsec tunnel is set up between EP-A and EP-B to encrypt all traffic (0.0.0.0/0
-- 0.0.0.0/0).
I can see the traffic from X reach EP-A, but from there it is not able
to forward packets to EP-B via the tunnel.
The XfrmInTmplMismatch error counter is increasing.
After debugging, it looks like the plain packet (skb->sp = NULL)
which reaches EP-A is being matched against either the "in" or the "fwd" template in
__xfrm_policy_check. This check fails and the packets get dropped, with the
XfrmInTmplMismatch error counter increasing.
In short, if plain incoming packets match an "fwd" or "in" policy, this
error counter increases and the packets get dropped.
Is this expected behavior? Or is there a bug in the kernel (xfrm)?
# ip xfrm policy
src 0.0.0.0/0 dst 0.0.0.0/0 proto icmp
        dir fwd priority 3002
        tmpl src 20.0.0.2 dst 20.0.0.1
                proto esp reqid 0 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0 proto icmp
        dir in priority 3002
        tmpl src 20.0.0.2 dst 20.0.0.1
                proto esp reqid 16385 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0 proto icmp
        dir out priority 3002
        tmpl src 20.0.0.1 dst 20.0.0.2
                proto esp reqid 16384 mode tunnel
P.S. Without IPsec, traffic flows fine, so there is no routing issue.
Thanks !
Best Regards,
Deepak
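The check the post describes, as an added example that is not part of the post, of strongSwan, or of the kernel: a small Python model of the verdict __xfrm_policy_check reaches for an "in" or "fwd" packet, driven by the `ip xfrm policy` output quoted above. It parses that output, looks up the best-priority policy whose selector covers the packet, and then matches the policy's templates against the packet's security path (the list of SAs it was decapsulated from; empty for a plain packet, i.e. skb->sp == NULL) the way xfrm_policy_ok/xfrm_state_ok do: a required template with no SA to satisfy it yields XfrmInTmplMismatch. The host addresses 192.0.2.10 and 198.51.100.10, the reply direction, and the SA handed to the check are constructed assumptions; the post names only the gateway addresses 20.0.0.1 and 20.0.0.2.

```python
# Added example, not kernel code: a model of the verdict __xfrm_policy_check
# reaches for an "in"/"fwd" packet, driven by the post's `ip xfrm policy` output.
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

# The `ip xfrm policy` output quoted in the post, embedded verbatim as sample input.
IP_XFRM_POLICY = """\
src 0.0.0.0/0 dst 0.0.0.0/0 proto icmp
        dir fwd priority 3002
        tmpl src 20.0.0.2 dst 20.0.0.1
                proto esp reqid 0 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0 proto icmp
        dir in priority 3002
        tmpl src 20.0.0.2 dst 20.0.0.1
                proto esp reqid 16385 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0 proto icmp
        dir out priority 3002
        tmpl src 20.0.0.1 dst 20.0.0.2
                proto esp reqid 16384 mode tunnel
"""

# A policy template and a security-path entry (an SA the packet was decapsulated
# from) carry the same fields, so one tuple type serves both. reqid 0 in a
# template is a wildcard, as in xfrm_state_ok.
Xfrm = namedtuple("Xfrm", "src dst proto reqid mode")

@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    direction: str = ""
    priority: int = 0
    templates: list = field(default_factory=list)

def parse_ip_xfrm_policy(text):
    """Parse the selector / dir / tmpl / proto line layout `ip xfrm policy` prints."""
    policies, tmpl_addrs = [], None
    for tok in (line.split() for line in text.splitlines()):
        if not tok:
            continue
        if tok[0] == "src":                      # selector line opens a new policy
            proto = tok[5] if len(tok) > 5 and tok[4] == "proto" else "any"
            policies.append(Policy(ipaddress.ip_network(tok[1]),
                                   ipaddress.ip_network(tok[3]), proto))
        elif tok[0] == "dir":
            policies[-1].direction, policies[-1].priority = tok[1], int(tok[3])
        elif tok[0] == "tmpl":                   # "tmpl src A dst B", rest on next line
            tmpl_addrs = (tok[2], tok[4])
        elif tok[0] == "proto":                  # "proto esp reqid N mode M"
            policies[-1].templates.append(Xfrm(*tmpl_addrs, tok[1], int(tok[3]), tok[5]))
    return policies

def lookup_policy(policies, direction, src, dst, proto):
    """Best-priority policy of this direction whose selector covers the packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies if p.direction == direction and s in p.src
            and d in p.dst and p.proto in ("any", proto)]
    return min(hits, key=lambda p: p.priority, default=None)

def state_ok(tmpl, sa):
    """Mirror of xfrm_state_ok: does this SA satisfy the template?"""
    return (sa.proto == tmpl.proto and (tmpl.reqid == 0 or sa.reqid == tmpl.reqid)
            and sa.mode == tmpl.mode
            and (sa.mode == "transport" or (sa.src, sa.dst) == (tmpl.src, tmpl.dst)))

def policy_ok(tmpl, sp, start):
    """Mirror of xfrm_policy_ok for a required template: index past the SA that
    satisfies it, or -1 if none does (a plain packet has an empty sp)."""
    for idx in range(start, len(sp)):
        if state_ok(tmpl, sp[idx]):
            return idx + 1
        if sp[idx].mode != "transport":          # a tunnel SA acts as a barrier
            break
    return -1

def policy_check(policies, direction, src, dst, proto, sp=()):
    """("accept", None) or ("drop", counter); sp lists SAs outermost first,
    and an empty sp models skb->sp == NULL (a plain packet)."""
    pol = lookup_policy(policies, direction, src, dst, proto)
    if pol is None:      # no policy: plain traffic passes, unexpected tunnel traffic does not
        tunnelled = any(sa.mode != "transport" for sa in sp)
        return ("drop", "XfrmInNoPols") if tunnelled else ("accept", None)
    k = 0
    for tmpl in reversed(pol.templates):         # outermost template first
        k = policy_ok(tmpl, sp, k)
        if k < 0:
            return ("drop", "XfrmInTmplMismatch")
    if any(sa.mode != "transport" for sa in sp[k:]):   # leftover tunnel SAs
        return ("drop", "XfrmInTmplMismatch")
    return ("accept", None)

def demo():
    pols = parse_ip_xfrm_policy(IP_XFRM_POLICY)
    host_x, host_y = "192.0.2.10", "198.51.100.10"   # constructed; the post names no hosts
    # 1. Plain ping from X forwarded at EP-A: empty sp, but the fwd policy carries a tmpl.
    plain_icmp = policy_check(pols, "fwd", host_x, host_y, "icmp")
    # 2. Reply from Y that really came out of the ESP tunnel from EP-B.
    esp_sa = Xfrm("20.0.0.2", "20.0.0.1", "esp", 16385, "tunnel")
    from_tunnel = policy_check(pols, "fwd", host_y, host_x, "icmp", sp=(esp_sa,))
    # 3. Plain TCP: the post's policies say "proto icmp", so no policy matches.
    plain_tcp = policy_check(pols, "fwd", host_x, host_y, "tcp")
    return plain_icmp, from_tunnel, plain_tcp
```

demo() returns the three verdicts in order: the plain ICMP packet is dropped with XfrmInTmplMismatch, the decapsulated one is accepted, and the plain TCP packet is accepted because no policy selector covers it. The counter names in the verdicts are the ones the kernel exposes in /proc/net/xfrm_stat, which is where the post's counter can be watched while reproducing.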