[strongSwan] __xfrm_policy_check for forwarding tunnel setup

Andreas Steffen andreas.steffen at strongswan.org
Sun Mar 8 20:29:59 CET 2015


Hi Deepak,

defining a traffic selector of 0.0.0.0/0 on both sides of the tunnel
does not work since this causes routing problems. The IPsec endpoint
does not know whether the packet has to go through the tunnel or to
the network behind the gateway.

Best regards

Andreas

On 03/08/2015 07:13 PM, Deepak Khandelwal wrote:
> Hi,
> 
> I have an IPsec tunnel in a forwarding setup as below.
> 
> Host X ---plain packets--- EP-A ---ipsec tunnel----EP-B ---plain
> packet--- HOST Y
> 
> Host X and Host Y communicate with each other (e.g. ping) with 2 next hops
> in between EP-A and EP-B.
> An IPsec tunnel is set up between EP-A and EP-B to encrypt all traffic
> (0.0.0.0/0 -- 0.0.0.0/0).
> 
> I could see the traffic from X reach EP-A, but from there it is not
> able to forward packets to EP-B via the tunnel.
> The XfrmInTmplMismatch error counter is increasing.
> 
> After debugging, it looks like the plain packet (skb->sp = NULL)
> which reaches EP-A tries to match either the "in" or "fwd" template
> in __xfrm_policy_check. This check fails and packets get dropped
> with the XfrmInTmplMismatch error counter increasing.
> 
> In short, if plain incoming packets match a "fwd" or "in" policy, this
> error counter increases and packets get dropped.
> 
> Is this expected behavior, or is there a bug in the kernel (xfrm)?
> 
> # ip xfrm policy
> src 0.0.0.0/0 dst 0.0.0.0/0 proto icmp
>     dir fwd priority 3002
>     tmpl src 20.0.0.2 dst 20.0.0.1
>         proto esp reqid 0 mode tunnel
> src 0.0.0.0/0 dst 0.0.0.0/0 proto icmp
>     dir in priority 3002
>     tmpl src 20.0.0.2 dst 20.0.0.1
>         proto esp reqid 16385 mode tunnel
> src 0.0.0.0/0 dst 0.0.0.0/0 proto icmp
>     dir out priority 3002
>     tmpl src 20.0.0.1 dst 20.0.0.2
>         proto esp reqid 16384 mode tunnel
> 
> 
> P.S. Without IPsec, traffic flows fine, so there is no route issue.
> 
> 
> Thanks !
> 
> Best Regards,
> Deepak
> 
> 
> 
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
> 

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
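Added example (editor's note; this is not code from either poster or from strongSwan): the policy dump in the quoted message is enough to replay the drop decision offline. The script below parses "ip xfrm policy" output and two /proc/net/xfrm_stat snapshots, re-applies the rule __xfrm_policy_check follows for a packet that carries no secpath (a cleartext packet can never satisfy an ESP template, so a matching "in" or "fwd" policy with a template rejects it and increments XfrmInTmplMismatch), and flags policies whose selectors are 0.0.0.0/0 on both sides. With both selectors catch-all, the fwd policy (remote-to-local) and the out policy (local-to-remote) cover exactly the same packets, so cleartext from X bound for Y is checked against the fwd policy on EP-A before it could ever be encrypted, which is what the counter shows. The policy text and counter snapshots are constructed from the post; the hosts 10.0.0.5 and 10.0.1.7 are assumed addresses behind EP-A and EP-B.

```python
import ipaddress
import re

# Constructed sample: the three policies from the post, as `ip xfrm policy`
# prints them on EP-A (20.0.0.1), with the mailer's autolink noise removed.
SAMPLE_POLICY = """\
src 0.0.0.0/0 dst 0.0.0.0/0 proto icmp
    dir fwd priority 3002
    tmpl src 20.0.0.2 dst 20.0.0.1
        proto esp reqid 0 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0 proto icmp
    dir in priority 3002
    tmpl src 20.0.0.2 dst 20.0.0.1
        proto esp reqid 16385 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0 proto icmp
    dir out priority 3002
    tmpl src 20.0.0.1 dst 20.0.0.2
        proto esp reqid 16384 mode tunnel
"""

# Constructed /proc/net/xfrm_stat snapshots (name, value per line) taken
# before and after four pings from Host X were attempted.
STAT_BEFORE = "XfrmInError\t0\nXfrmInTmplMismatch\t12\nXfrmInNoPols\t0\n"
STAT_AFTER = "XfrmInError\t0\nXfrmInTmplMismatch\t16\nXfrmInNoPols\t0\n"


def parse_policies(text):
    """Parse `ip xfrm policy` output into dicts with src, dst, proto, dir,
    priority and the list of templates. Socket policies are skipped."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("src "):
            m = re.match(r"src (\S+) dst (\S+)(?: proto (\S+))?", line)
            cur = {"src": ipaddress.ip_network(m.group(1)),
                   "dst": ipaddress.ip_network(m.group(2)),
                   "proto": m.group(3) or "any", "dir": None,
                   "priority": 0, "tmpls": []}
            policies.append(cur)
        elif line.startswith("socket "):
            cur = None  # per-socket policy, not relevant for forwarding
        elif line.startswith("dir ") and cur:
            # newer iproute2 prints "dir in action allow index N priority P"
            m = re.match(r"dir (\S+)(?:.*?priority (\d+))?", line)
            cur["dir"] = m.group(1)
            cur["priority"] = int(m.group(2) or 0)
        elif line.startswith("tmpl ") and cur:
            m = re.match(r"tmpl src (\S+) dst (\S+)", line)
            cur["tmpls"].append({"src": m.group(1), "dst": m.group(2),
                                 "proto": None, "reqid": None, "mode": None})
        elif line.startswith("proto ") and cur and cur["tmpls"]:
            m = re.match(r"proto (\S+)(?: reqid (\d+))?(?: mode (\S+))?", line)
            cur["tmpls"][-1].update(proto=m.group(1), reqid=int(m.group(2) or 0),
                                    mode=m.group(3))
    return policies


def check_cleartext(policies, src, dst, proto, direction):
    """Predict what __xfrm_policy_check does with a packet that has no secpath
    (skb->sp == NULL): the best-matching policy for `direction` is selected,
    and if it carries a template the cleartext packet cannot satisfy it."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies
            if p["dir"] == direction and src in p["src"] and dst in p["dst"]
            and p["proto"] in ("any", proto)]
    if not hits:
        return "accept (no matching policy)"
    pol = min(hits, key=lambda p: p["priority"])  # lower value wins in xfrm
    if not pol["tmpls"]:
        return "accept (policy has no template)"
    t = pol["tmpls"][0]
    return (f"drop: {direction} policy requires {t['proto']} {t['mode']} "
            f"{t['src']}->{t['dst']} but packet has no secpath "
            f"(XfrmInTmplMismatch)")


def both_sides_catch_all(policies):
    """Policies whose local and remote selectors are both the whole address
    space. The in/fwd and out policies then cover identical packets, which is
    the overlap that makes 0.0.0.0/0 on both sides unusable on a gateway."""
    return [p for p in policies
            if p["src"].prefixlen == 0 and p["dst"].prefixlen == 0]


def counter_delta(before, after, name="XfrmInTmplMismatch"):
    """Difference of one /proc/net/xfrm_stat counter between two snapshots."""
    def read(snapshot):
        return {k: int(v) for k, v in
                (l.split() for l in snapshot.splitlines() if l.strip())}
    return read(after)[name] - read(before)[name]


if __name__ == "__main__":
    pols = parse_policies(SAMPLE_POLICY)
    # Host X (10.0.0.5, assumed) pings Host Y (10.0.1.7, assumed); EP-A
    # forwards the cleartext packet, so the "fwd" policy is consulted first.
    print(check_cleartext(pols, "10.0.0.5", "10.0.1.7", "icmp", "fwd"))
    print("catch-all policies:", len(both_sides_catch_all(pols)))
    print("XfrmInTmplMismatch delta:", counter_delta(STAT_BEFORE, STAT_AFTER))
```

On a live gateway, feed it the real output of "ip xfrm policy" and two copies of /proc/net/xfrm_stat taken around a test ping; a non-zero delta together with a "drop" verdict for the fwd direction is the signature described in the thread, and the check only confirms that the kernel is enforcing the policy, not that the policy is what you meant to install.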
