[strongSwan] VTI with 0.0.0.0/0 <---> 0.0.0.0/0 selector support

Shashidhar Patil shashidhar.patil at gmail.com
Wed Oct 7 09:04:48 CEST 2015


Hi There,
     I have a setup of ipsec between two linux boxes running ubuntu, kernel version 3.16.0-50.
VTI interface is configured with ikey and okey. The IPsec connection has 0.0.0.0/0 --- 0.0.0.0/0 as selector on both sides. I have disabled install_routes in charon.conf so that I can add routes and avoid all traffic getting encrypted. The send works fine. On the receive side decryption also happens and I can see the plain text packet using tcpdump on the VTI interface. But the packet gets dropped later. /proc/net/xfrm_stat shows XfrmInTmplMismatch incremented. This counter indicates that the packet was dropped because of an invalid policy.
But I do see the plain text packet in tcpdump, which means netif_rx was called. After that there must be one more xfrm_policy_check which could be dropping the packet. The policy check happens once before the packet decryption. The policy check happens once after the decryption.
I did not understand the intent of the policy check after decryption.


Is 0.0.0.0/0 <---> 0.0.0.0/0 an unsupported IPsec selector even when VTI is used with install_routes set to no?
A post to this list with a similar setup, albeit without install_routes disabled, was posted a while ago:
http://comments.gmane.org/gmane.network.vpn.strongswan.user/9404


Please help.

Thanks
-Shashidhar
PS - the same configuration works fine with the linux-3.16.0-30 kernel. The kernel hangs after a couple of hours of traffic though.
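The diagnosis in the post rests on one observation: plaintext is visible on the VTI, yet /proc/net/xfrm_stat shows XfrmInTmplMismatch climbing. The reliable way to make that observation is to snapshot the counters before and after a known burst of test traffic and look at the delta, not at absolute values. The following is an added example, not code from the poster or from the strongSwan project; it parses two snapshots of /proc/net/xfrm_stat (the real file is one `name<tab>value` pair per line), reports every counter that moved, and attaches the meaning the kernel documents for the common drop counters (Documentation/networking/xfrm_proc.rst). The two snapshots embedded below are constructed to mirror the situation in the post: ten packets received, ten XfrmInTmplMismatch drops. The `read_snapshot()` helper reads the live file when run on a Linux box.

```python
"""Diff two /proc/net/xfrm_stat snapshots and explain which XFRM counters moved.

Added diagnostic example (not strongSwan's own code). The sample snapshots
below are constructed; on a real host use read_snapshot() around a test ping.
"""
from typing import Dict

# Meanings summarised from the kernel's Documentation/networking/xfrm_proc.rst.
XFRM_STAT_MEANING = {
    "XfrmInNoStates": "no inbound SA matched (SPI, address or IPsec protocol wrong)",
    "XfrmInStateProtoError": "transform protocol error, e.g. ESP integrity check failed",
    "XfrmInStateMismatch": "SA option mismatch, e.g. UDP encapsulation type",
    "XfrmInTmplMismatch": "decryption succeeded but no policy template matches the "
                          "inner packet: the inbound SP rule (selector/mark/template) is wrong",
    "XfrmInNoPols": "no inbound policy found at all for the decrypted packet",
    "XfrmInPolBlock": "inbound policy explicitly discards the packet",
    "XfrmOutNoStates": "outbound policy matched but no SA exists (acquire pending/failed)",
    "XfrmOutPolBlock": "outbound policy explicitly discards the packet",
}

# Constructed snapshots in the real file's layout: "%-24s\t%lu" per line.
def _render(counters: Dict[str, int]) -> str:
    return "".join(f"{name:<24}\t{value}\n" for name, value in counters.items())

_BASE = {"XfrmInError": 0, "XfrmInNoStates": 3, "XfrmInTmplMismatch": 41,
         "XfrmInNoPols": 0, "XfrmOutNoStates": 2, "XfrmOutError": 0}
SAMPLE_BEFORE = _render(_BASE)
SAMPLE_AFTER = _render({**_BASE, "XfrmInTmplMismatch": 51})  # ten pings, ten drops


def parse_xfrm_stat(text: str) -> Dict[str, int]:
    """Parse the name/value pairs of /proc/net/xfrm_stat; ignore malformed lines."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            counters[parts[0]] = int(parts[1])
    return counters


def read_snapshot(path: str = "/proc/net/xfrm_stat") -> Dict[str, int]:
    """Read the live counters (Linux only)."""
    with open(path, encoding="ascii") as fh:
        return parse_xfrm_stat(fh.read())


def xfrm_stat_delta(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Return only the counters that changed between two snapshots."""
    return {name: after[name] - before.get(name, 0)
            for name in after if after[name] != before.get(name, 0)}


def explain(delta: Dict[str, int]) -> Dict[str, str]:
    """Map each moved counter to a documented meaning (or a generic note)."""
    return {name: f"+{count}: {XFRM_STAT_MEANING.get(name, 'see xfrm_proc.rst')}"
            for name, count in delta.items()}


def diagnose(before_text: str, after_text: str) -> Dict[str, str]:
    """Full pipeline over two raw snapshots."""
    return explain(xfrm_stat_delta(parse_xfrm_stat(before_text), parse_xfrm_stat(after_text)))


if __name__ == "__main__":
    # Stand-alone run over the constructed snapshots; swap in read_snapshot()
    # before and after a test ping on a real host.
    for name, text in diagnose(SAMPLE_BEFORE, SAMPLE_AFTER).items():
        print(f"{name}: {text}")
```

When the only counter that moves is XfrmInTmplMismatch, the SA side is already fine (otherwise XfrmInNoStates or XfrmInStateProtoError would move instead), so the next thing to compare is the output of `ip xfrm policy` for the `dir in` entry against the decrypted packet seen on the VTI: its selector, its mark (which for a VTI must correspond to the ikey/okey the interface was created with) and its template. A decrypted packet that reaches the inbound policy check with no template matching the SA it came out of is exactly what this counter records.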