[strongSwan] VTI with 0.0.0.0/0 <---> 0.0.0.0/0 selector support

Shashidhar Patil shashidhar.patil at gmail.com
Thu Oct 8 11:42:51 CEST 2015


Hi Noel,
   Thank you for the help.

> Make sure you disabled XFRM on the VTI interface.

I suppose you meant disable_policy. Disabling xfrm disables encryption
altogether.
vti.disable_policy=1 disables the policy check after decryption and traffic
is fine.

My statement "I did not understand the intent of policy check after
decryption." was vague. I actually meant: why do a policy check when we know
the packet is meant for the VTI, and VTI is most of the time used with
any-to-any selectors? I intend to say that for VTI the policy check should be
disabled by default, and if required it can be turned on anyway. This can be
easily achieved by setting disable_policy during VTI creation, either in
kernel or user space (sysctl).

Thanks for your help.

-Shashidhar
On Wed, Oct 7, 2015 at 3:42 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:

> Make sure you disabled XFRM on the VTI interface.
>
>
> > I did not understand the intent of policy check after decryption.
> To check if the encapsulated traffic is actually allowed to be tunneled.
> --
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
>
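The thread distinguishes two per-interface sysctls, disable_policy (skip the policy check after decryption) and disable_xfrm (no encryption at all). The following is an added example, not part of the original messages, that reports which state a VTI is in and toggles only disable_policy; the function names and the overridable SYSCTL_ROOT variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report the two per-interface IPsec
# sysctls the thread distinguishes, for each interface name given.
# SYSCTL_ROOT is a hypothetical override so the check can be pointed at a
# constructed directory tree instead of the live /proc.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys/net/ipv4/conf}"

# read_flag IFACE NAME: print the sysctl value, or "missing" if unreadable.
read_flag() {
    f="$SYSCTL_ROOT/$1/$2"
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; else printf 'missing'; fi
}

# audit_vti IFACE: print "IFACE: verdict". disable_xfrm=1 is reported first
# because it turns encryption off regardless of disable_policy.
audit_vti() {
    pol=$(read_flag "$1" disable_policy)
    xfrm=$(read_flag "$1" disable_xfrm)
    case "$pol:$xfrm" in
        *missing*) echo "$1: unknown (sysctl not found)" ;;
        *:1)       echo "$1: encryption-disabled (disable_xfrm=1)" ;;
        1:0)       echo "$1: policy-check-skipped (disable_policy=1)" ;;
        0:0)       echo "$1: policy-check-enforced" ;;
        *)         echo "$1: unexpected values $pol/$xfrm" ;;
    esac
}

# set_policy_check IFACE on|off: change only disable_policy, and refuse if
# disable_xfrm is not 0, so the two settings are never confused.
set_policy_check() {
    [ "$(read_flag "$1" disable_xfrm)" = 0 ] || {
        echo "$1: refusing, disable_xfrm is not 0" >&2; return 1; }
    case "$2" in
        off) echo 1 > "$SYSCTL_ROOT/$1/disable_policy" ;;
        on)  echo 0 > "$SYSCTL_ROOT/$1/disable_policy" ;;
        *)   echo "usage: set_policy_check IFACE on|off" >&2; return 2 ;;
    esac
}

# Stand-alone use: sh audit.sh vti0 vti1   (writing the sysctl needs root)
for i in "$@"; do audit_vti "$i"; done
```

With disable_policy=1 the negotiated selectors are no longer enforced on decrypted traffic from that interface, so any restriction on what may arrive through the tunnel has to come from firewall rules on the VTI.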