[strongSwan] XFRM Policy Lookups

Brian O'Connor vk4gtw at bigpond.com
Thu Dec 15 23:06:33 CET 2016

In the diagram at [1], I understand there is a xfrm lookup missing from the forwarding path, as evidenced by
what I see in the output from the ip xfrm policy command, which shows three entries for a packet entering a
VPN responder in an IPsec tunnel, being decrypted, and then forwarded out another IPsec tunnel, if my
understanding of the ip xfrm policy output is correct. 

I understand the xfrm policy lookup in the input path triggers decryption of the incoming IPsec packet,
and the xfrm policy lookup in the output path triggers encryption of the outgoing packet.

My understanding of the packet flow through the diagram at [1] is probably highly erroneous, and I only
have a beginners level of IPsec knowledge overall, but what purpose does the xfrm lookup in the forwarding
path serve, please?

Where can I find a beginner's level description of the xfrm process, please? I find the ip xfrm man page

 [1]   https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg

Brian O'Connor

More information about the Users mailing list