[strongSwan] Diagram

Noel Kuntze noel at familie-kuntze.de
Tue Oct 18 21:49:10 CEST 2016

On 18.10.2016 21:43, Brian O'Connor wrote:
> I think I have the decryption process clear but was not clear on the iptables processing for
> encrypted packets.  From what you said, it looks like the NAT-T header is added after the
> iptables processing of an outbound encrypted packet, on the second pass by the
> outbound XFRM lookup. Is my understanding correct?

ESP encapsulation and NAT-T are applied in a single step when the packet is processed in xfrm encode.

Generally, a packet that is sent *from a local process* and is to be protected with IPsec makes two passes
through the OUTPUT PATH part of the graphic:

1) When it is sent by the process and passed through the chains and other parts of Netfilter in the path,
   until it is catched by xfrm lookup and is fed into xfrm encode.
2) When it is passed from xfrm encode into *raw OUTPUT. When that happens, the original packet that was sent by the kernel
   is transformed by xfrm into an ESP or NAT-T packet (That is simply ESP in a UDP shell. Nothing fancy about that.)
   It then traverses through the Netfilter chains as an ESP or UDP packet through the chains and other parts of Netfilter
   until it reaches egress (qdisc).


Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20161018/dc4d8515/attachment.sig>

More information about the Users mailing list