[strongSwan] Diagram

[Noel Kuntze]

On 18.10.2016 22:11, Brian O'Connor wrote:
> 
> So, for forwarded traffic (as distinct from locally source packets), I understand the packet to
> flow through the mangle and nat postrouting chains twice, and the other iptables
> output chains for raw, mangle, nat and filter tables only once after encryption.

That depends on where the packet originally came from. If it comes in an ESP/NAT-T packet,
it circulates through the INPUT PATH two times (Once as ESP/NAT-T packet and once as unprotected packet).
If it is an unprotected packet, it only goes through INPUT path once (as unproteced packet).


> On the first pass through the mangle and nat postrouting chains, iptables rules would
> operate on the unencrypted payload packet and on the second pass on the IP headers of
> the encrypted IPsec packet.

If the packet matches an IPsec policy with OUTPUT flag set, then yes.

We need to strongly differentiate in this discussion where the packet actually comes from and where it goes to
(If it was/is in an ESP/NAT-T/AH packet, if there is a matching INPUT policy for it in the SAD and SPD
and analog if it's a packet that is going to protected with IPsec (that is, if there's a matching policy in the SPD
for it with the correct mode and if it's a policy that has the correct mode).

A packet that goes through netfilter *4* times would be a packet that is received as an ESP/NAT-T/AH packet,
has a matching SA and SP, is allowed by your netfilter rules, is locally decapsulated, routed,
encapsulated and allowed again and then sent to another host again.

-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20161018/c89acebc/attachment.sig>