Re: Problem with IPSEC tunnel mode

To: Wolfgang Walter <wolfgang.walter@xxxxxxxxxxxxxxxxxxxx>
Subject: Re: Problem with IPSEC tunnel mode
From: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 22 Apr 2005 23:53:07 +1000
Cc: hadi@xxxxxxxxxx, netdev@xxxxxxxxxxx
In-reply-to: <200504221548.44560.wolfgang.walter@studentenwerk.mhn.de>
References: <E1DObFc-0000je-00@gondolin.me.apana.org.au> <200504221522.49403.wolfgang.walter@studentenwerk.mhn.de> <20050422132758.GA22772@gondor.apana.org.au> <200504221548.44560.wolfgang.walter@studentenwerk.mhn.de>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mutt/1.5.6+20040907i
On Fri, Apr 22, 2005 at 03:48:43PM +0200, Wolfgang Walter wrote:
> 
> So linux implements things like i.e. ipcomp in esp-tunnel in ah-tunnel as 
> bundle instead of feeding it for every transformation into the packet receive 
> code again? I assume that incoming packets which are subject to several 
> ipsec-transformations are exactly seen twice in netfilter PREROUTING: first 
> before decapsulation and then after complete decapsulation?

The packet is fed into each transform as you would expect.  However,
the policy check is done only once at the very end (unless raw sockets
are involved in which case it can occur multiple times).

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
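As an added illustration (not code from the thread, from Openswan or from the kernel), here is a small Python model of the receive path Herbert describes: each transform in the bundle strips its own layer and records its SA on a sec_path-like list, and the inbound policy's templates are compared against that list exactly once, after the last transform. The SAs, SPIs and policy below are constructed, and the model ignores optional templates and the transport-mode details of the real check. The second scenario shows why the single end check matters: a packet that arrives with only part of the required bundle is rejected, even though the layers it did carry were individually valid.

```python
"""Toy model of the xfrm inbound path: strip every transform, then check policy once."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Sa:
    """A security association: protocol, mode and SPI (constructed values)."""
    proto: str   # "ah", "esp" or "ipcomp"
    mode: str    # "tunnel" or "transport"
    spi: int


@dataclass(frozen=True)
class Tmpl:
    """One policy template: a protection layer the inbound policy requires."""
    proto: str
    mode: str


@dataclass
class Packet:
    """On-wire protection headers outermost-first as (proto, spi), plus the inner payload."""
    headers: List[Tuple[str, int]]
    payload: str
    # Mirrors the kernel's sec_path: SAs recorded in the order they were consumed.
    sec_path: List[Sa] = field(default_factory=list)


def xfrm_input_one(pkt: Packet, sadb: Dict[Tuple[str, int], Sa]) -> Packet:
    """Consume the outermost header: look up its SA and log it on sec_path.
    No policy lookup happens here; that is the point made in the reply."""
    key = pkt.headers[0]
    sa = sadb.get(key)
    if sa is None:
        raise LookupError(f"no SA for {key[0]} spi={key[1]:#x}")
    pkt.headers = pkt.headers[1:]
    pkt.sec_path.append(sa)
    return pkt


def xfrm_input(pkt: Packet, sadb: Dict[Tuple[str, int], Sa]) -> int:
    """Feed the packet through each transform until no protection remains.
    Returns the number of transforms that ran."""
    ran = 0
    while pkt.headers:
        xfrm_input_one(pkt, sadb)
        ran += 1
    return ran


def policy_check(pkt: Packet, templates: List[Tmpl]) -> bool:
    """The single check at the end.  Templates are written innermost-first
    (as in 'ip xfrm policy ... tmpl ...'); sec_path is outermost-first, so the
    comparison runs over the reversed template list."""
    if len(pkt.sec_path) != len(templates):
        return False
    return all(sa.proto == t.proto and sa.mode == t.mode
               for sa, t in zip(pkt.sec_path, reversed(templates)))


def receive(pkt: Packet, sadb: Dict[Tuple[str, int], Sa],
            templates: List[Tmpl]) -> Tuple[bool, str, int]:
    """Full inbound path: decapsulate everything, then decide once.
    Returns (policy ok, payload, transforms run)."""
    ran = xfrm_input(pkt, sadb)
    return policy_check(pkt, templates), pkt.payload, ran


# Constructed SADB and policy for "ipcomp in esp-tunnel in ah-tunnel".
SADB = {
    ("ah", 0x100): Sa("ah", "tunnel", 0x100),
    ("esp", 0x200): Sa("esp", "tunnel", 0x200),
    ("ipcomp", 0x300): Sa("ipcomp", "transport", 0x300),
}
POLICY = [Tmpl("ipcomp", "transport"), Tmpl("esp", "tunnel"), Tmpl("ah", "tunnel")]


def demo_full_bundle() -> Tuple[bool, str, int]:
    """All three layers present: three transforms run, one check, accepted."""
    pkt = Packet([("ah", 0x100), ("esp", 0x200), ("ipcomp", 0x300)], "inner IP datagram")
    return receive(pkt, SADB, POLICY)


def demo_missing_ah() -> Tuple[bool, str, int]:
    """Outer AH layer absent: the ESP and IPComp SAs are valid on their own,
    but the bundle does not satisfy the policy, so the packet is rejected."""
    pkt = Packet([("esp", 0x200), ("ipcomp", 0x300)], "inner IP datagram")
    return receive(pkt, SADB, POLICY)


if __name__ == "__main__":
    print(demo_full_bundle())
    print(demo_missing_ah())
```

The order reversal in policy_check is the detail worth noticing when writing inbound policies: the template list names the innermost protection first, while the packet is unwrapped outermost first, and the check only sees the complete list after the last transform has run.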
