| To: | Wolfgang Walter <wolfgang.walter@xxxxxxxxxxxxxxxxxxxx> |
|---|---|
| Subject: | Re: Problem with IPSEC tunnel mode |
| From: | Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> |
| Date: | Fri, 22 Apr 2005 23:27:58 +1000 |
| Cc: | hadi@xxxxxxxxxx, netdev@xxxxxxxxxxx |
| In-reply-to: | <200504221522.49403.wolfgang.walter@xxxxxxxxxxxxxxxxxxxx> |
| References: | <E1DObFc-0000je-00@xxxxxxxxxxxxxxxxxxxxxxxx> <200504221342.10675.wolfgang.walter@xxxxxxxxxxxxxxxxxxxx> <1114172084.7679.15.camel@xxxxxxxxxxxxxxxxxxxxx> <200504221522.49403.wolfgang.walter@xxxxxxxxxxxxxxxxxxxx> |
| Sender: | netdev-bounce@xxxxxxxxxxx |
| User-agent: | Mutt/1.5.6+20040907i |

On Fri, Apr 22, 2005 at 03:22:49PM +0200, Wolfgang Walter wrote:
>
> I'm not sure how packets of tunnels ending at a host are treated exactly.
> Probably the tunnel-packet itself is checked against XFRM_POLICY_IN because
> its destination is the host itself. Then it gets decrypted if an entry
> appropriate in the sad in (dst,spi) exists. The inner packet gets extracted
> and decrypted and is then rerouted.

Actually it only gets checked once, after all IPsec decapsulation has
been completed. So forwarded packets only ever get checked against
the FWD direction.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt