netdev

Re: Problem with IPSEC tunnel mode

To: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Subject: Re: Problem with IPSEC tunnel mode
From: Wolfgang Walter <wolfgang.walter@xxxxxxxxxxxxxxxxxxxx>
Date: Fri, 22 Apr 2005 15:48:43 +0200
Cc: hadi@xxxxxxxxxx, netdev@xxxxxxxxxxx
In-reply-to: <20050422132758.GA22772@xxxxxxxxxxxxxxxxxxx>
Organization: Studentenwerk München
References: <E1DObFc-0000je-00@xxxxxxxxxxxxxxxxxxxxxxxx> <200504221522.49403.wolfgang.walter@xxxxxxxxxxxxxxxxxxxx> <20050422132758.GA22772@xxxxxxxxxxxxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: KMail/1.7.2
On Friday, 22 April 2005 15:27, Herbert Xu wrote:
> On Fri, Apr 22, 2005 at 03:22:49PM +0200, Wolfgang Walter wrote:
> > I'm not sure how packets of tunnels ending at a host are treated exactly.
> > Probably the tunnel-packet itself is checked against XFRM_POLICY_IN
> > because its destination is the host itself. Then it gets decrypted if an
> > entry appropriate in the sad in (dst,spi) exists. The inner packet gets
> > extracted and decrypted and is then rerouted.
>
> Actually it only gets checked once, after all IPsec decapsulation has been
> completed.  So forwarded packets only ever get checked against the FWD
> direction.
>

So Linux implements things like IPComp in an ESP tunnel in an AH tunnel as a
bundle, instead of feeding the packet back into the packet receive code for
every transformation? I assume that incoming packets which are subject to
several IPsec transformations are seen exactly twice in netfilter PREROUTING:
first before decapsulation and then after complete decapsulation?

Greetings,
-- 
Wolfgang Walter
Studentenwerk München
Institution under public law
Leopoldstraße 15
80802 München