lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <49675C3E.6010109@iki.fi>
Date:	Fri, 09 Jan 2009 16:16:30 +0200
From:	Timo Teräs <timo.teras@....fi>
To:	netdev@...r.kernel.org
Subject: ip xfrm policy semantics

Hi,

I'm trying to setup a vpnc gateway device that is a part of Cisco DMVPN and also
generic NAT gateway to Internet.

The DMVPN part is achieved by a gre tunnel, which is protected by IPsec xfrm
policy.

So I want to encrypt all GRE traffic that is to/from the local box, thus I have:
src 0.0.0.0/0 dst 0.0.0.0/0 proto gre 
	dir in priority 2147483648 ptype main 
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
src 0.0.0.0/0 dst 0.0.0.0/0 proto gre 
	dir out priority 2147483648 ptype main 
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport

Which works perfect for the DMVPN part.

Now, I have a second device behind a subnet, that wants to talk to Internet
using PPTP (which ends up sending GRE packets). So what I want is that locally
generated / received packages should be protected by the ipsec policy. But
forwarded GRE packets (that are masqueraded) should not get any xfrm treatment.

It looks like that if xfrm out policy still affects the forwarded packets.
If I add an overriding policy for the PPTP server, things seem to work
better. But I'd rather not do that as it's a bit hacky.

I was not able to find any authoritative place how netfilter and xfrm policies
and routing interact. The only thing I found was [1], but that seems to be
inaccurate. Anyone care to shed light on this part?

Thanks,
  Timo

[1] http://www.strongswan.org/docs/netfilter.pdf

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ