lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <1455132654694.33181@vmware.com>
Date:	Wed, 10 Feb 2016 19:30:38 +0000
From:	Mukesh Hira <mhira@...are.com>
To:	"netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: ip xfrm transport mode forwarding policy

Hi,

For a particular application, I am working on configuring a Linux host to receive IPSec traffic in transport mode on one interface, decrypt and forward the traffic in the clear on another interface.

I have configured a transport mode ip xfrm policy with dir fwd and corresponding ip xfrm state.

However, the IPSec traffic is being dropped with XfrmInTmplMismatch counter incrementing. Upon adding some debug statements and recompiling the kernel, I found that the IPSec transport mode traffic is taking the following path -

ip_forward calls __xfrm_policy_check - Here, skb->sp is null, hence a dummy sec_path gets passed to xfrm_policy_ok which returns -1 because the dummy sec_path has length 0.

How does one go about configuring IPSec transport mode forwarding? Is this supposed to work? Or does IPSec decryption followed by forwarding only work in tunnel mode?

Thanks,
Mukesh

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ