Message-ID: <20190215101158.GA6926@legohost>
Date: Fri, 15 Feb 2019 13:11:59 +0300
From: Oleg <lego12239@...dex.ru>
To: netdev@...r.kernel.org
Subject: ip xfrm policy, dir out vs dir fwd

Hi, all.

I don't understand why I need to create a dir out policy for transit
IPsec traffic?

For example (conf from 192.168.77.1; it acts as a gateway between the world and
the private network behind 192.168.77.35):

ip xfrm policy add src 192.168.77.35 dst 0.0.0.0/0 dir fwd tmpl src 192.168.77.35 dst 192.168.77.1 proto esp reqid 1 mode tunnel
ip xfrm policy add src 0.0.0.0/0 dst 192.168.77.35 dir fwd tmpl src 192.168.77.1 dst 192.168.77.35 proto esp reqid 2 mode tunnel

doesn't work. But:

ip xfrm policy add src 192.168.77.35 dst 0.0.0.0/0 dir fwd tmpl src 192.168.77.35 dst 192.168.77.1 proto esp reqid 1 mode tunnel
ip xfrm policy add src 0.0.0.0/0 dst 192.168.77.35 dir out tmpl src 192.168.77.1 dst 192.168.77.35 proto esp reqid 2 mode tunnel

works well.

Maybe somebody can help me with this?

Thanks!

--
Олег Неманов (Oleg Nemanov)