Date:   Fri, 17 Jan 2020 09:49:35 -0800
From:   Ben Greear <>
To:     netdev <>
Subject: vrf and ipsec xfrm routing problem


I'm back to mucking with xfrm and vrfs.  I am currently able to get the
xfrm interface to connect to the ipsec peer and get an IP address.

But, when I bind a UDP socket to the x_eth4 xfrm device, the packets
go out of eth4 instead.

Based on the problems I was having with multicast, I am thinking this might just be some routing problem.

# ip route show vrf _vrf4
default via dev eth4 dev eth4 scope link src

# ip addr show dev eth4
7: eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master _vrf4 state UP group default qlen 1000
     link/ether 00:30:18:01:63:eb brd ff:ff:ff:ff:ff:ff
     inet brd scope global eth4
        valid_lft forever preferred_lft forever

# ip addr show dev x_eth4
30: x_eth4@...4: <NOARP,UP,LOWER_UP> mtu 1440 qdisc noqueue master _vrf4 state UNKNOWN group default qlen 1000
     link/none 00:30:18:01:63:eb brd ff:ff:ff:ff:ff:ff
     inet scope global x_eth4
        valid_lft forever preferred_lft forever
     inet6 fe80::f6ec:3e67:9b7b:60c9/64 scope link stable-privacy
        valid_lft forever preferred_lft forever

I tried adding a route to specify the x_frm as source, but that does not appear to work:

[root@...313-63e7 lanforge]# ip route add via dev x_eth4 table 4
[root@...313-63e7 lanforge]# ip route show vrf _vrf4
default via dev eth4 dev eth4 scope link src via dev eth4

I also tried this, but no luck:

[root@...313-63e7 lanforge]# ip route add via dev x_eth4 table 4
Error: Nexthop has invalid gateway.

Any ideas about where my problem might lie?


Ben Greear <>
Candela Technologies Inc
