Message-ID: <1425d02c-de99-b708-e543-b7fe3f0ef07e@candelatech.com>
Date:   Fri, 17 Jan 2020 09:49:35 -0800
From:   Ben Greear <greearb@...delatech.com>
To:     netdev <netdev@...r.kernel.org>
Subject: vrf and ipsec xfrm routing problem

Hello,

I'm back to mucking with xfrm and vrfs.  I am currently able to get the
xfrm interface to connect to the ipsec peer and get an IP address.

But, when I bind a UDP socket to the x_eth4 xfrm device, the packets
go out of eth4 instead.

Based on the problems I was having with multicast, I am thinking this might just be some routing problem.

# ip route show vrf _vrf4
default via 192.168.5.1 dev eth4
192.168.5.0/24 dev eth4 scope link src 192.168.5.4

# ip addr show dev eth4
7: eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master _vrf4 state UP group default qlen 1000
     link/ether 00:30:18:01:63:eb brd ff:ff:ff:ff:ff:ff
     inet 192.168.5.4/24 brd 192.168.5.255 scope global eth4
        valid_lft forever preferred_lft forever

# ip addr show dev x_eth4
30: x_eth4@...4: <NOARP,UP,LOWER_UP> mtu 1440 qdisc noqueue master _vrf4 state UNKNOWN group default qlen 1000
     link/none 00:30:18:01:63:eb brd ff:ff:ff:ff:ff:ff
     inet 192.168.10.101/32 scope global x_eth4
        valid_lft forever preferred_lft forever
     inet6 fe80::f6ec:3e67:9b7b:60c9/64 scope link stable-privacy
        valid_lft forever preferred_lft forever


I tried adding a route to specify the xfrm device as source, but that does not appear to work:

[root@...313-63e7 lanforge]# ip route add 192.168.10.0/24 via 192.168.5.1 dev x_eth4 table 4
[root@...313-63e7 lanforge]# ip route show vrf _vrf4
default via 192.168.5.1 dev eth4
192.168.5.0/24 dev eth4 scope link src 192.168.5.4
192.168.10.0/24 via 192.168.5.1 dev eth4

I also tried this, but no luck:

[root@...313-63e7 lanforge]# ip route add 192.168.10.0/24 via 192.168.10.1 dev x_eth4 table 4
Error: Nexthop has invalid gateway.

Any ideas about where my problem might lie?

Thanks,
Ben

-- 
Ben Greear <greearb@...delatech.com>
Candela Technologies Inc  http://www.candelatech.com
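To make the two route-add results in the message above easier to reason about, here is an added Python model of the FIB lookup and of nexthop validation; it is example code written for this page, not part of the message or of the kernel. The route table is taken from the `ip route show vrf _vrf4` output above. The validation rule it implements (a gateway must be covered by a connected route with no `via`, and the new route then egresses on that connected route's device) is a deliberate simplification of kernel behaviour, assumed here because it reproduces both observations in the post: the first attempt lands on `eth4`, the second is rejected. The third, device-only route is a hypothetical variant added to show what the lookup selects when a prefix is attached to `x_eth4` directly; the message itself does not establish that this is the right fix.

```python
import ipaddress

# Constructed sample: the VRF table exactly as the post prints it, before the
# poster's two "ip route add" attempts.
BASE_TABLE = """\
default via 192.168.5.1 dev eth4
192.168.5.0/24 dev eth4 scope link src 192.168.5.4
"""

KEYWORDS = ("via", "dev", "src", "scope")


def parse_route_line(line):
    """Parse one 'ip route show' line into a dict; 'default' becomes 0.0.0.0/0."""
    tokens = line.split()
    if not tokens:
        return None
    dst = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
    route = {"prefix": ipaddress.ip_network(dst, strict=False),
             "via": None, "dev": None, "src": None, "scope": None}
    i = 1
    while i < len(tokens):
        if tokens[i] in KEYWORDS and i + 1 < len(tokens):  # keyword with a value
            route[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return route


def parse_routes(dump):
    return [r for r in (parse_route_line(l) for l in dump.splitlines()) if r]


def lookup(routes, dst):
    """Longest-prefix match: the most specific prefix covering dst wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r["prefix"]]
    return max(candidates, key=lambda r: r["prefix"].prefixlen, default=None)


def egress_dev(routes, dst):
    r = lookup(routes, dst)
    return r["dev"] if r else None


def add_route(routes, prefix, via=None, dev=None):
    """Add a route with a simplified nexthop check (an assumption, not kernel
    code): a gateway must be covered by a connected route (one with no 'via'),
    and the new route egresses on that connected route's device, whatever 'dev'
    was requested. Returns a new table; raises like 'ip' would on failure."""
    new = {"prefix": ipaddress.ip_network(prefix, strict=False),
           "via": via, "dev": dev, "src": None, "scope": None}
    if via is not None:
        gw = ipaddress.ip_address(via)
        connected = [r for r in routes if r["via"] is None and gw in r["prefix"]]
        if not connected:
            raise ValueError("Nexthop has invalid gateway")
        new["dev"] = max(connected, key=lambda r: r["prefix"].prefixlen)["dev"]
    return routes + [new]


def demo():
    """Replay the post's two attempts plus one hypothetical device-only route."""
    base = parse_routes(BASE_TABLE)
    # Attempt 1 from the post: gateway is on eth4's subnet, dev x_eth4 requested.
    t1 = add_route(base, "192.168.10.0/24", via="192.168.5.1", dev="x_eth4")
    # Attempt 2 from the post: 192.168.10.1 is not covered by any connected route.
    try:
        add_route(base, "192.168.10.0/24", via="192.168.10.1", dev="x_eth4")
        rejected = False
    except ValueError:
        rejected = True
    # Hypothetical variant (assumption, not from the post): no gateway at all.
    t3 = add_route(base, "192.168.10.0/24", dev="x_eth4")
    return {
        "attempt1_dev": egress_dev(t1, "192.168.10.50"),     # 'eth4'
        "attempt2_rejected": rejected,                       # True
        "device_only_dev": egress_dev(t3, "192.168.10.50"),  # 'x_eth4'
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Feeding a real `ip route show vrf <name>` dump into `parse_routes` and calling `egress_dev` on the destination you care about is a quick way to check which device the table, rather than the socket binding, will pick for a given address.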
