lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <a72d2a4e-c6fa-09b5-cda3-6070a1d9b574@candelatech.com>
Date:   Tue, 25 May 2021 07:41:19 -0700
From:   Ben Greear <greearb@...delatech.com>
To:     David Ahern <dsahern@...il.com>,
        Rob Dover <Rob.Dover@...aswitch.com>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: Re: XFRM programming with VRF enslaved interfaces

On 4/15/21 12:37 PM, David Ahern wrote:
> [ cc Ben ]
> 
> On 4/15/21 9:51 AM, Rob Dover wrote:
>> Hi there,
>>
>> I'm working on an application that's programming IPSec connections via XFRM on VRFs. I'm seeing some strange behaviour in cases where there is an enslaved interface on the VRF - was wondering if anyone has seen something like this before or perhaps knows how this is supposed to work?
> 
> Ben was / is looking at ipsec and VRF. Maybe he has some thoughts.

My thought is that openvpn is nearly impossible to use in interesting ways by itself,
and when added to vrf, it is too complicated for me to deal with.  I eventually managed to sort of get
it to work.  I forget the details, but I think I had to put the 'real' network device in one vrf
and the xfrm in another.  Probably I posted my example to the mailing list...

You do need recent kernel and openvpn to have a chance of this working.

Thanks,
Ben


-- 
Ben Greear <greearb@...delatech.com>
Candela Technologies Inc  http://www.candelatech.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ