I need a little help/explanation of why the following net setup is not working:

PC1 (192.168.66.1) <-- PLAIN --> (192.168.66.2)PC-GW(192.168.88.2) <-- ESP --> (192.168.88.1) PC2

I can send packets from PC1 192.168.66.1 to PC2 192.168.88.1; the PC-GW encapsulates them in ESP and PC2 receives the ESP packets. It works fine.

But if I send ESP packets from PC2 192.168.88.1 to PC1 192.168.66.1, the PC-GW forwards the ESP packets without decapsulation/decryption and PC1 gets an ESP packet.

If both systems use ESP, it works fine:

PC1 (192.168.66.1) <-- ESP --> (192.168.88.1) PC2

I have tried several different configurations; these are the commands I use:

ip xfrm state add src 192.168.66.1/32 dst 192.168.88.1/32 proto esp spi 0x01000000 reqid 0x01000000 mode transport aead 'rfc4106(gcm(aes))' 0x000000000000000000000000000000000000000000000000000000000000000000000000 128 sel src 192.168.66.1/32 dst 192.168.88.1/32
ip xfrm state add src 192.168.88.1/32 dst 192.168.66.1/32 proto esp spi 0x01000000 reqid 0x02000000 mode transport aead 'rfc4106(gcm(aes))' 0x000000000000000000000000000000000000000000000000000000000000000000000000 128 sel src 192.168.88.1/32 dst 192.168.66.1/32
ip xfrm policy add src 192.168.66.1/32 dst 192.168.88.1/32 dir out tmpl src 192.168.66.1/32 dst 192.168.88.1/32 proto esp reqid 0x01000000 mode transport
ip xfrm policy add src 192.168.88.1/32 dst 192.168.66.1/32 dir in tmpl src 192.168.88.1/32 dst 192.168.66.1/32 proto esp reqid 0x02000000 mode transport

With the help of tcpdump I have captured all interfaces.

I don't use Openswan; this test setup is not a real use scenario. This is just to try things out, and I want to learn how it works.


Solution 1:

That's not how Transport Mode is supposed to be used (i.e. with forwarded traffic and IP addresses that are not local to the system). You might want to look into BEET mode (never standardized), which is similar to Transport Mode in that it does not add an additional IP header, but allows replacing the source and destination IP addresses, and which the Linux kernel and some IKE daemons support.

Having said that, let me try to explain what you are seeing. The Linux kernel matches forwarded traffic first against fwd policies, but then also against out policies, which is why the outbound traffic is processed by the outbound IPsec SA. However, there is no IPsec SA lookup for the inbound traffic because the destination IP address is not local, i.e. that traffic is forwarded right away for best performance.
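The following is an added, simplified model of the dispatch logic the answer describes; it is not kernel code, not part of the question or answer, and not the poster's configuration. It assumes (as labelled in the comments) that policies match on exact src/dst selectors only, that inbound SA lookup is by (dst, spi), that outbound SA lookup is by reqid, and that ESP decapsulation happens only in the local-delivery path. The `Host`, `Packet`, `Policy`, `State` and `make_*` names are invented for the model. Feeding it the policies and SAs from the question's `ip xfrm` commands reproduces both observations: the gateway encapsulates PC1 to PC2 traffic via the `out` policy, but forwards ESP from PC2 to PC1 untouched because its destination is not local, while the same packet arriving at PC1 itself is decapsulated and checked against the `in` policy.

```python
# Added educational model of Linux xfrm dispatch (not kernel code).
# Assumptions: exact src/dst policy selectors, inbound SA lookup by (dst, spi),
# outbound SA lookup by reqid, ESP decapsulation only on local delivery.
from dataclasses import dataclass, field, replace
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    esp: bool = False          # True while the payload is still ESP-encapsulated
    spi: Optional[int] = None  # SPI from the ESP header, if any


@dataclass(frozen=True)
class Policy:
    src: str
    dst: str
    direction: str             # "in", "out" or "fwd"
    reqid: int                 # template reqid that selects the SA


@dataclass(frozen=True)
class State:                   # one IPsec SA
    src: str
    dst: str
    spi: int
    reqid: int


@dataclass
class Result:
    action: str                # "deliver", "forward" or "drop"
    packet: Packet
    trace: List[str] = field(default_factory=list)


@dataclass
class Host:
    name: str
    local_addrs: FrozenSet[str]
    policies: List[Policy]
    states: List[State]

    def _policy(self, pkt: Packet, direction: str) -> Optional[Policy]:
        return next((p for p in self.policies
                     if p.direction == direction and (p.src, p.dst) == (pkt.src, pkt.dst)), None)

    def receive(self, pkt: Packet) -> Result:
        trace: List[str] = []
        if pkt.dst not in self.local_addrs:
            # Forward path: no ESP input processing, so an ESP packet stays encapsulated.
            trace.append("dst not local: forwarded without ESP decapsulation" if pkt.esp
                         else "dst not local: forwarding")
            if self._policy(pkt, "fwd") is not None:
                # Modelled assumption: a matching fwd policy with a template cannot be
                # satisfied because no inbound SA has processed the packet.
                trace.append("fwd policy requires IPsec protection that did not happen")
                return Result("drop", pkt, trace)
            out = self._policy(pkt, "out")   # out policies also apply to forwarded traffic
            if out is not None:
                sa = next((s for s in self.states
                           if s.reqid == out.reqid and (s.src, s.dst) == (pkt.src, pkt.dst)), None)
                if sa is None:
                    trace.append("out policy matched but no SA for its reqid")
                    return Result("drop", pkt, trace)
                pkt = replace(pkt, esp=True, spi=sa.spi)
                trace.append(f"encapsulated with SA reqid {sa.reqid:#x}")
            return Result("forward", pkt, trace)
        # Local delivery: ESP is decapsulated here, then the inner packet is checked
        # against the "in" policy; an unprotected packet that a policy covers is dropped.
        sa_reqid = None
        if pkt.esp:
            sa = next((s for s in self.states if s.dst == pkt.dst and s.spi == pkt.spi), None)
            if sa is None:
                trace.append("no inbound SA for dst/spi")
                return Result("drop", pkt, trace)
            pkt, sa_reqid = replace(pkt, esp=False, spi=None), sa.reqid
            trace.append(f"decapsulated with SA reqid {sa_reqid:#x}")
        pol = self._policy(pkt, "in")
        if pol is not None and pol.reqid != sa_reqid:
            trace.append("in policy requires IPsec; packet was not protected by that SA")
            return Result("drop", pkt, trace)
        trace.append("delivered locally")
        return Result("deliver", pkt, trace)


def poster_config():
    """Policies and SAs taken from the question's ip xfrm commands (keys omitted)."""
    pc1, pc2 = "192.168.66.1", "192.168.88.1"
    policies = [Policy(pc1, pc2, "out", 0x01000000), Policy(pc2, pc1, "in", 0x02000000)]
    states = [State(pc1, pc2, 0x01000000, 0x01000000), State(pc2, pc1, 0x01000000, 0x02000000)]
    return policies, states


def make_gateway() -> Host:    # PC-GW owns 66.2 and 88.2, neither end address is local
    return Host("PC-GW", frozenset({"192.168.66.2", "192.168.88.2"}), *poster_config())


def make_pc1() -> Host:        # the same config on an endpoint that owns 66.1
    return Host("PC1", frozenset({"192.168.66.1"}), *poster_config())


if __name__ == "__main__":
    esp_from_pc2 = Packet("192.168.88.1", "192.168.66.1", esp=True, spi=0x01000000)
    for host, pkt in [(make_gateway(), Packet("192.168.66.1", "192.168.88.1")),
                      (make_gateway(), esp_from_pc2), (make_pc1(), esp_from_pc2)]:
        r = host.receive(pkt)
        print(f"{host.name}: {r.action} {r.packet} | " + "; ".join(r.trace))
```

Running it prints one line per scenario: the gateway forwards the PC1 to PC2 packet with `esp=True`, forwards the ESP packet from PC2 still encapsulated, and PC1 delivers the decapsulated packet. Replacing the ESP packet with a plain one at PC1 shows the fourth case, a drop, because the `in` policy demands protection the packet does not carry.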