ipsec xfrm esp routing
i need a little help/explanation why the following netsetup is not working:
PC1 (192.168.66.1) <-- PLAIN --> (192.168.66.2)PC-GW(192.168.88.2) <-- ESP --> (192.168.88.1) PC2
I can send packets from PC1 192.168.66.1 to PC2 192.168.88.1 and the PC-GW encapsulate esp and the PC2 recv the esp packets, it works fine.
But if i send esp packets from PC2 192.168.88.1 to PC1 192.168.66.1, the PC-GW forwaded the esp packets without decapsulate/decryption and PC1 gets an esp packet.
If both systems use ESP it works fine:
PC1 (192.168.66.1) <-- ESP--> (192.168.88.1) PC2
I have tried several different configuration, this is the commands i use:
ip xfrm state add src 192.168.66.1/32 dst 192.168.88.1/32 proto esp spi 0x01000000 reqid 0x01000000 mode transport aead 'rfc4106(gcm(aes))' 0x000000000000000000000000000000000000000000000000000000000000000000000000 128 sel src 192.168.66.1/32 dst 192.168.88.1/32
ip xfrm state add src 192.168.88.1/32 dst 192.168.66.1/32 proto esp spi 0x01000000 reqid 0x02000000 mode transport aead 'rfc4106(gcm(aes))' 0x000000000000000000000000000000000000000000000000000000000000000000000000 128 sel src 192.168.88.1/32 dst 192.168.66.1/32
ip xfrm policy add src 192.168.66.1/32 dst 192.168.88.1/32 dir out tmpl src 192.168.66.1/32 dst 192.168.88.1/32 proto esp reqid 0x01000000 mode transport
ip xfrm policy add src 192.168.88.1/32 dst 192.168.66.1/32 dir in tmpl src 192.168.88.1/32 dst 192.168.66.1/32 proto esp reqid 0x02000000 mode transport
With help of tcpdump i have captured all interfaces.
I don't use openswap, this test setup is not a real use scenario. This is just to try out and i want to learn how it works.
Solution 1:
That's not how Transport Mode is supposed to be used (i.e. with forwarded traffic and IP addresses that are not local to the system). You might want to to look into BEET mode (never standardized), which is similar to Transport Mode, in that it does not add an additional IP header, but allows replacing the source and destination IP addresses and which the Linux kernel and some IKE daemons support.
Having said that, let me try to explain what you are seeing. The Linux kernel matches forwarded traffic first against fwd policies, but then also against out policies, which is why the outbound traffic is processed by the outbound IPsec SA. However, there is no IPsec SA lookup for the inbound traffic because the destination IP address is not local, i.e. that traffic is forwarded right away for best performance.