Why are only 3 ip xfrm policies needed for a IPsec tunnel?

ip ipsec

Solution 1:

The fwd policies are not automatically generated by the kernel but instead get installed by the keying daemon (strongSwan in this case).

They are required to allow traffic to get forwarded to and from hosts behind the VPN gateway in tunnel mode.

For an inbound packet that is addresses to an IP that's not installed on the gateway itself a fwd policy is searched after decryption. For local traffic a matching in policy is looked up. If none is found the packet is dropped.

For outbound traffic that was not generated on the VPN gateway itself a fwd policy is searched. If the packet was not encrypted it is no failure if no matching fwd policy is found. And if traffic is forwarded between two tunnels the inbound fwd policy installed with one will act as outbound fwd policy for the other and vice-versa. Afterwards, an out policy is looked up to decide whether to tunnel the packet. That's why a fwd policy in the outbound direction is often not required.

However, if there is e.g. a drop/block fwd policy with low priority that matches everything (e.g. to avoid cleartext traffic from passing the gateway if there are no tunnels established) a fwd policy in the outbound direction is explicitly required as the block policy will otherwise drop all unencrypted traffic. That's why strongSwan started installing fwd policies in both directions with 5.5.0.

A previous version of this answer stated that the single (inbound) fwd policy is symmetrical (i.e. that src and dst work in either direction). That's not true, but as explained above in many situations this doesn't matter.

Solution 2:

From this article by Andrej Stender:

security policy syntax meaning
“output policy” dir out SP works as a selector on outgoing packets to select which are to be encrypted+encapsulated and which not
“input policy” dir in SP works as a selector on incoming packets which already have been decrypted+decapsulated and have a destination IP local on the system
“forward policy” dir fwd SP works as a selector on incoming packets which already have been decrypted+decapsulated and have a destination IP which is not local, thereby packets which are to be forwarded (routed)

So:

  • out is used on outgoing traffic (both local and forwarded) that we want to encrypt+encapsulate with IPsec.
  • in and fwd are used on incoming IPsec traffic and are applied to packets encapsulated within IPsec:
    • in is applied to inner packets whose destination IP is this computer
    • fwd is applied to inner packets which should be forwarded further

EDIT: I conducted my own local experiments with ip xfrm on Linux 5.9.1 and results matched Andrej's table.

Solution 3:

This seems to confirm that there is actually no forward policy needed on site A's router to forward 10.10.0.0/16 to 10.50.0.0/16 over the IPsec tunnel, but I do not understand why.

That is because A wants to receive from B only IPsec traffic.

IPsec traffic from A to B has A's IP address as a destination IP address - so it is handled by dir in policy on A.
After encapsulated IP packets are extracted from IPsec, they are handed over to kernel to get standard linux processing of an incoming IP packet - no xfrm policy dir fwd is required here.

Policy src 10.10.0.0/16 dst 10.50.0.0/16 dir fwd ... on A could be added if you need to also receive non-IPsec traffic from B .

Related

How do you prevent wuauserv (Windows Update Service) from restarting?
How can I enable both password and public key authentication with OpenSSH
High server availabilty for a small business
postgresql log queries single database
Professional Groups and Associations [closed]
Strongswan VPN tunnel between two AWS instances won't connect
Nginx removes Content-Length header for chunked content
Simple Backup Strategy for Amazon EC2 instances / volumes?
Setting a time limit for a transaction in MySQL/InnoDB
How to write runit custom stop script
Is it possible to use bittorrent for a fileserver [closed]
Is it possible to restore disk image to a different size hard disk