blog:linux:nftables_ipsec_packet_flow
Differences
This shows you the differences between two versions of the page.
Old revision: blog:linux:nftables_ipsec_packet_flow [2021-12-05] – xfrm in much more detail (major refactor), Andrej Stender
New revision (current): blog:linux:nftables_ipsec_packet_flow [2022-08-14] – added details about xfrm bundle, Andrej Stender
Line 1 (old) | Line 1 (new):
{{tag>
====== Nftables - Netfilter and VPN/IPsec packet flow ======
~~META:
date created = 2020-05-30
~~
-
- ~~NOTOC~~
In this article I would like to explain how the packet flow through
Line 143 (old) | Line 141 (new):
<figure nfhooksxfrm1>
(image and caption not recovered)
</figure>
It is an instance of two combined structs, the outer ''
Line 166 (old) | Line 165 (new):
are optional to use and never became the default. The Strongswan documentation calls VPN setups based on those virtual network interfaces [[https://
+ <figure xfrm_dst>
+ (image not recovered)
+ (click to enlarge). In IPsec tunnel-mode,
+ references to IPsec SA and SP and function pointers to lead the packet
+ on the Xfrm encrypt+encapsulate path. Compare it to a normal
+ //routing decision// object, which I described in my
+ [[routing_decisions_in_the_linux_kernel_1_lookup_packet_flow#
+ </figure>
===== Example Site-to-site VPN =====
Line 350 (old) | Line 359 (new):
<figure echo_request_r1_traversal>
(image and caption not recovered)
</figure>
Line 422 (old) | Line 431 (new):
<figure echo_reply_r1_traversal>
(image and caption not recovered)
</figure>
Line 516 (old) | Line 525 (new):
However, let's take another look at the example from Figure {{ref>
As a result, this packet no longer matches the IPsec //output policy//. Thus it won't get encrypted+encapsulated! Obviously that is not our intended behavior, but let's first dig deeper to understand what actually happens here: in step (8) this packet still had its original source and destination IP addresses ''
OK, now we understand it: the ping is NATed, but then sent out plain and unencrypted. That is not what we want. Further, this ping is now doomed to fail anyway, because ''
Line 551 (old) | Line 560 (new):
Several means have been implemented to address this kind of issue:
* Strongswan provides an optional ''
* Nftables offers IPSEC EXPRESSIONS (syntax ''
* Nftables offers "
* So-called ''
-
- I am planning to describe some of those means in more detail in another article; however, I still need to write that one. ;-) I'll place a link here once I find the time to write it.
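The NAT-versus-output-policy problem walked through above, together with the nftables IPSEC EXPRESSIONS mitigation listed after it, as an added example that is not part of the original article and not taken from the Strongswan or nftables projects: a postrouting NAT chain on the site-to-site gateway in which traffic that already has an xfrm output policy is exempted from masquerade before the masquerade rule can rewrite its source address. The topology (''eth0'' as WAN interface with address 203.0.113.1, ''eth1'' with LAN 10.0.1.0/24, remote LAN 10.0.2.0/24 behind the peer gateway 203.0.113.2, all documentation addresses) and the table and chain names are assumptions; the ''ipsec out'' expression and the ''masquerade'' statement are the syntax documented in nft(8).

```nft
#!/usr/sbin/nft -f
# Added example (not from the original article). Assumed topology:
#   r1: eth1 = LAN 10.0.1.0/24, eth0 = WAN address 203.0.113.1
#   IPsec tunnel-mode SA/SP for 10.0.1.0/24 <-> 10.0.2.0/24,
#   remote gateway (SA endpoint) 203.0.113.2
# The xfrm output policy lookup happens at the routing decision, i.e.
# before this postrouting chain runs; the packet arrives here with an
# xfrm bundle attached as its dst.

flush ruleset

table ip nat {
    chain postrouting {
        # priority 100 is the conventional srcnat priority
        type nat hook postrouting priority 100; policy accept;

        # Weak version of this chain, for comparison (do not add it as
        # well):
        #     oifname "eth0" masquerade
        # With only that rule, a 10.0.1.x -> 10.0.2.x ping gets its
        # source rewritten to 203.0.113.1 here. That source lies outside
        # the policy selector, so the packet no longer matches the IPsec
        # output policy and leaves eth0 in plain text, exactly the
        # failure the article walks through.

        # Fix, option 1: the nftables ipsec expression. "ipsec out"
        # reads the xfrm bundle the routing decision attached to the
        # packet. Note that "ip daddr" here is the SA endpoint (the
        # remote gateway), not the inner destination of the packet.
        ipsec out ip daddr 203.0.113.2 counter return

        # Fix, option 2, for an nft/kernel without the ipsec expression:
        # exempt the policy selector by hand. Works, but must be kept in
        # sync with the IPsec configuration manually.
        ip saddr 10.0.1.0/24 ip daddr 10.0.2.0/24 counter return

        # Only what is left is masqueraded. Order matters: rules are
        # evaluated top to bottom, so this must follow the exemptions.
        oifname "eth0" counter masquerade
    }
}
```

Load it with ''nft -f'' and check the effect from both sides: ''nft list chain ip nat postrouting'' shows which rule a ping from 10.0.1.x to 10.0.2.x hit via the counters (the first ''return'' should count, the masquerade rule should not), ''ip xfrm policy'' shows the selector the exemption has to agree with, and ''tcpdump -ni eth0 ip proto esp'' should now show ESP instead of a plain ICMP echo with the WAN address as source. If ''nft'' rejects the ''ipsec out'' rule, the kernel or nft version lacks the ipsec expression; option 2 alone still fixes the problem for this topology.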
Line 569 (old) | Line 576 (new):
===== Feedback =====
[[:
===== References ===== | ===== References ===== | ||
Line 577 (old) | Line 584 (new):
* [[https://
//published 2020-05-30//,
blog/linux/nftables_ipsec_packet_flow.1638724542.txt.gz · Last modified: 2021-12-05 by Andrej Stender