blog:linux:nftables_ipsec_packet_flow
Differences
This shows you the differences between two versions of the page.
blog:linux:nftables_ipsec_packet_flow [2021-12-08] – fixed typo, cosmetics Andrej Stender | blog:linux:nftables_ipsec_packet_flow [2022-08-14] (current) – added details about xfrm bundle Andrej Stender | ||
Line 1: | Line 1: | ||
- | {{tag> | + | {{tag> |
====== Nftables - Netfilter and VPN/IPsec packet flow ====== | ====== Nftables - Netfilter and VPN/IPsec packet flow ====== | ||
~~META: | ~~META: | ||
date created = 2020-05-30 | date created = 2020-05-30 | ||
~~ | ~~ | ||
- | |||
- | ~~NOTOC~~ | ||
In this article I like to explain how the packet flow through | In this article I like to explain how the packet flow through | ||
Line 147: | Line 145: | ||
| < | | < | ||
- | It is an instance of two combined structs, the outer '' | + | It is an instance of two combined structs, the outer '' |
- | | < | + | | < |
+ | </ | ||
| < | | < | ||
| < | | < | ||
Line 166: | Line 165: | ||
are optional to use and never became the default. The Strongswan documentation calls VPN setups based on those virtual network interfaces [[https:// | are optional to use and never became the default. The Strongswan documentation calls VPN setups based on those virtual network interfaces [[https:// | ||
+ | <figure xfrm_dst> | ||
+ | {{: | ||
+ | < | ||
+ | (click to enlarge). In IPsec tunnel-mode, | ||
+ | references to IPsec SA and SP and function pointers to lead the packet | ||
+ | on the Xfrm encrypt+encapsulate path. Compare it to a normal | ||
+ | //routing decision// object, which I described in my | ||
+ | [[routing_decisions_in_the_linux_kernel_1_lookup_packet_flow# | ||
+ | </ | ||
+ | </ | ||
===== Example Site-to-site VPN ===== | ===== Example Site-to-site VPN ===== | ||
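Review bot: the new xfrm_dst figure is inserted directly after the paragraph about XFRM interfaces, yet its caption describes a different object, the xfrm bundle (a routing decision plus references to the IPsec SA and SP and function pointers for the encrypt+encapsulate path); add a lead-in sentence before the figure that ties it to the surrounding text, and verify that the image reference and the anchor link into the routing_decisions_in_the_linux_kernel_1_lookup_packet_flow article both resolve.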
Line 551: | Line 560: | ||
Several means have been implemented to address those kind of issues: | Several means have been implemented to address those kind of issues: | ||
* Strongswan provides an optional '' | * Strongswan provides an optional '' | ||
- | * Nftables offers IPSEC EXPRESSIONS (syntax '' | + | * Nftables offers IPSEC EXPRESSIONS (syntax '' |
* Nftables offers " | * Nftables offers " | ||
* So-called '' | * So-called '' | ||
- | |||
- | I am planning to describe some of those means in more detail in another article, however I still need to write that one. ;-) I'll place a link here once I find the time to write it. | ||
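Review bot: removing the sentence that promised a follow-up article leaves the list of mitigations (the Strongswan option, the Nftables ipsec expression, the "policy match" and the XFRM interfaces) with no pointer to where they are covered in more detail; replace it with a link to the relevant documentation or a short note rather than deleting it outright.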
Line 569: | Line 576: | ||
===== Feedback ===== | ===== Feedback ===== | ||
- | [[: | + | [[: |
===== References ===== | ===== References ===== | ||
Line 577: | Line 584: | ||
* [[https:// | * [[https:// | ||
- | //published 2020-05-30//, | + | //published 2020-05-30//, |
blog/linux/nftables_ipsec_packet_flow.1638998534.txt.gz · Last modified: 2021-12-08 by Andrej Stender