blog:linux:nftables_ipsec_packet_flow
Differences
This shows you the differences between two versions of the page.
blog:linux:nftables_ipsec_packet_flow [2022-06-13] – Added link to new routing article Andrej Stender | blog:linux:nftables_ipsec_packet_flow [2022-08-14] (current) – added details about xfrm bundle Andrej Stender | ||
---|---|---|---|
Line 4: | Line 4: | ||
date created = 2020-05-30 | date created = 2020-05-30 | ||
~~ | ~~ | ||
- | |||
- | ~~NOTOC~~ | ||
In this article I like to explain how the packet flow through | In this article I like to explain how the packet flow through | ||
Line 147: | Line 145: | ||
| < | | < | ||
- | It is an instance of two combined structs, the outer '' | + | It is an instance of two combined structs, the outer '' |
- | | < | + | | < |
+ | </ | ||
| < | | < | ||
| < | | < | ||
Line 166: | Line 165: | ||
are optional to use and never became the default. The Strongswan documentation calls VPN setups based on those virtual network interfaces [[https:// | are optional to use and never became the default. The Strongswan documentation calls VPN setups based on those virtual network interfaces [[https:// | ||
+ | <figure xfrm_dst> | ||
+ | {{: | ||
+ | < | ||
+ | (click to enlarge). In IPsec tunnel-mode, | ||
+ | references to IPsec SA and SP and function pointers to lead the packet | ||
+ | on the Xfrm encrypt+encapsulate path. Compare it to a normal | ||
+ | //routing decision// object, which I described in my | ||
+ | [[routing_decisions_in_the_linux_kernel_1_lookup_packet_flow# | ||
+ | </ | ||
+ | </ | ||
===== Example Site-to-site VPN ===== | ===== Example Site-to-site VPN ===== | ||
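Review bot: the new figure caption in this hunk opens with "(click to enlarge)" before it says what the figure shows, so the reader meets the UI hint ahead of the explanation; consider leading with the description of the xfrm bundle and moving the hint to the end of the caption. The caption also uses "SA" and "SP" unexpanded; if the article has not already spelled out security association and security policy before this point, expand them here on first use, since the figure is likely to be read on its own.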
Line 575: | Line 584: | ||
* [[https:// | * [[https:// | ||
- | //published 2020-05-30//, | + | //published 2020-05-30//, |
blog/linux/nftables_ipsec_packet_flow.1655156837.txt.gz · Last modified: 2022-06-13 by Andrej Stender