key words
Dir in, out, fwd difference
| security policy | syntax | meaning |
|---|
| output policy | dir out | SP works as a selector on outgoing packets to select which are to be encrypted+encapsulated and which not |
| input policy | dir in | SP works as a selector on incoming packets which already have been decrypted+decapsulated and have a destination IP local on the system |
| forward policy | dir fwd | SP works as a selector on incoming packets which already have been decrypted+decapsulated and have a destination IP which is not local, thereby packets which are to be forwarded (routed) |
So:
out is used on outgoing traffic (both local and forwarded) that we want to encrypt+encapsulate with IPsec.in and fwd are used on incoming IPsec traffic and are applied to packets encapsulated within IPsec:in is applied to inner packets whose destination IP is this computerfwd is applied to inner packets which should be forwarded further
Reference:
https://serverfault.com/a/1048382
https://thermalcircle.de/doku.php?id=blog:linux:nftables_ipsec_packet_flow#the_xfrm_framework
https://backreference.org/2014/11/12/on-the-fly-ipsec-vpn-with-iproute2/
End to End setup
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
| #!/bin/bash
# set -x
# Test End to End setup
# ns1 --|-- ns2
# 1.1 1.2
# clean env
nets="ns1 ns2"
for net in $nets; do
ip netns del $net
done
modprobe -r veth
# setup topo
for net in $nets; do
ip netns add $net
done
ip -n ns1 link add veth0 type veth peer netns ns2 name veth0
for n in $(seq 2); do
ip -n ns$n link set veth0 up
ip -n ns$n addr add 192.168.1.${n}/24 dev veth0
ip -n ns$n addr add 2000::${n}/64 dev veth0
done
# setup ipsec
ns1_addr="192.168.1.1"
ns2_addr="192.168.1.2"
ip -n ns1 xfrm state add src ${ns1_addr} dst ${ns2_addr} spi 1000 proto ah auth sha1 beef_fish_pork_salad mode transport
ip -n ns1 xfrm state add src ${ns2_addr} dst ${ns1_addr} spi 1000 proto ah auth sha1 beef_fish_pork_salad mode transport
ip -n ns1 xfrm policy add src ${ns1_addr} dst ${ns2_addr} dir out tmpl src ${ns1_addr} dst ${ns2_addr} proto ah spi 1000 mode transport
ip -n ns1 xfrm policy add src ${ns2_addr} dst ${ns1_addr} dir in tmpl src ${ns2_addr} dst ${ns1_addr} proto ah spi 1000 mode transport level use
ip -n ns2 xfrm state add src ${ns1_addr} dst ${ns2_addr} spi 1000 proto ah auth sha1 beef_fish_pork_salad mode transport
ip -n ns2 xfrm state add src ${ns2_addr} dst ${ns1_addr} spi 1000 proto ah auth sha1 beef_fish_pork_salad mode transport
ip -n ns2 xfrm policy add src ${ns2_addr} dst ${ns1_addr} dir out tmpl src ${ns2_addr} dst ${ns1_addr} proto ah spi 1000 mode transport
ip -n ns2 xfrm policy add src ${ns1_addr} dst ${ns2_addr} dir in tmpl src ${ns1_addr} dst ${ns2_addr} proto ah spi 1000 mode transport level use
ip netns exec ns1 ping ${ns2_addr} -c 2
|
End to End tunnel mode
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
| #!/bin/bash
set -x
# Test topo with one network
# ns1 --|-- ns2
# 1.1 1.2
# 0.1 0.2
# clean env
nets="ns1 ns2"
for net in $nets; do
ip netns del $net
done
modprobe -r veth
# start setup
for net in $nets; do
ip netns add $net
done
ip -n ns1 link add veth0 type veth peer netns ns2 name veth0
for n in `seq 2`; do
ip -n ns$n link set veth0 up
ip -n ns$n addr add 192.168.1.${n}/24 dev veth0
ip -n ns$n addr add 2000::${n}/64 dev veth0
ip -n ns$n link add dummy0 type dummy
ip -n ns$n link set dummy0 up
ip -n ns$n addr add 10.0.0.${n}/24 dev dummy0
done
ns1_v="192.168.1.1"
ns2_v="192.168.1.2"
ns1_d="10.0.0.1"
ns2_d="10.0.0.2"
ip -n ns1 xfrm state add src ${ns1_v} dst ${ns2_v} spi 1000 proto ah auth sha1 beef_fish_pork_salad mode tunnel
ip -n ns1 xfrm state add src ${ns2_v} dst ${ns1_v} spi 1000 proto ah auth sha1 beef_fish_pork_salad mode tunnel
ip -n ns1 xfrm policy add src ${ns1_d} dst ${ns2_d} dir out tmpl src ${ns1_v} dst ${ns2_v} proto ah spi 1000 mode tunnel
ip -n ns1 xfrm policy add src ${ns2_d} dst ${ns1_d} dir in tmpl src ${ns2_v} dst ${ns1_v} proto ah spi 1000 mode tunnel level use
#ip -n ns1 xfrm policy add src ${ns2_d} dst ${ns1_d} dir in action block
#ip netns exec ns1 sysctl -w net.ipv4.conf.veth0.disable_policy=1
ip -n ns2 xfrm state add src ${ns1_v} dst ${ns2_v} spi 1000 proto ah auth sha1 beef_fish_pork_salad mode tunnel
ip -n ns2 xfrm state add src ${ns2_v} dst ${ns1_v} spi 1000 proto ah auth sha1 beef_fish_pork_salad mode tunnel
ip -n ns2 xfrm policy add src ${ns2_d} dst ${ns1_d} dir out tmpl src ${ns2_v} dst ${ns1_v} proto ah spi 1000 mode tunnel
ip -n ns2 xfrm policy add src ${ns1_d} dst ${ns2_d} dir in tmpl src ${ns1_v} dst ${ns2_v} proto ah spi 1000 mode tunnel level use
ip netns exec ns1 ping ${ns2_d} -c 2 -W 1
|
Net to Net setup
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
| #!/bin/bash
# set -x
# ns1 -- | -- rt1 -- | -- rt2 -- | -- ns2
# 1.1 --- 1.254 --- 100.1 --- 100.2 --- 2.254 --- 2.1
ns_addr[1]="192.168.1.1"
ns_addr[2]="192.168.2.1"
ns_net[1]="192.168.1.0"
ns_net[2]="192.168.2.0"
ns_gw[1]="192.168.1.254"
ns_gw[2]="192.168.2.254"
rt_addr[1]="10.0.100.1"
rt_addr[2]="10.0.100.2"
ip -a netns del
for i in $(seq 2); do
ip netns add ns${i}
ip netns add rt${i}
ip link add veth0 netns ns${i} type veth peer name veth0 netns rt${i}
done
ip link add veth1 netns rt1 type veth peer name veth1 netns rt2
for i in $(seq 2); do
ip -n ns${i} link set veth0 up
ip -n ns${i} addr add ${ns_addr[$i]}/24 dev veth0
ip -n ns${i} route add default via ${ns_gw[$i]} dev veth0
ip -n rt${i} link set veth0 up
ip -n rt${i} addr add ${ns_gw[$i]}/24 dev veth0
ip -n rt${i} link set veth1 up
ip -n rt${i} addr add ${rt_addr[$i]}/24 dev veth1
ip netns exec rt${i} sysctl -w net.ipv4.ip_forward=1
done
ip -n rt1 route add ${ns_net[2]}/24 via ${rt_addr[2]} dev veth1
ip -n rt2 route add ${ns_net[1]}/24 via ${rt_addr[1]} dev veth1
ip netns exec ns1 ping ${ns_addr[2]} -c 2
# Add Net to Net tunnel mode
proto=esp
mode=tunnel
spi_1=0x1000
spi_2=0x2000
src=${rt_addr[1]}
dst=${rt_addr[2]}
src_net="${ns_net[1]}/24"
dst_net="${ns_net[2]}/24"
ip -n rt1 xfrm state add src $src dst $dst spi $spi_1 proto $proto enc des3_ede _I_want_to_have_chicken_ auth sha1 beef_fish_pork_salad mode $mode
ip -n rt1 xfrm state add src $dst dst $src spi $spi_2 proto $proto enc des3_ede _I_want_to_have_chicken_ auth sha1 beef_fish_pork_salad mode $mode
ip -n rt1 xfrm policy add src $src_net dst $dst_net dir out tmpl src $src dst $dst proto $proto spi $spi_1 mode $mode
ip -n rt1 xfrm policy add src $dst_net dst $src_net dir fwd tmpl src $dst dst $src proto $proto spi $spi_2 mode $mode
src=${rt_addr[2]}
dst=${rt_addr[1]}
src_net="${ns_net[2]}/24"
dst_net="${ns_net[1]}/24"
ip -n rt2 xfrm state add src $src dst $dst spi $spi_2 proto $proto enc des3_ede _I_want_to_have_chicken_ auth sha1 beef_fish_pork_salad mode $mode
ip -n rt2 xfrm state add src $dst dst $src spi $spi_1 proto $proto enc des3_ede _I_want_to_have_chicken_ auth sha1 beef_fish_pork_salad mode $mode
ip -n rt2 xfrm policy add src $src_net dst $dst_net dir out tmpl src $src dst $dst proto $proto spi $spi_2 mode $mode
ip -n rt2 xfrm policy add src $dst_net dst $src_net dir fwd tmpl src $dst dst $src proto $proto spi $spi_1 mode $mode
ip netns exec ns1 ping ${ns_addr[2]} -c 2
|
Author
Hangbin Liu
LastMod
2022-07-29
(acc8f61)