ip rule and ipsec policy

Linux Advanced Routing and Traffic Control


Hello everybody.
AFAIK ipsec policies aren't related to routing
tables: if there is an ipsec policy to deliver
traffic, for example, from 192.168.0.0/16 to
10.0.0.0/8, xfrm will eat the packets ignoring
the routing table.

Take a look:

# ip ru sh
0:      from all lookup local
601:    from 172.23.0.0/23 iif eth2 lookup isa
32766:  from all lookup main
32767:  from all lookup default

# ip r sh table isa
default via 172.23.1.254 dev eth2  metric 1

When I insert rule number #601, packets from
172.23.0.0/23 to 172.21.1.0/24 are rerouted to
172.23.1.254: xfrm isn't eating them anymore.
Is this the expected behaviour?
Inserting rule number #501 is a workaround.

# ip ru sh
0:      from all lookup local
501:    from 172.23.0.0/23 to 172.16.0.0/12 iif eth2 lookup main
601:    from 172.23.0.0/23 iif eth2 lookup isa
32766:  from all lookup main
32767:  from all lookup default

# ip x p
src 172.21.1.0/24 dst 172.23.0.0/23
        dir in priority 2376 ptype main
        tmpl src osw-napoli dst osw-genova
                proto comp reqid 16390 mode tunnel
                level use
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16389 mode transport
src 172.23.0.0/23 dst 172.21.1.0/24
        dir out priority 2376 ptype main
        tmpl src osw-genova dst osw-napoli
                proto comp reqid 16390 mode tunnel
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16389 mode transport
src 172.21.1.0/24 dst 172.23.0.0/23
        dir fwd priority 2376 ptype main
        tmpl src osw-napoli dst osw-genova
                proto comp reqid 16390 mode tunnel
                level use
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16389 mode transport

Here are the other routing tables:

# ip r sh table main
cisco-genova dev eth0  scope link
dmz-genova/28 dev eth1  proto kernel  scope link  src osw-genova
172.21.1.0/24 via cisco-genova dev eth0
172.23.0.0/23 dev eth2  proto kernel  scope link  src 172.23.1.8
127.0.0.0/8 dev lo  scope link
default via cisco-genova dev eth0  metric 1

# ip r sh table local
broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1
local 172.23.2.254 dev eth0  proto kernel  scope host  src 172.23.2.254
broadcast dmz-genova dev eth0  proto kernel  scope link  src osw-genova
broadcast dmz-genova dev eth1  proto kernel  scope link  src osw-genova
broadcast broadcast-genova dev eth0  proto kernel  scope link  src osw-genova
broadcast broadcast-genova dev eth1  proto kernel  scope link  src osw-genova
local osw-genova dev eth0  proto kernel  scope host  src osw-genova
local osw-genova dev eth1  proto kernel  scope host  src osw-genova
broadcast 172.23.0.0 dev eth2  proto kernel  scope link  src 172.23.1.8
broadcast 172.23.1.255 dev eth2  proto kernel  scope link  src 172.23.1.8
local 172.23.1.8 dev eth2  proto kernel  scope host  src 172.23.1.8
broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1
local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1
local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1
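The rule interaction in the post can be checked offline before touching a live router. The script below is an added example (not from the post or the LARTC list): it parses the two `ip rule show` listings and the `ip xfrm policy` output quoted above, walks the rule list the way the kernel does (first matching rule whose table actually holds a route for the destination wins), and reports which table a forwarded flow from 172.23.0.0/23 ends up in before and after rule 501, alongside whether a `dir out` xfrm policy selector covers that flow. The table contents are condensed by hand from the `ip route show table ...` listings, the local table is assumed empty for these forwarded flows, and the hostnames in the listings are not resolved; it does not attempt to explain why xfrm stops matching, only what the rule change does to table selection.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network

# Constructed input: the `ip rule show` listings from the post, before and after rule 501.
RULES_BEFORE = """\
0:      from all lookup local
601:    from 172.23.0.0/23 iif eth2 lookup isa
32766:  from all lookup main
32767:  from all lookup default
"""
RULES_AFTER = """\
0:      from all lookup local
501:    from 172.23.0.0/23 to 172.16.0.0/12 iif eth2 lookup main
601:    from 172.23.0.0/23 iif eth2 lookup isa
32766:  from all lookup main
32767:  from all lookup default
"""
# Constructed input: the `ip xfrm policy` listing from the post (tmpl lines are skipped).
XFRM_POLICY = """\
src 172.21.1.0/24 dst 172.23.0.0/23
        dir in priority 2376 ptype main
src 172.23.0.0/23 dst 172.21.1.0/24
        dir out priority 2376 ptype main
        tmpl src osw-genova dst osw-napoli
                proto comp reqid 16390 mode tunnel
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16389 mode transport
src 172.21.1.0/24 dst 172.23.0.0/23
        dir fwd priority 2376 ptype main
"""
# Assumption: destination prefixes per table, condensed from the `ip route show table`
# listings. The local table is left empty because the flows examined are forwarded.
TABLES = {
    "local": [],
    "isa": [Net("0.0.0.0/0")],
    "main": [Net("172.21.1.0/24"), Net("172.23.0.0/23"), Net("0.0.0.0/0")],
    "default": [],
}

@dataclass
class Rule:
    pref: int
    src: Optional[Net]   # None means "from all"
    dst: Optional[Net]   # None means any destination
    iif: Optional[str]
    table: str

def parse_rules(text: str):
    """Parse `ip rule show` output into Rule objects ordered by preference."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pref, rest = line.split(":", 1)
        rule = Rule(int(pref), None, None, None, "main")
        toks = rest.split()
        for key, val in zip(toks[0::2], toks[1::2]):
            if key == "from":
                rule.src = None if val == "all" else Net(val)
            elif key == "to":
                rule.dst = None if val == "all" else Net(val)
            elif key == "iif":
                rule.iif = val
            elif key == "lookup":
                rule.table = val
        rules.append(rule)
    return sorted(rules, key=lambda r: r.pref)

def select_table(rules, tables, src: str, dst: str, iif: str):
    """(pref, table) of the first rule matching the flow whose table has a route for dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.src is not None and s not in r.src:
            continue
        if r.dst is not None and d not in r.dst:
            continue
        if r.iif is not None and r.iif != iif:
            continue
        if any(d in net for net in tables.get(r.table, [])):
            return r.pref, r.table
    return None

def parse_out_policies(text: str):
    """Collect (src, dst) selectors of `dir out` xfrm policies."""
    out, cur = [], None
    for line in text.splitlines():
        toks = line.split()
        if line.startswith("src "):
            cur = (Net(toks[1]), Net(toks[3]))
        elif toks and toks[0] == "dir" and toks[1] == "out" and cur:
            out.append(cur)
    return out

def covered_by_out_policy(policies, src: str, dst: str) -> bool:
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ps and d in pd for ps, pd in policies)

if __name__ == "__main__":
    pol = parse_out_policies(XFRM_POLICY)
    for label, text in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        for dst in ("172.21.1.5", "8.8.8.8"):
            print(label, dst, select_table(parse_rules(text), TABLES, "172.23.1.10", dst, "eth2"),
                  "out policy:", covered_by_out_policy(pol, "172.23.1.10", dst))
```

Run stand-alone it shows that, before rule 501, a packet from 172.23.1.10 to 172.21.1.5 arriving on eth2 is sent to table isa by rule 601 even though an `out` xfrm policy selects exactly that src/dst pair, while after rule 501 the same packet is answered by table main and only non-VPN destinations such as 8.8.8.8 still fall through to isa. That is the narrow carve-out the workaround relies on: rule 501's `to 172.16.0.0/12` must cover every remote prefix that has an xfrm policy, so when adding further tunnels the rule (or a set of rules) needs to be extended to match.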



_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc