My setup:

SAs:
  Bj -> A esp
  A -> Bj esp
  Bk -> A esp
  A -> Bk esp

SPs:
  Bj -> A esp/tunnel
  A -> Bj esp/tunnel
  Bk -> A esp/tunnel
  A -> Bk esp/tunnel

iproute command:
  ip r a A src Bk dev eth0

Kernel: 2.6.9 vanilla
ipsec-tools: 0.4rc1 (slightly old, but the SPs / SAs add correctly)

Traffic when running `ping A` on host 'B':
  Bk -> A ICMP Request   !!! This should be an ESP
  A -> Bk ESP

With the special route deleted:
  Bj -> A ESP w/ Bj -> A ICMP underneath
  A -> Bj ESP w/ A -> Bj ICMP underneath

Summary of important items:
  - ip policy routing used. Packet matching policy not getting encrypted
  - Kernel version 2.6.9
  - ipsec-tools version 0.4rc1
  - Using IPsec tunneling

I'm more than happy to try suggestions or provide misc details.

Cheers,
Thomas

P.S. All firewalls are turned off during these tests. Traffic is
confirmed using a 3rd system to tap. Proper SAs are being used
according to SPI numbers.

> -----Original Message-----
> From: Patrick McHardy [mailto:kaber@xxxxxxxxx]
> Sent: Tuesday, February 22, 2005 1:02 PM
> To: DuBuisson, Thomas
> Cc: 'linux-net@xxxxxxxxxxxxxxx'
> Subject: Re: BUG: Unintended (?) XFRM bypass
>
>
> DuBuisson, Thomas wrote:
> > Please CC me on all responses.
> > The XFRM framework seems to be bypassed by the use of advanced routing.
> >
> > I have run the following test:
> > Network: A <-------> B <---------> C
> > where the IP of 'B' on network AB is j (eth0)
> > and the IP of 'B' on network BC is k (eth1)
> >
> > Kernel 2.6.x: Be sure to have Advanced Routing -> Policy Routing
> > compiled in your kernel.
> >
> > A) Set up IPsec ESP tunnels between computer A and B (both IP
> >    addresses k and j)
> > B) Send packets to 'A' from 'B' with IP 'k'.
> >    Do this with: ip route add A src k dev eth0
> > C) Observe that these packets are unencrypted.
>
> Works correctly here. Which kernel are you using? Please post your full
> configuration (policies, routes, firewall rules) so we can see what's
> different with your setup.
>
> Regards
> Patrick
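The procedure Thomas describes (manual ESP tunnels for both of B's addresses, the `ip route ... src k` policy route, and confirming on a tap whether Bk -> A traffic is ESP or clear) can be reproduced and checked with the script below. It is an added example and not code from the thread or from ipsec-tools; the addresses (A=10.0.0.1, Bj=10.0.0.2, Bk=10.0.1.2), the SPIs, the keys, the function names and the captured tcpdump lines are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: build the reported setup with manual
# ESP tunnels (setkey(8) from ipsec-tools), add the policy route that picks
# source address k, and audit a tap capture for packets that left B in the
# clear. Addresses, SPIs, keys and the sample capture are constructed.

# Emit a setkey configuration for host B: four tunnel-mode SAs and four SPs
# covering A <-> Bj and A <-> Bk. The keys are placeholders; in real use
# give every SA its own key from e.g. `openssl rand -hex 16` (aes-cbc) and
# `openssl rand -hex 20` (hmac-sha1).
gen_setkey_conf() {
    A=$1; Bj=$2; Bk=$3
    EKEY=0x00112233445566778899aabbccddeeff           # 16-byte aes-cbc key
    AKEY=0x0123456789abcdef0123456789abcdef01234567   # 20-byte hmac-sha1 key
    cat <<EOF
flush;
spdflush;

# SAs: one per direction for each of B's addresses
add $Bj $A esp 0x201 -m tunnel -E aes-cbc $EKEY -A hmac-sha1 $AKEY;
add $A $Bj esp 0x202 -m tunnel -E aes-cbc $EKEY -A hmac-sha1 $AKEY;
add $Bk $A esp 0x301 -m tunnel -E aes-cbc $EKEY -A hmac-sha1 $AKEY;
add $A $Bk esp 0x302 -m tunnel -E aes-cbc $EKEY -A hmac-sha1 $AKEY;

# SPs: require the ESP tunnel for any traffic between A and either address
spdadd $Bj $A any -P out ipsec esp/tunnel/$Bj-$A/require;
spdadd $A $Bj any -P in  ipsec esp/tunnel/$A-$Bj/require;
spdadd $Bk $A any -P out ipsec esp/tunnel/$Bk-$A/require;
spdadd $A $Bk any -P in  ipsec esp/tunnel/$A-$Bk/require;
EOF
}

# Root-only steps on host B (not run by the checks below): load the policy
# and add the route from the report so packets to A leave eth0 with source k.
apply_on_B() {
    gen_setkey_conf "$1" "$2" "$3" | setkey -c
    ip route add "$1" src "$3" dev eth0
}

# Print the leaks in `tcpdump -n` output read on stdin: any packet between
# the tunnel endpoints that is not ESP should have been caught by the SPs.
leaks() {
    A=$1; Bj=$2; Bk=$3
    grep -E "IP ($A|$Bj|$Bk) > ($A|$Bj|$Bk)" | grep -v 'ESP('
}

# Constructed `tcpdump -n` lines as the tap would see them during `ping A`
# on B with the policy route in place (A=10.0.0.1, Bj=10.0.0.2,
# Bk=10.0.1.2). The first line is the reported bypass; the rest are ESP.
SAMPLE_CAPTURE='12:00:00.100 IP 10.0.1.2 > 10.0.0.1: ICMP echo request, id 1, seq 1, length 64
12:00:00.101 IP 10.0.0.1 > 10.0.1.2: ESP(spi=0x00000302,seq=0x1), length 116
12:00:01.100 IP 10.0.0.2 > 10.0.0.1: ESP(spi=0x00000201,seq=0x1), length 116
12:00:01.101 IP 10.0.0.1 > 10.0.0.2: ESP(spi=0x00000202,seq=0x1), length 116'

# Run the audit over the constructed capture; prints the one clear-text line.
sample_leaks() {
    printf '%s\n' "$SAMPLE_CAPTURE" | leaks 10.0.0.1 10.0.0.2 10.0.1.2
}

# On a live tap: tcpdump -n -i eth0 host 10.0.0.1 | leaks 10.0.0.1 10.0.0.2 10.0.1.2
```

The capture check is the point of the exercise: with `ping A` running on B and the `src Bk` route present, every Bk -> A packet on the tap should be ESP with spi 0x301; a plain ICMP echo request from Bk matches the SP selector yet was never transformed, which is exactly the symptom in the report. Removing the route and repeating the audit should print nothing.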