I know that IPsec OUT policy is used to determine which egress packets need to be encrypted in "XFRM lookup" box [ http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg ].
But what is the purpose of IPsec IN policy? I verified with ping and tcpdump that packets were still successfully encrypted and decrypted even if I don't have any IPsec IN policies (see below the "ip xfrm" commands that I executed on both hosts. Also, I removed strongSwan from the picture here for clarity).

SRC=1.1.1.10; # swap SRC with DST on the peer
DST=2.1.1.10;
KEY1=0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
KEY2=0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
ID=0x00000001

ip xfrm state flush; ip xfrm policy flush

ip xfrm state add src $DST dst $SRC proto esp spi $ID reqid $ID mode transport auth sha256 $KEY1 enc aes $KEY2 sel src 0.0.0.0/0 dst 0.0.0.0/0
ip xfrm state add src $SRC dst $DST proto esp spi $ID reqid $ID mode transport auth sha256 $KEY1 enc aes $KEY2 sel src 0.0.0.0/0 dst 0.0.0.0/0

ip xfrm policy add src $SRC dst $DST dir out tmpl src $SRC dst $DST proto esp reqid $ID mode transport
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
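The inbound policy is what makes the kernel require the ESP template for traffic matching the selector; with only a "dir out" policy, a cleartext packet from the peer for that selector is still delivered, which a ping test cannot reveal because the peer always encrypts. As an added example (not part of the original post or of strongSwan), the POSIX shell script below emits the missing "dir in" policy next to the "dir out" one and audits an "ip xfrm policy show" listing for selectors protected in the outbound direction only. It assumes the same SRC/DST/ID values as the post and the iproute2 listing layout (a "src A/len dst B/len" line followed by an indented "dir ..." line); the sample listing is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Emits the full transport-mode
# policy pair (out AND in) for one peer, and audits an 'ip xfrm policy show'
# listing for selectors that are only protected in the outbound direction.
# Assumption: the listing uses the iproute2 layout, i.e. a
# "src A/len dst B/len" line followed by an indented "dir ..." line.

# Print the two policy commands; the "dir in" one is what the post lacks.
# Without it the kernel accepts cleartext from the peer for this selector,
# because an inbound policy is what demands the ESP template on input.
xfrm_policy_cmds() {
    src=$1; dst=$2; id=$3
    printf 'ip xfrm policy add src %s dst %s dir out tmpl src %s dst %s proto esp reqid %s mode transport\n' \
        "$src" "$dst" "$src" "$dst" "$id"
    printf 'ip xfrm policy add src %s dst %s dir in tmpl src %s dst %s proto esp reqid %s mode transport\n' \
        "$dst" "$src" "$dst" "$src" "$id"
}

# Read an 'ip xfrm policy show' listing from $1 and print "SRC DST" for every
# "dir out" selector that has no "dir in" selector in the reverse direction.
# Prints nothing when every outbound policy has its inbound twin.
audit_policies() {
    printf '%s\n' "$1" | awk '
        $1 == "src" && $3 == "dst" { s = $2; d = $4; next }
        $1 == "dir"                { seen[$2 " " s " " d] = 1 }
        END {
            for (k in seen) {
                split(k, f, " ")
                if (f[1] == "out" && !(("in " f[3] " " f[2]) in seen))
                    print f[2] " " f[3]
            }
        }' | sort
}

# Constructed sample listing: the situation from the post, one "dir out"
# policy and no inbound counterpart.
SAMPLE_LISTING='src 1.1.1.10/32 dst 2.1.1.10/32
        dir out priority 0
        tmpl src 1.1.1.10 dst 2.1.1.10
                proto esp reqid 1 mode transport'

echo "Selectors with outbound-only protection:"
audit_policies "$SAMPLE_LISTING"    # 1.1.1.10/32 2.1.1.10/32
echo "Commands to install both directions:"
xfrm_policy_cmds 1.1.1.10 2.1.1.10 0x00000001
```

Run the audit against the live output of "ip xfrm policy show" on each host; an empty result means every outbound selector also has an inbound policy.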
