Hi gentlepeople, I hope I can pick your collective brains around an issue which is frustrating me...
First, I have two VMs hosted at a hyperscaler, which does not allow IP multicast over its L2 "overlay" network connecting these VMs. Furthermore, plain GRE is also disallowed by policy in this environment. But IPsec tunnels work fine - each VM has interfaces "facing" each other over the same IP subnet - however the respective remote MAC is just the same MAC as the default gateway (the L2 overlay is not fully transparent, more like ProxyARP).

Anyway, setting up an IPsec tunnel is easy enough. As is setting up a GRE tunnel (L3 or L2 encapsulation doesn't matter). And I can see that unicast traffic between these tunnel endpoints is (only) IPsec encrypted and responded to (ping works). However, all the GRE encapsulated traffic does get sent out, and is received. But once the IPsec layer has decoded the inner GRE packet, it appears to not get handed off to the ip_gre driver, and is instead just visible (with GRE header) on the destination interface when taking a tcpdump. Conversely, tracing the GRE interface only shows the outbound traffic, but never any inbound traffic...

I've seen similar reports around IPsec across two-way NATs (but here the src/dst IP of the endpoint is on the same logical subnet); setting all rp_filters to zero doesn't change anything. At the moment it appears as if the IPsec library, instead of properly handing off the decoded packet to any other higher layer protocol handler, simply dumps the decoded frame to the destination interface.

Since I'm not that well versed in troubleshooting the Linux packet handlers / traffic control architecture, any help would be highly appreciated!

Thanks a lot,
Richard

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
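An added diagnostic for the situation described in the post above; this is example code, not something the poster or the Libreswan project supplied. One piece of context it relies on: on Linux, a packet decapsulated from a tunnel-mode SA is re-injected into the receive path, so the cleartext GRE packet appearing in tcpdump on the underlay interface after the ESP copy is expected and does not by itself mean it was dropped. What tells you where it went is which kernel counters move: the xfrm error counters in /proc/net/xfrm_stat say whether the decrypted packet failed the inbound policy check, and the per-interface counters in /proc/net/dev say whether ip_gre ever received it. The script snapshots both files, compares them after test traffic, and maps the deltas to findings. The interface names gre1 and eth0 are assumptions (the post gives none), and the sample snapshots are constructed, not captures from the poster's VMs.

```python
"""Counter-delta check for GRE over IPsec on Linux (added example; not code
from the original post or from Libreswan). Assumed device names: gre1 for
the GRE tunnel, eth0 for the underlay. Sample data below is constructed."""

XFRM_STAT = "/proc/net/xfrm_stat"
NET_DEV = "/proc/net/dev"

# xfrm input counters that matter here and what an increment means.
XFRM_HINTS = {
    "XfrmInNoStates": "ESP arrived but no SA matched (SPI/addresses)",
    "XfrmInStateProtoError": "ESP integrity check or decryption failed (key/algorithm mismatch)",
    "XfrmInNoPols": "decrypted inner packet matched no inbound policy and was dropped; "
                    "check that the inbound policy selector covers proto 47 (GRE)",
    "XfrmInTmplMismatch": "an inbound policy matched but its template (mode/reqid/addresses) "
                          "does not describe the SA the packet came through",
    "XfrmInPolBlock": "inbound policy action is block",
}


def parse_xfrm_stat(text):
    """Lines look like 'XfrmInNoPols   3'; return {name: count}."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            out[parts[0]] = int(parts[1])
    return out


def parse_net_dev(text):
    """Return {iface: {rx_packets, rx_dropped, tx_packets}} from /proc/net/dev.

    After the 'iface:' prefix the kernel prints 8 receive fields then 8 transmit
    fields: rx packets is index 1, rx drop index 3, tx packets index 9."""
    out = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # the two header lines
        name, rest = line.split(":", 1)
        f = rest.split()
        if len(f) < 16:
            continue
        out[name.strip()] = {"rx_packets": int(f[1]), "rx_dropped": int(f[3]),
                             "tx_packets": int(f[9])}
    return out


def delta(before, after):
    """Counters that changed between two {name: int} snapshots."""
    return {k: after[k] - before.get(k, 0) for k in after if after[k] != before.get(k, 0)}


def read_snapshot():
    """Live snapshot (Linux with xfrm loaded). Take one, send traffic over gre1, take another."""
    with open(XFRM_STAT) as fx, open(NET_DEV) as fd:
        return fx.read(), fd.read()


def diagnose(before, after, gre_if="gre1", underlay="eth0"):
    """before/after are (xfrm_stat_text, net_dev_text) tuples; returns [(code, detail)]."""
    findings = []
    xd = delta(parse_xfrm_stat(before[0]), parse_xfrm_stat(after[0]))
    for name, hint in XFRM_HINTS.items():
        if xd.get(name, 0) > 0:
            findings.append((name, f"+{xd[name]}: {hint}"))

    dev_b, dev_a = parse_net_dev(before[1]), parse_net_dev(after[1])
    if gre_if not in dev_a:
        findings.append(("NO_GRE_DEVICE", f"{gre_if} absent from {NET_DEV}; is ip_gre loaded and the device up?"))
        return findings
    gre_rx = dev_a[gre_if]["rx_packets"] - dev_b.get(gre_if, {}).get("rx_packets", 0)
    gre_tx = dev_a[gre_if]["tx_packets"] - dev_b.get(gre_if, {}).get("tx_packets", 0)
    under_rx = dev_a.get(underlay, {}).get("rx_packets", 0) - dev_b.get(underlay, {}).get("rx_packets", 0)

    if gre_rx > 0:
        findings.append(("GRE_RX_OK", f"{gre_if} received {gre_rx} packets: ip_gre is getting the inner packets"))
    elif gre_tx > 0 and under_rx > 0 and not findings:
        # Underlay saw traffic, xfrm reported no error, nothing reached the GRE device:
        # the decapsulated GRE packet is reaching IP but matching no GRE tunnel device.
        findings.append(("GRE_RX_ZERO", f"{gre_if} sent {gre_tx}, received 0, {underlay} rx grew by {under_rx}; "
                          "compare local/remote/key of the GRE device (ip -d link show) with the outer "
                          "addresses of the decapsulated packet seen in tcpdump"))
    return findings


def sample_xfrm(nopols):
    """Constructed /proc/net/xfrm_stat text, not a real capture."""
    return f"XfrmInError 0\nXfrmInNoStates 0\nXfrmInNoPols {nopols}\nXfrmInTmplMismatch 0\n"


def sample_net_dev(eth0_rx, gre1_rx, gre1_tx):
    """Constructed /proc/net/dev text in the kernel's 16-field layout, not a real capture."""
    hdr = ("Inter-|   Receive                                                |  Transmit\n"
           " face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed\n")
    row = "{:>6}: {:>7} {:>7} 0 0 0 0 0 0 {:>7} {:>7} 0 0 0 0 0 0\n"
    return (hdr + row.format("eth0", eth0_rx * 100, eth0_rx, 90000, 900)
            + row.format("gre1", gre1_rx * 84, gre1_rx, gre1_tx * 84, gre1_tx))


if __name__ == "__main__":
    before = (sample_xfrm(0), sample_net_dev(1000, 0, 5))
    for label, after in [("policy drop", (sample_xfrm(3), sample_net_dev(1010, 0, 7))),
                         ("no tunnel match", (sample_xfrm(0), sample_net_dev(1010, 0, 7))),
                         ("working", (sample_xfrm(0), sample_net_dev(1010, 2, 7)))]:
        print(label, "->", diagnose(before, after))
```

For live use, replace the constructed samples with `before = read_snapshot()`, send a few pings over the GRE device, then `after = read_snapshot()` and call `diagnose(before, after)` with your real interface names. The three constructed scenarios separate the cases the post conflates: the inner packet dropped by xfrm policy (XfrmInNoPols moves), the inner packet reaching IP but no GRE device claiming it (underlay rx grows, gre1 rx stays zero, no xfrm error), and the working case (gre1 rx grows).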
