Hello,

My question is about the Netkey hooks in Linux Netfilter (http://strongswan.org/docs/LinuxKongress2009-strongswan.pdf, ppt 37). I want to understand the data path. Here is my understanding:
1 - The host receives an ESP packet that is intended for it on its interface.
2 - The input chain accepts this ESP packet that comes into the network layer.
3 - The ESP packet is decapsulated according to the appropriate SA. I have no idea what state in/out means. I think that policy in/out/forward refer to the policy module, doesn't it?
4 - The decapsulated packet appears again on the same interface. In fact, when a host receives ESP packets, we noticed that a tcpdump capture shows both ESP encapsulated and original packets. This is a particularity of the Netkey stack.
5 - The packet can pass through the input chain only if it meets the properties claimed by the policy module, e.g.

 pkts bytes target     prot opt in     out     source               destination
    1   148 ACCEPT     all  --  eth0   *       10.1.0.0/16          192.168.0.100        policy match dir in pol ipsec reqid 1 proto 50

In that example, all traffic from subnet 10.1.0.0/16 is accepted only if it previously used the appropriate IPSec policy.

Please help me and tell me if I am wrong.

Regards,
Stéphanie
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
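As an added example (not part of the post above or of strongSwan itself), the point behind step 5 can be turned into a check: any ACCEPT rule that admits the remote subnet but lacks `policy match dir in pol ipsec` would also admit a plaintext packet that merely carries a 10.1.0.0/16 source address. The script parses an `iptables -L INPUT -v -n` style listing (a constructed sample, not output from the poster's host) and reports such rules; the remote subnet list is an assumption.

```python
"""Audit an `iptables -L INPUT -v -n` listing for ACCEPT rules that admit a
remote IPsec subnet without requiring that the packet came out of an inbound SA."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample listing: one ESP rule, one policy-matched rule, one rule
# for a sub-range of the remote subnet with no policy match, one unrelated rule.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   252 ACCEPT     esp  --  eth0   *       10.1.0.1             192.168.0.100
    1   148 ACCEPT     all  --  eth0   *       10.1.0.0/16          192.168.0.100        policy match dir in pol ipsec reqid 1 proto 50
    7   588 ACCEPT     all  --  eth0   *       10.1.5.0/24          192.168.0.100
    0     0 ACCEPT     all  --  eth0   *       10.2.0.0/16          192.168.0.100
"""

POLICY_IN = re.compile(r"policy match dir in pol ipsec")

@dataclass
class Rule:
    target: str
    proto: str
    in_if: str
    source: str
    dest: str
    extra: str  # match extensions after the nine fixed columns

def parse_listing(text):
    """Parse rule rows; chain and column header lines are skipped."""
    rules = []
    for line in text.splitlines():
        parts = line.split(None, 9)
        # counters may carry a K/M/G suffix in -v output, e.g. "12K"
        if len(parts) < 9 or not re.fullmatch(r"\d+[KMG]?", parts[0]):
            continue
        extra = parts[9] if len(parts) > 9 else ""
        rules.append(Rule(parts[2], parts[3], parts[5], parts[7], parts[8], extra))
    return rules

def unprotected_accepts(rules, remote_subnets):
    """Return ACCEPT rules whose source overlaps a remote IPsec subnet but
    that do not require the packet to have matched an inbound IPsec policy."""
    nets = [ipaddress.ip_network(n) for n in remote_subnets]
    findings = []
    for r in rules:
        if r.target != "ACCEPT" or r.proto in ("esp", "ah"):
            continue  # the ESP/AH rules are what admit the encapsulated packet (step 2)
        src = ipaddress.ip_network(r.source)
        overlaps = any(src.subnet_of(n) or n.subnet_of(src) for n in nets)
        if overlaps and not POLICY_IN.search(r.extra):
            findings.append(r)
    return findings

if __name__ == "__main__":
    for r in unprotected_accepts(parse_listing(SAMPLE_LISTING), ["10.1.0.0/16"]):
        print(f"no inbound policy match: ACCEPT {r.proto} from {r.source} on {r.in_if}")
```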
