On 18.10.2016 21:43, Brian O'Connor wrote:
> I think I have the decryption process clear but was not clear on the iptables
> processing for encrypted packets. From what you said, it looks like the NAT-T header is
> added after the iptables processing of an outbound encrypted packet, on the second pass by the
> outbound XFRM lookup. Is my understanding correct?
ESP encapsulation and NAT-T are applied in a single step when the packet is processed in xfrm encode.

Generally, a packet that is sent *from a local process* and is to be protected with IPsec makes two passes through the OUTPUT PATH part of the graphic:

1) When it is sent by the process and passed through the chains and other parts of Netfilter in the path, until it is caught by xfrm lookup and is fed into xfrm encode.

2) When it is passed from xfrm encode into *raw OUTPUT. When that happens, the original packet that was sent by the kernel is transformed by xfrm into an ESP or NAT-T packet (that is simply ESP in a UDP shell; nothing fancy about that). It then traverses the Netfilter chains as an ESP or UDP packet, through the chains and other parts of Netfilter, until it reaches egress (qdisc).

--
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
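The following is an added example, not part of the list post above and not strongSwan's own configuration. It turns the two-pass description into iptables OUTPUT rules that make each pass observable: the first pass is the still-cleartext packet, which the xt_policy match (`-m policy --dir out --pol ipsec`) recognises because an outbound IPsec policy applies to it; the second pass is the transformed packet re-entering at raw OUTPUT, which is now plain ESP or, with NAT-T, UDP to port 4500, so it is matched by protocol rather than by policy. The LOG prefixes, the UDP/4500 port, and the absence of any interface filter are assumptions made for the example; adjust them to the host's setup.

```shell
#!/bin/sh
# Added example (not from the list post). Assumptions: NAT-T on UDP/4500,
# LOG target available, no interface restriction on the rules.

# Pass 1: the cleartext packet before xfrm encode. xt_policy matches it
# because the SPD lookup found an outbound IPsec policy for it.
pass1_rules() {
  cat <<'EOF'
-A OUTPUT -m policy --dir out --pol ipsec -j LOG --log-prefix "ipsec-pass1-clear: "
-A OUTPUT -m policy --dir out --pol ipsec -j ACCEPT
EOF
}

# Pass 2: the packet produced by xfrm encode, re-entering at raw OUTPUT as
# ESP, or as UDP/4500 when NAT-T is in use. Match by protocol, not policy.
pass2_rules() {
  cat <<'EOF'
-A OUTPUT -p esp -j LOG --log-prefix "ipsec-pass2-esp: "
-A OUTPUT -p esp -j ACCEPT
-A OUTPUT -p udp --dport 4500 -j LOG --log-prefix "ipsec-pass2-natt: "
-A OUTPUT -p udp --dport 4500 -j ACCEPT
EOF
}

# Emit a complete iptables-restore fragment for the filter table.
render_ruleset() {
  printf '*filter\n'
  pass1_rules
  pass2_rules
  printf 'COMMIT\n'
}

# Count the OUTPUT rules contributed by one pass (used for self-checking).
count_rules() {
  "$1" | grep -c '^-A OUTPUT'
}

# Apply only when asked explicitly and iptables-restore exists; otherwise
# just print the ruleset so it can be reviewed first.
if [ "${1:-print}" = "apply" ] && command -v iptables-restore >/dev/null 2>&1; then
  render_ruleset | iptables-restore --noflush
else
  render_ruleset
fi
```

Running the script without arguments prints the ruleset; `sh script.sh apply` loads it with `iptables-restore --noflush`, appending to the existing filter table. Once loaded, a single outbound packet to a protected destination produces one `ipsec-pass1-clear` log line followed by one `ipsec-pass2-esp` or `ipsec-pass2-natt` line, which is the two-pass traversal the post describes.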
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users