Marco Berizzi
2008-01-10 16:33:05 UTC
Hello everybody.
AFAIK ipsec policy aren't related to routing
tables: if there is an ipsec policy to deliver
traffic, for example, from 192.168.0.0/16 to
10.0.0.0/8, xfrm will eat the packets ignoring
the routing table.
Take a look:
# ip ru sh
0: from all lookup local
601: from 172.23.0.0/23 iif eth2 lookup isa
32766: from all lookup main
32767: from all lookup default
# ip r sh table isa
default via 172.23.1.254 dev eth2 metric 1
When I insert the rule number #601 packets from
172.23.0.0/23 to 172.21.1.0/24 are rerouted to
172.23.1.254: xfrm aren't eating them anymore.
Is this the expected behaviour?
Inserting rule number #501 is a workaround.
# ip ru sh
0: from all lookup local
501: from 172.23.0.0/23 to 172.16.0.0/12 iif eth2 lookup main
601: from 172.23.0.0/23 iif eth2 lookup isa
32766: from all lookup main
32767: from all lookup default
# ip x p
src 172.21.1.0/24 dst 172.23.0.0/23
dir in priority 2376 ptype main
tmpl src osw-napoli dst osw-genova
proto comp reqid 16390 mode tunnel
level use
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 16389 mode transport
src 172.23.0.0/23 dst 172.21.1.0/24
dir out priority 2376 ptype main
tmpl src osw-genova dst osw-napoli
proto comp reqid 16390 mode tunnel
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 16389 mode transport
src 172.21.1.0/24 dst 172.23.0.0/23
dir fwd priority 2376 ptype main
tmpl src osw-napoli dst osw-genova
proto comp reqid 16390 mode tunnel
level use
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 16389 mode transport
Here are the others routing tables:
# ip r sh table main
cisco-genova dev eth0 scope link
dmz-genova/28 dev eth1 proto kernel scope link src osw-genova
172.21.1.0/24 via cisco-genova dev eth0
172.23.0.0/23 dev eth2 proto kernel scope link src 172.23.1.8
127.0.0.0/8 dev lo scope link
default via cisco-genova dev eth0 metric 1
# ip r sh table local
broadcast 127.255.255.255 dev lo proto kernel scope link src
127.0.0.1
local 172.23.2.254 dev eth0 proto kernel scope host src 172.23.2.254
broadcast dmz-genova dev eth0 proto kernel scope link src osw-genova
broadcast dmz-genova dev eth1 proto kernel scope link src osw-genova
broadcast broadcast-genova dev eth0 proto kernel scope link src
osw-genova
broadcast broadcast-genova dev eth1 proto kernel scope link src
osw-genova
local osw-genova dev eth0 proto kernel scope host src osw-genova
local osw-genova dev eth1 proto kernel scope host src osw-genova
broadcast 172.23.0.0 dev eth2 proto kernel scope link src 172.23.1.8
broadcast 172.23.1.255 dev eth2 proto kernel scope link src
172.23.1.8
local 172.23.1.8 dev eth2 proto kernel scope host src 172.23.1.8
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
AFAIK ipsec policy aren't related to routing
tables: if there is an ipsec policy to deliver
traffic, for example, from 192.168.0.0/16 to
10.0.0.0/8, xfrm will eat the packets ignoring
the routing table.
Take a look:
# ip ru sh
0: from all lookup local
601: from 172.23.0.0/23 iif eth2 lookup isa
32766: from all lookup main
32767: from all lookup default
# ip r sh table isa
default via 172.23.1.254 dev eth2 metric 1
When I insert the rule number #601 packets from
172.23.0.0/23 to 172.21.1.0/24 are rerouted to
172.23.1.254: xfrm aren't eating them anymore.
Is this the expected behaviour?
Inserting rule number #501 is a workaround.
# ip ru sh
0: from all lookup local
501: from 172.23.0.0/23 to 172.16.0.0/12 iif eth2 lookup main
601: from 172.23.0.0/23 iif eth2 lookup isa
32766: from all lookup main
32767: from all lookup default
# ip x p
src 172.21.1.0/24 dst 172.23.0.0/23
dir in priority 2376 ptype main
tmpl src osw-napoli dst osw-genova
proto comp reqid 16390 mode tunnel
level use
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 16389 mode transport
src 172.23.0.0/23 dst 172.21.1.0/24
dir out priority 2376 ptype main
tmpl src osw-genova dst osw-napoli
proto comp reqid 16390 mode tunnel
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 16389 mode transport
src 172.21.1.0/24 dst 172.23.0.0/23
dir fwd priority 2376 ptype main
tmpl src osw-napoli dst osw-genova
proto comp reqid 16390 mode tunnel
level use
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 16389 mode transport
Here are the others routing tables:
# ip r sh table main
cisco-genova dev eth0 scope link
dmz-genova/28 dev eth1 proto kernel scope link src osw-genova
172.21.1.0/24 via cisco-genova dev eth0
172.23.0.0/23 dev eth2 proto kernel scope link src 172.23.1.8
127.0.0.0/8 dev lo scope link
default via cisco-genova dev eth0 metric 1
# ip r sh table local
broadcast 127.255.255.255 dev lo proto kernel scope link src
127.0.0.1
local 172.23.2.254 dev eth0 proto kernel scope host src 172.23.2.254
broadcast dmz-genova dev eth0 proto kernel scope link src osw-genova
broadcast dmz-genova dev eth1 proto kernel scope link src osw-genova
broadcast broadcast-genova dev eth0 proto kernel scope link src
osw-genova
broadcast broadcast-genova dev eth1 proto kernel scope link src
osw-genova
local osw-genova dev eth0 proto kernel scope host src osw-genova
local osw-genova dev eth1 proto kernel scope host src osw-genova
broadcast 172.23.0.0 dev eth2 proto kernel scope link src 172.23.1.8
broadcast 172.23.1.255 dev eth2 proto kernel scope link src
172.23.1.8
local 172.23.1.8 dev eth2 proto kernel scope host src 172.23.1.8
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1