[Swan] ?==?utf-8?q? No ipsec0 device with XFRMi

Wolfgang Nothdurft wolfgang at linogate.de
Thu Jul 30 06:42:57 UTC 2020

Am Donnerstag, 30. Juli 2020 07:57 CEST, schrieb Antony Antony <antony at phenome.org>: 
> On Wed, Jul 29, 2020 at 11:32:58AM +0200, Wolfgang Nothdurft wrote:
> > Am Dienstag, 28. Juli 2020 20:25 CEST, schrieb Antony Antony <antony at phenome.org>:
> > 
> > > ipsec-interface=0 would translate to
> > >
> > > ip link add ipsec0 type xfrm dev enp0s5 if_id 0
> > >
> > > when I started adding xfrmi I wasn't sure xfrm if_id 0 would work properly.
> > > if_id is a lookup key to find policy and state. I wonder if 0 would mean
> > > also a policy with no xfrmi if_id.
> > >
> > > xfrm if_id 0 was confusing to me. I decided ipsec1 to start with. May be
> > > time to review it while xfrmi is still expirimental.
> > >
> > > and also to avoid confusion from klips.
> > 
> > 
> >  I think the problem with if_id 0 could be the fwmark that is used to route the encrypted packets on the base interface.
> > 
> >  100:    from all to fwmark 0x1 lookup 50
> > 
> > With fwmark 0x0 all unmarked traffic to the destination would go through the base interface instead of the ipsec interface.
> > 
> > But ipsec-interface=0 for ipsec0 would be very useful. All our customers use ipsec0 for the first ipsec device, so the change from klips to xfrmi would either confusing for them or a technical problem that we have to solve.
> > 
> > At the moment I test patching libreswan to map if_id to device name if_id-1, which works properly. 
> are you proposing to keep name ipsec0 (the interface name), while internally 
> f_id = 0x1 and fwmark would be 0x1 (by default)?  I had one version of the 
> code which did this. UINT32_MAX meant no xfrmi inside pluto. It appeared 
> complicated and I dicthed it.  At this stage it is probably easy to go back 
> to ipsec0.  Currently ipsec-interface=X is the if_id and the mark.

Yes, at the moment I use the attached patch to lower the interface number by one, so the ipsec interfaces starts with ipsec0.

> > But the next problem is that we use the lower 24 bit fwmarks for our 
> > firewall rule set. The upper 8 bit was reserved for ipsec (saref) long 
> > time ago. So the next problem is that actual the fwmark is not 
> > configurable and I have also to patch either libreswan or overwork our 
> > complete rule set to reserve the lower bits for ipsec devices.
> > Maybe a configurable minimal fwmark could be a nice feature.
> the output mark on the ESP packet is not configurable yet. One confusion was 
> keywords for the new output mark. Note the conflict with mark-out; used by 
> VTI?. The VTI mark-out is a different XFRM attribute than the one needed to 
> work with xfrmi. May be I can have different meaning for
> mark-out when there is xfrm interface.
> or add ipsec-interface-output-mark= as the third mark? because
> XFRM has now 3 marks. AFIK mark-out was never used in VTI case.
> I don't want to break VTI usecases.

> Can you can help create a testcase with fwmark and xfrmi?  you are using 
> marks with KLIPS? so it is not really configured in ipsec.conf? I wonder how 
> that would translate one-to-one.
We don't use marks specifically for klips, but for our whole netfilter/ebtables rule set and for policy based routing.
We mark/connmark to identify special protocols, incoming interfaces, etc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: libreswan-xfrmi-ipsec0.patch
Type: text/x-patch
Size: 1436 bytes
Desc: not available
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20200730/292b7b40/attachment.bin>

More information about the Swan mailing list