Romain KUNTZ | 19 Dec 2011 14:51

Re: IPsec question

Hi,

If you know the prefix used in the network to which the MR connects, you could add an XFRM ACCEPT
policy for the incoming packets whose source address uses that prefix.

Cheers,
Romain

On Dec 19, 2011, at 14:36, Panagiotis Georgopoulos wrote:

> Hi all,
>  
> Just a gentle ping… Any ideas, anyone?
>  
> Cheers,
> Panos
>  
>  
> From: support-bounces@... [mailto:support-bounces <at> jules.nautilus6.org] On Behalf Of Panagiotis Georgopoulos
> Sent: 14 December 2011 00:39
> To: support@...
> Subject: [support] IPsec question
>  
> Hello all,
>  
> I've got a somewhat weird question regarding IPsec. Let's suppose that I want a MR to send a BU
> IPsec'ed when it has a direct connection to the Internet, and send it unencrypted (without IPsec) when
> it is behind another MR.
>  
> How can I successfully receive these two BU instances at its HA, given the way xfrm works on
> Linux? If I am right, if I install the security associations on the HA and prepare it for a BU in transport
> mode and it receives an unencrypted one, the kernel will swallow the packet and not even pass it along to
> the umip code in user space.
>  
> In the MR case I could at least handle the SAD and SPD before the BU is sent, but in the HA case I cannot do that.
> How could the HA accept both an unencrypted and an encrypted BU from a specific MR? Any ideas?
>  
> Thanks,
> Panos
> _______________________________________________
> Support mailing list
> Support@...
> http://ml.nautilus6.org/mailman/listinfo/support
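The XFRM ACCEPT policy Romain suggests, written out as an added example (this is not code from the thread and not umip's own configuration). It emits, and with APPLY=1 installs as root, an inbound `ip xfrm policy ... action allow` entry on the HA for Mobility Header packets from the MR's prefix. The prefix, HA address and priority value are placeholders I assumed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): emit, and optionally apply, an inbound XFRM
# "allow" policy on the HA so Mobility Header packets from the MR's known prefix
# pass the SPD check whether or not they arrived under ESP transport mode.
# Assumed values (placeholders, not from the thread): the MR's prefix, the HA
# address and a priority; override them via environment variables.
MR_PREFIX="${MR_PREFIX:-2001:db8:1::/64}"   # prefix of the network the MR connects from
HA_ADDR="${HA_ADDR:-2001:db8::1/128}"       # the HA's own address (BU destination)
PRIO="${PRIO:-100}"                         # XFRM: numerically lower priority wins

# Build the iproute2 command. Protocol 135 is the Mobility Header (RFC 6275);
# iproute2 also accepts the name "mobility-header" where /etc/protocols defines it.
# "action allow" with no template lets a matching packet in without IPsec; a
# packet that did arrive under transport-mode ESP is decapsulated by its SA first
# and then matches the same policy, so both BU variants reach umip.
xfrm_allow_cmd() {
    prefix="$1"; ha="$2"; prio="$3"
    printf 'ip xfrm policy add src %s dst %s proto 135 dir in priority %s action allow\n' \
        "$prefix" "$ha" "$prio"
}

# Matching delete command, for undoing the change.
xfrm_allow_undo_cmd() {
    prefix="$1"; ha="$2"
    printf 'ip xfrm policy delete src %s dst %s proto 135 dir in\n' "$prefix" "$ha"
}

# Dry run by default (just print the commands); APPLY=1 runs them as root.
if [ "${APPLY:-0}" = "1" ]; then
    xfrm_allow_cmd "$MR_PREFIX" "$HA_ADDR" "$PRIO" | sh -e
    # Verify: the new entry should now appear next to umip's ESP policy.
    ip xfrm policy show dir in
else
    echo "# dry run; set APPLY=1 to install:"
    xfrm_allow_cmd "$MR_PREFIX" "$HA_ADDR" "$PRIO"
    echo "# to remove later:"
    xfrm_allow_undo_cmd "$MR_PREFIX" "$HA_ADDR"
fi
```

Two things to check before relying on it: XFRM picks the policy with the numerically lowest priority, so look at `ip xfrm policy show` for the priority of the ESP policy umip installed for the BU selector and choose a lower number for the allow entry; and the thread only discusses the inbound direction, so the HA's outbound policy for the BA is not touched here. The allow entry means a BU from that prefix is accepted by the kernel without IPsec protection, which is exactly the trade-off being asked for; the selector can be narrowed further with the Mobility Header `type` field if only BUs should be exempted.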

