Re: [Ipsec-tools-users] what are fwd policies for?

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900


Maximiliano Kolus wrote:
> 
>  First, to make it clear: I had RTFM and i still has this doubt. Im 
> connecting two networks (one of them is a branch office) using 
> racoon/ipsectools and i see that racoon generates "fwd" policies without 
> any user intervention nor request.
> 
>  Im trying to figure out what are those policies for. I saw someone 
> saying it was something like the FORWARD policy on iptables, but i dont 
> see how it makes sense. My current policy on the branch office is:

Maximiliano,

	You'd better ask in linux kernel mailing list WHY linux kernel things 
are done the way they are. Ipsec-tools just tries to use facilites which 
kernel provides. When these facilities mandate something special we try 
our best to map standard to these special requirements.

> 
> spdadd 172.16.10.0/24  172.16.0.0/27  any -P out ipsec esp/tunnel/201.254.100.xxx- 
> 200.51.44.xxx/require;
> spdadd 172.16.0.0/27 172.16.10.0/24 any -P in ipsec esp/tunnel/200.51.44.xxx- 
> 201.254.100.xxx/require;
> 
> It's my understanding that, for example, the first policy says
> "packets from the 172.16.0.0/24 network to the 172.16.0.0/27 network
> are required to go out encrypted using ESP blah blah, yada yada".
> This policy would cover a packet from 172.16.10.92 to 192.168.1.1 .
> So, why would i need a fwd policy? The policy
> should cover both networks, not host->network.
> 
> PS: I've read the "RFC vs Linux kernel semantics"... i understand what 
> it says... but then what is the "in" policy for on linux kernels?
> 

	If you think that these fwd policies are not necessary, go ahead and 
delete them. But, if you use modern kernel, you'll find out, that the 
trafic from 172.16.10.92 to 192.168.1.1 will stop flowing.

	It was long time since I looked to this matter in depth, so may make 
mistakes, but if my memory doesn't fail me, then
	- if there is the in policy for some packet, then that packet must be 
ipsec-processed the way policy requires; otherwise packet will be droped;
	- if packet passed in policy, but has to be forwarded by this host, 
then kernel consults fwd policy; if there is no matching fwd policy, 
packet is droped.

	My advice is give only rfc policies to ipsec-tools, and ignore fwd 
policies when you see them in policy dumps.

	Please note that fwd policies and FORWARD iptables table are two 
completely separate things. Yes, both can be used to limit and/or change 
traffic, both are taken into account, but they are in no way directly 
related (if you change one, other does not change automatically).


-- 
Aidas Kasparas
IT administrator
GM Consult Group, UAB