Re: IPsec question

Hi Romain,

	I tried this some time ago and it wasn't working for some reason that I can't
remember. I 'll try again and report back...

	Thanks,
	Panos

> -----Original Message-----
> From: Romain KUNTZ [mailto:kuntz@...]
> Sent: 19 December 2011 15:16
> To: Panagiotis Georgopoulos
> Cc: support@...
> Subject: Re: [support] IPsec question
> 
> Hi Georges,
> 
> Have you tried adding an accept policy with a lower priority? I don't remember if
> XFRM would let the packet go in that case or if it drops it whenever a single policy
> does not match.
> 
> romain
> 
> On Dec 19, 2011, at 15:06, Panagiotis Georgopoulos wrote:
> 
> > Hi Romain,
> >
> > 	Thanks for your email and suggestion!
> >
> > 	Indeed I can add such a policy manually, which for a testbed setup will work
> fine!
> > However, I was thinking of a more generic solution as the current
> > suggestion goes against the nature of roaming as I would have to know
> > in advance the prefix of the Access Networks a MR could potentially connect to...
> >
> > 	I am just thinking if there is a way to "bypass" xfrm or at least
> > force it to pass the packet to the umip code even though the packet
> > might not adhere to a certain installed IPsec policy.
> >
> > 	I understand why xfrm's role is as such on linux, but at the same
> > time is a bit restrictive.
> >
> > 	Thanks again,
> > 	Panos
> >
> >
> >> -----Original Message-----
> >> From: Romain KUNTZ [mailto:kuntz@...]
> >> Sent: 19 December 2011 13:52
> >> To: Panagiotis Georgopoulos
> >> Cc: support@...
> >> Subject: Re: [support] IPsec question
> >>
> >> Hi,
> >>
> >> If you know the prefix that is used in the network in which the MR
> >> connects to, you could add an XFRM ACCEPT policy for the incoming
> >> packets which source address uses such prefix.
> >>
> >> Cheers,
> >> Romain
> >>
> >> On Dec 19, 2011, at 14:36, Panagiotis Georgopoulos wrote:
> >>
> >>> Hi all,
> >>>
> >>>                Just a gentle ping. Any ideas, anyone?
> >>>
> >>>                Cheers,
> >>>                Panos
> >>>
> >>>
> >>> From: support-bounces@... [mailto:support-
> >> bounces@...] On Behalf Of Panagiotis Georgopoulos
> >>> Sent: 14 December 2011 00:39
> >>> To: support@...
> >>> Subject: [support] IPsec question
> >>>
> >>> Hello all,
> >>>
> >>>               I 've got a somewhat weird question regarding IPsec.
> >>> Let's suppose
> >> that I want a MR to send a BU ipsec'ed when it has a direct
> >> connection to the Internet, and send it unencrypted (without IPsec) when it is
> behind another MR.
> >>>
> >>> How can I achieve to receive successfully these two BU instances at
> >>> its HA, given
> >> the way xfrm works on linux? If I am right, if I install the security
> >> associations on the HA and prepare it for a BU in transport mode and
> >> it receives an unencrypted, the kernel will swallow the packet and
> >> don't even pass it along to the umip code in user space.
> >>>
> >>> In the MR case I could at least handle the SAD and SPD before the BU
> >>> is sent, but
> >> in the HA case I cannot do that. How could the HA be able to accept
> >> both an unencrypted and encrypted BU from a specific MR ? Any ideas?
> >>>
> >>> Thanks,
> >>> Panos
> >>> _______________________________________________
> >>> Support mailing list
> >>> Support@...
> >>> http://ml.nautilus6.org/mailman/listinfo/support
> >>
> >>
> >
> >
> >
> 
>