| 12345678910111213141516171819202122 |
- This scenario demonstrates a property of <b>XFRM interfaces</b> that allows
- moving them into network namespaces while retaining access to IPsec SAs and
- policies in the original namespace. This enables an IKE daemon in one namespace
- to provide IPsec tunnels for processes in other namespaces without having to
- give them access to the keys and IKE credentials.
- <p/>
- The gateways use <b>route-based forwarding</b> with <b>XFRM interfaces</b>, with
- firewall rules to allow traffic to pass. The IPsec traffic selector used is
- 0.0.0.0/0, however, specific routing is achieved with routes on the XFRM
- interfaces. The IKE daemon does not install routes for CHILD_SAs with outbound
- interface ID, so static routes are installed for the target subnets.
- <p/>
- The XFRM interface on gateway <b>moon</b> is moved into a new network namespace
- from which a ping is sent to client <b>bob</b>. It is then moved back out and
- <b>alice</b> sends another ping to <b>bob</b> to test if that works too.
- <p/>
- Gateway <b>sun</b> dynamically creates the XFRM interface via updown script
- using the passed unique generated interface ID.
- <p/>
- Note that the dropped packet seen on the <b>XFRM interface</b> on <b>moon</b>
- is an IPv6 Router Solicitation (NDP) sent from that namespace, which doesn't
- match the IPsec policy.
|
