Hi,

For a particular application, I am working on configuring a Linux host to 
receive IPSec traffic in transport mode on one interface, decrypt and forward 
the traffic in the clear on another interface.

I have configured a transport mode ip xfrm policy with dir fwd and 
corresponding ip xfrm state.

However, the IPSec traffic is being dropped with XfrmInTmplMismatch counter 
incrementing. Upon adding some debug statements and recompiling the kernel, I 
found that the IPSec transport mode traffic is taking the following path -

ip_forward calls __xfrm_policy_check - Here, skb->sp is null, hence a dummy 
sec_path gets passed to xfrm_policy_ok which returns -1 because the dummy 
sec_path has length 0.

How does one go about configuring IPSec transport mode forwarding? Is this 
supposed to work? Or does IPSec decryption followed by forwarding only work in 
tunnel mode?

Thanks,
Mukesh
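A small diagnostic in the spirit of the counter observation above, added here and not part of the original mail: it diffs two snapshots of /proc/net/xfrm_stat and reports which xfrm counters moved, so that a climbing XfrmInTmplMismatch can be tied to the traffic you are sending. The two snapshots in the script are constructed sample data, not taken from the poster's host.

```shell
#!/bin/sh
# Added example, not code from the original mail. Diffs two snapshots of
# /proc/net/xfrm_stat and prints every counter whose value changed.
# The snapshots below are constructed sample data.

SNAP_BEFORE='XfrmInError                 0
XfrmInNoStates              0
XfrmInTmplMismatch          3
XfrmInNoPols                0
XfrmFwdHdrError             0'

SNAP_AFTER='XfrmInError                 0
XfrmInNoStates              0
XfrmInTmplMismatch          17
XfrmInNoPols                0
XfrmFwdHdrError             0'

# xfrm_delta BEFORE AFTER
# Prints "<counter> <increase>" for each counter that differs between the
# two snapshots; counters that did not move are omitted.
xfrm_delta() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        # Second occurrence of a name: compare with the stored first value.
        $1 in seen { d = $2 - seen[$1]; if (d != 0) print $1, d; next }
        # First occurrence: remember the value from the "before" snapshot.
        { seen[$1] = $2 }'
}

# Live use while reproducing the drop (procfs read, no root needed):
#   b=$(cat /proc/net/xfrm_stat); sleep 5; a=$(cat /proc/net/xfrm_stat)
#   xfrm_delta "$b" "$a"
xfrm_delta "$SNAP_BEFORE" "$SNAP_AFTER"
```

With the sample snapshots the only line printed is `XfrmInTmplMismatch 14`; on a real host, a counter that rises in step with the forwarded packets points at the policy/template lookup rather than at decryption itself.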
