Hi Martin,

Yes, the IP packets sent out the raw socket have the correct source and 
destination addresses.  Without any other firewall rules, the packets are being 
transmitted out the Ethernet interface as plain IP (non-ESP) packets, and I can 
see them using wireshark.

I am generating the packets with SOCK_RAW, and I have set up the raw socket 
using the following syntax:

int fd = socket(PF_INET, SOCK_RAW, IPPROTO_RAW);

Yes, when I tried sending a packet over a UDP socket, it was encapsulated as an 
ESP packet and transmitted, as expected.

Hmm, this was my fear: that the Linux kernel simply does not route locally 
generated RAW packets through XFRM.  Is there any other way to make a 
locally-generated IP packet go through XFRM?

Thanks,
Clifton

-----Original Message-----
From: Martin Willi [mailto:[email protected]] 
Sent: Tuesday, June 21, 2011 10:26 AM
To: Lin, Clifton (US SSA)
Cc: [email protected]
Subject: Re: [strongSwan] Problem sending a packet out a raw socket over IPsec


> Status of IKEv2 charon daemon (strongSwan 4.5.2dr2):

Might be a good idea to update to 4.5.2, the developer releases are not
tested very well.

> I am trying to send an arbitrary IP packet out a raw socket destined
> for the other host, and I would like for this IP packet to traverse the
> IPsec connection.

Do the IP packets (on the wire) use the correct source and destination
addresses (10.41.42.210 === 10.41.42.215)?

I'm not sure if the Linux kernel routes locally generated RAW packets
through the XFRM subsystem. How do you generate them (SOCK_RAW or
AF_PACKET)? Does a packet generated with a UDP socket behave as
expected?

Regards
Martin

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
