I am trying to set up IPsec NAT-T by hand (static SAs and policies installed with `ip xfrm`, no IKE daemon). The topology is as follows:
----------------------------------------------(Pub net)
| +-|---------------------+
| |eth0 192.168.100.123/24| (iptables -A POSTROUTING -s
| | R2 | 10.10.0.0/16 -j SNAT
+-|-------------------+ |br0 10.10.0.254/16| --to-source 192.168.100.123)
|eth0 192.168.100.2/24|--IPSec +-|---------------------+
| R1 | SA---| | (default via 10.10.0.254)
|br0 172.16.10.254/24| | +-|---------------------+
+-|-------------------+ |---|e1 10.10.0.1/16 (vm1)|
(net 172.16.10.0/24)===IPSec Tun==+-----------------------+
# R1 and R2 each have a public IP in 192.168.100.0/24
# R1 fronts net 172.16.10.0/24; R2 fronts net 10.10.0.0/16 and SNATs it to 192.168.100.123
# vm1 sits behind R2 with IP 10.10.0.1/16 and is the actual IPsec peer of R1
# vm1 reaches net 172.16.10.0/24 through the tunnel, using NAT-T (ESP-in-UDP) because it is behind R2's SNAT
I use a script to send keepalives so R2's SNAT mapping does not expire. Note that R1's SAs hard-code the NAT-assigned port 18984 (the `encap ... sport 18984` / `dport 18984` lines below); the conntrack entry here has 26 s left, and if it times out and R2 allocates a different port the static SAs silently stop matching, so the keepalive must fire well inside that UDP timeout. This is the conntrack entry:
root@i-q6fcsdt9:~# conntrack -L | grep udp | grep 10.10.0.1
conntrack v1.4.6 (conntrack-tools): 3 flow entries have been shown.
udp 17 26 src=10.10.0.1 dst=192.168.100.2 sport=4500 dport=4500 src=192.168.100.2 dst=192.168.100.123 sport=4500 dport=18984 mark=0 use=1
xfrm state and policy on R1. Two things to be aware of in this output: every SA has `replay-window 0`, which turns anti-replay protection off, and the auth/enc keys are pasted verbatim, so they must be treated as compromised and rotated (static SAs never rekey by themselves):
[root@i-pi6sxtgz ~]# ip x s
src 192.168.100.123 dst 192.168.100.2
proto esp spi 0x529561e0 reqid 40820 mode tunnel
replay-window 0 flag af-unspec
auth-trunc hmac(sha256) 0x9ae03071952c554f39767a1b958eeb53 96
enc cbc(aes) 0xc3c404f5719867fc70d4034dbdec24bf
encap type espinudp sport 18984 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 192.168.100.2 dst 192.168.100.123
proto esp spi 0x8f0e56d9 reqid 39005 mode tunnel
replay-window 0 flag af-unspec
auth-trunc hmac(sha256) 0x9da46b46ed7c637863662adf2aa5bafc 96
enc cbc(aes) 0x64f7f3366bb6d38c268dae7aef579e9b
encap type espinudp sport 4500 dport 18984 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
[root@i-pi6sxtgz ~]# ip x p
src 10.10.0.0/16 dst 172.16.10.0/24
dir fwd priority 0 ptype main
tmpl src 192.168.100.123 dst 192.168.100.2
proto esp reqid 40820 mode tunnel
src 10.10.0.0/16 dst 172.16.10.0/24
dir in priority 0 ptype main
tmpl src 192.168.100.123 dst 192.168.100.2
proto esp reqid 40820 mode tunnel
src 172.16.10.0/24 dst 10.10.0.0/16
dir out priority 0 ptype main
tmpl src 192.168.100.2 dst 192.168.100.123
proto esp reqid 39005 mode tunnel
xfrm state and policy on vm1 (same SPIs and keys as on R1, with vm1's private address 10.10.0.1 as the local endpoint; `auth-trunc hmac(sha256) ... 96` truncates the ICV to 96 bits, which works between two Linux hosts but RFC 4868 specifies 128 bits for HMAC-SHA-256, so it would not interoperate with a standards-strict peer):
root@i-q6fcsdt9:~# ip x s
src 192.168.100.2 dst 10.10.0.1
proto esp spi 0x8f0e56d9 reqid 39005 mode tunnel
replay-window 0 flag af-unspec
auth-trunc hmac(sha256) 0x9da46b46ed7c637863662adf2aa5bafc 96
enc cbc(aes) 0x64f7f3366bb6d38c268dae7aef579e9b
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 10.10.0.1 dst 192.168.100.2
proto esp spi 0x529561e0 reqid 40820 mode tunnel
replay-window 0 flag af-unspec
auth-trunc hmac(sha256) 0x9ae03071952c554f39767a1b958eeb53 96
enc cbc(aes) 0xc3c404f5719867fc70d4034dbdec24bf
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
root@i-q6fcsdt9:~# ip x p
src 172.16.10.0/24 dst 10.10.0.0/16
dir fwd priority 0
tmpl src 192.168.100.2 dst 10.10.0.1
proto esp reqid 39005 mode tunnel
src 172.16.10.0/24 dst 10.10.0.0/16
dir in priority 0
tmpl src 192.168.100.2 dst 10.10.0.1
proto esp reqid 39005 mode tunnel
src 10.10.0.0/16 dst 172.16.10.0/24
dir out priority 0
tmpl src 10.10.0.1 dst 192.168.100.2
proto esp reqid 40820 mode tunnel
Now I ping 172.16.10.1 from vm1. `ip xfrm monitor` on vm1 shows the outbound SA (SPI 0x529561e0) being used — its replay counter is updated:
root@i-q6fcsdt9:~# ip x monitor
Async event (0x10) replay update
src 10.10.0.1 dst 192.168.100.2 reqid 0x9f74 protocol esp SPI 0x529561e0
On R1 I can capture the ESP-in-UDP packets arriving from 192.168.100.123:18984 on port 4500 (seq=0x85, so many packets have already been sent), but `ip xfrm monitor` on R1 prints nothing and the inbound SA's anti-replay context above stays at seq 0x0 — the packets are not being decapsulated:
tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
16:40:06.078445 52:54:96:c6:c0:9f > 52:54:96:47:db:c1, ethertype IPv4 (0x0800), length 174: (tos 0x0, ttl 63, id 18250, offset 0, flags [DF], proto UDP (17), length 160)
192.168.100.123.18984 > 192.168.100.2.4500: UDP-encap: ESP(spi=0x529561e0,seq=0x85), length 132
[root@i-pi6sxtgz ~]# ip x monitor
^C
[root@i-pi6sxtgz ~]#
What happens to an ESP-in-UDP packet when it reaches R1? I suspect my keepalive script is the problem: it binds UDP 0.0.0.0:4500 on R1 (see below). As far as I understand, Linux only hands UDP-encapsulated ESP to xfrm when the UDP socket that owns the destination port has the UDP_ENCAP socket option set to UDP_ENCAP_ESPINUDP (this is what an IKE daemon does on its port-4500 socket); a plain socket without that option simply receives the ESP packets as ordinary UDP payload and the kernel never decapsulates them, which matches what I see. Is that right, and is the fix to set that option on the script's socket (setsockopt at level IPPROTO_UDP, option UDP_ENCAP = 100, value UDP_ENCAP_ESPINUDP = 2) or to stop the script from owning port 4500 at all?
[root@i-pi6sxtgz ~]# ss -anpu | grep 4500
UNCONN 213760 0 0.0.0.0:4500 0.0.0.0:* users:(("python3",pid=39241,fd=3))