Annotation of embedaddon/strongswan/testing/tests/route-based/net2net-xfrmi-netns/description.txt, revision 1.1
1.1 ! misho 1: This scenario demonstrates a property of <b>XFRM interfaces</b> that allows
! 2: moving them into network namespaces while retaining access to IPsec SAs and
! 3: policies in the original namespace. This enables an IKE daemon in one namespace
! 4: to provide IPsec tunnels for processes in other namespaces without having to
! 5: give them access to the keys and IKE credentials.
! 6: <p/>
! 7: The gateways use <b>route-based forwarding</b> with <b>XFRM interfaces</b>, with
! 8: firewall rules to allow traffic to pass. The IPsec traffic selector used is
! 9: 0.0.0.0/0, however, specific routing is achieved with routes on the XFRM
! 10: interfaces. The IKE daemon does not install routes for CHILD_SAs with outbound
! 11: interface ID, so static routes are installed for the target subnets.
! 12: <p/>
! 13: The XFRM interface on gateway <b>moon</b> is moved into a new network namespace
! 14: from which a ping is sent to client <b>bob</b>. It is then moved back out and
! 15: <b>alice</b> sends another ping to <b>bob</b> to test if that works too.
! 16: <p/>
! 17: Gateway <b>sun</b> dynamically creates the XFRM interface via updown script
! 18: using the passed unique generated interface ID.
! 19: <p/>
! 20: Note that the dropped packet seen on the <b>XFRM interface</b> on <b>moon</b>
! 21: is an IPv6 Router Solicitation (NDP) sent from that namespace, which doesn't
! 22: match the IPsec policy.
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to description.txt CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / testing / tests / route-based / net2net-xfrmi-netns