1
By default, once we have brought up an IPsec tunnel with strongSwan, the policies it installs look like this:
[root@D129 OUTPUT]# ip xfrm policy
src 10.129.0.0/16 dst 10.9.0.0/16
	dir out priority 383615 ptype main
	tmpl src 192.168.8.129 dst 192.168.8.9
		proto esp spi 0x5623adc0 reqid 1 mode tunnel
src 10.9.0.0/16 dst 10.129.0.0/16
	dir fwd priority 383615 ptype main
	tmpl src 192.168.8.9 dst 192.168.8.129
		proto esp reqid 1 mode tunnel
src 10.9.0.0/16 dst 10.129.0.0/16
	dir in priority 383615 ptype main
	tmpl src 192.168.8.9 dst 192.168.8.129
		proto esp reqid 1 mode tunnel
From this output we can conclude:
1. There are three policies in total: one of type IN, one of type OUT and one of type FWD.
2. The IN and FWD policies have the same source/destination selector pair and the same template source/destination pair; the OUT policy has both pairs reversed.
2
However, what there is to know does not end here. Next, let's read the strongSwan code (the same code runs on both ends of the tunnel):
https://github.com/strongswan/strongswan/blob/5.7.2/src/libcharon/sa/child_sa.c
static status_t install_policies_inbound(private_child_sa_t *this,
	host_t *my_addr, host_t *other_addr, traffic_selector_t *my_ts,
	...
	...
	if (this->mode != MODE_TRANSPORT)
	{
		in_id.dir = POLICY_FWD;
		status |= charon->kernel->add_policy(charon->kernel, &in_id,
											 &in_policy);
	}
	return status;
}
...
...
static status_t install_policies_outbound(private_child_sa_t *this,
	host_t *my_addr, host_t *other_addr, traffic_selector_t *my_ts,
	...
	...
		out_id.dir = POLICY_FWD;
		other_sa->reqid = 0;
		if (priority == POLICY_PRIORITY_DEFAULT)
		{
			out_policy.prio = POLICY_PRIORITY_ROUTED;
		}
		status |= charon->kernel->add_policy(charon->kernel, &out_id,
											 &out_policy);
		/* reset the reqid for any other further policies */
		other_sa->reqid = this->reqid;
	}
	return status;
}
From the code above we can see that both the IN and the OUT direction have a FWD policy of their own, and whether each one is installed is decided by the parameters the SA was configured with:
child_sa_t *child_sa_create(host_t *me, host_t *other,
	child_cfg_t *config, uint32_t reqid, bool encap,
	...
	...
	.policies_fwd_out = config->has_option(config, OPT_FWD_OUT_POLICIES),
	...
	...
}
3
This option is documented in the swanctl.conf man page:
connections.<conn>.children.<child>.policies_fwd_out [no]
	Whether to install outbound FWD IPsec policies or not. Enabling this
	is required in case there is a drop policy that would match and block
	forwarded traffic for this CHILD_SA.
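As an added example (it is not from the page or from the strongSwan documentation), here is a minimal swanctl.conf that enables the option for the tunnel shown in section 1. The connection and child names, the PSK authentication and the placeholder secret are assumptions; the addresses and traffic selectors are the ones that appear in the `ip xfrm policy` output above:

```conf
connections {
    d129-d9 {
        local_addrs  = 192.168.8.129
        remote_addrs = 192.168.8.9
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            net {
                local_ts  = 10.129.0.0/16
                remote_ts = 10.9.0.0/16
                # default is "no": only the FWD policy that mirrors IN is installed
                policies_fwd_out = yes
                start_action = start
            }
        }
    }
}
secrets {
    ike-d9 {
        # placeholder, replace with the real pre-shared key
        secret = "PLACEHOLDER-PSK"
    }
}
```

After `swanctl --load-all`, `ip xfrm policy` should list two FWD policies for the child instead of one.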
There is also a comment in the source that helps to understand it:
/* install an "outbound" FWD policy in case there is a drop policy
 * matching outbound forwarded traffic, to allow another tunnel to use
 * the reversed subnets and do the same we don't set a reqid (this also
 * allows the kernel backend to distinguish between the two types of
 * FWD policies). To avoid problems with symmetrically overlapping
 * policies of two SAs we install them with reduced priority. As they
 * basically act as bypass policies for drop policies we use a higher
 * priority than is used for them. */
4
In other words, once the option from section 3 is enabled, strongSwan no longer installs the three policies from section 1 for each SA,
but four: one IN, one OUT and two FWD, where one FWD policy matches the parameters of IN and the other matches those of OUT.
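The observations in sections 1 and 4 can be checked mechanically against `ip xfrm policy` output. The Python script below is an added example written for this page, not strongSwan code and not output from the host above: it parses policy listings into records, verifies that one CHILD_SA produces either the three-policy layout (IN, OUT, FWD) or, with `policies_fwd_out = yes`, the four-policy layout in which the extra FWD policy mirrors OUT with reqid 0 and a reduced priority, and then simulates the FWD lookup for a forwarded packet to show why that extra policy matters once a drop policy exists. The sample listings are constructed from the addresses on this page; the priority values 583615 and 600000, the drop policy itself and the names `parse_policies`, `check_layout`, `lookup` and `fwd_decision` are assumptions, and ties between equal priorities are not modelled.

```python
"""Parse `ip xfrm policy` output and check the IN/OUT/FWD layout described on
this page. Added example, not strongSwan code. Samples are constructed from the
page's addresses; the priorities of the outbound FWD policy and of the drop
policy are assumptions (only their order matters: smaller number wins)."""
import ipaddress
import re

# One policy as printed by `ip xfrm policy`: a selector line, a dir/priority
# line and, for IPsec policies, a template plus its proto/reqid/mode line.
# Block policies print "action block" and have no template. Indentation is ignored.
_RECORD = re.compile(
    r"^src (?P<src>\S+) dst (?P<dst>\S+)\s+"
    r"dir (?P<dir>\w+)(?: action (?P<action>\w+))? priority (?P<prio>\d+) "
    r"ptype (?P<ptype>\w+)\s*(?:tmpl src (?P<tsrc>\S+) dst (?P<tdst>\S+)\s+"
    r"proto (?P<proto>\w+)(?: spi (?P<spi>0x[0-9a-fA-F]+))? "
    r"reqid (?P<reqid>\d+) mode (?P<mode>\w+))?", re.MULTILINE)

# Constructed sample: the default three-policy layout from section 1.
DEFAULT_LAYOUT = """\
src 10.129.0.0/16 dst 10.9.0.0/16
    dir out priority 383615 ptype main
    tmpl src 192.168.8.129 dst 192.168.8.9
        proto esp spi 0x5623adc0 reqid 1 mode tunnel
src 10.9.0.0/16 dst 10.129.0.0/16
    dir fwd priority 383615 ptype main
    tmpl src 192.168.8.9 dst 192.168.8.129
        proto esp reqid 1 mode tunnel
src 10.9.0.0/16 dst 10.129.0.0/16
    dir in priority 383615 ptype main
    tmpl src 192.168.8.9 dst 192.168.8.129
        proto esp reqid 1 mode tunnel
"""
# Constructed sample: with policies_fwd_out = yes a fourth policy appears, a FWD
# policy mirroring OUT, with reqid 0 and a reduced priority (value assumed).
FWD_OUT_LAYOUT = DEFAULT_LAYOUT + """\
src 10.129.0.0/16 dst 10.9.0.0/16
    dir fwd priority 583615 ptype main
    tmpl src 192.168.8.129 dst 192.168.8.9
        proto esp reqid 0 mode tunnel
"""
# Constructed sample: a drop policy matching forwarded traffic (priority assumed).
DROP_POLICY = """\
src 10.129.0.0/16 dst 10.9.0.0/16
    dir fwd action block priority 600000 ptype main
"""

def parse_policies(text):
    """Return one dict per policy, with prio and reqid converted to int."""
    policies = []
    for m in _RECORD.finditer(text):
        p = m.groupdict()
        p["prio"] = int(p["prio"])
        p["reqid"] = None if p["reqid"] is None else int(p["reqid"])
        policies.append(p)
    return policies

def check_layout(policies):
    """Verify the page's observations for the policies of one CHILD_SA.
    Returns {"counts": {dir: n}, "fwd_in": policy, "fwd_out": policy or None};
    raises ValueError when the layout is neither the 3- nor the 4-policy shape."""
    by_dir = {}
    for p in policies:
        if p["tsrc"] is not None:  # IPsec policies only; drop policies are skipped
            by_dir.setdefault(p["dir"], []).append(p)
    if len(by_dir.get("in", [])) != 1 or len(by_dir.get("out", [])) != 1:
        raise ValueError("expected exactly one IN and one OUT policy")
    inb, out = by_dir["in"][0], by_dir["out"][0]
    key = lambda p: (p["src"], p["dst"], p["tsrc"], p["tdst"])
    # Observation 2: OUT is the mirror image of IN, selector and template alike.
    if key(out) != (inb["dst"], inb["src"], inb["tdst"], inb["tsrc"]):
        raise ValueError("OUT policy is not the reverse of the IN policy")
    fwd_in = [f for f in by_dir.get("fwd", []) if key(f) == key(inb)]
    fwd_out = [f for f in by_dir.get("fwd", []) if key(f) == key(out)]
    if len(fwd_in) != 1 or len(fwd_out) > 1:
        raise ValueError("unexpected FWD policies")
    # child_sa.c: the outbound FWD policy carries reqid 0 and a reduced priority
    # (larger number), so it cannot shadow the regular FWD policy of another SA.
    if fwd_out and (fwd_out[0]["reqid"] != 0 or fwd_out[0]["prio"] <= fwd_in[0]["prio"]):
        raise ValueError("outbound FWD policy has unexpected reqid or priority")
    return {"counts": {d: len(v) for d, v in by_dir.items()},
            "fwd_in": fwd_in[0], "fwd_out": fwd_out[0] if fwd_out else None}

def lookup(policies, direction, src_ip, dst_ip):
    """Policy applied to a packet: matching selectors in the given direction,
    lowest priority number wins (equal priorities are not modelled)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [p for p in policies if p["dir"] == direction
            and s in ipaddress.ip_network(p["src"], strict=False)
            and d in ipaddress.ip_network(p["dst"], strict=False)]
    return min(hits, key=lambda p: p["prio"], default=None)

def fwd_decision(text, src_ip, dst_ip):
    """'ipsec', 'block' or 'none' for a forwarded packet src_ip -> dst_ip."""
    best = lookup(parse_policies(text), "fwd", src_ip, dst_ip)
    return "none" if best is None else ("block" if best["action"] == "block" else "ipsec")

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_LAYOUT), ("policies_fwd_out=yes", FWD_OUT_LAYOUT)):
        print(name, check_layout(parse_policies(text))["counts"],
              "fwd 10.129.1.1->10.9.1.1 with drop policy:",
              fwd_decision(text + DROP_POLICY, "10.129.1.1", "10.9.1.1"))
```

With the default layout, a forwarded packet from 10.129.0.0/16 to 10.9.0.0/16 matches only the drop policy, because the single FWD policy covers the reverse subnets; with the fourth policy installed it is the outbound FWD policy that wins, which is exactly the bypass the source comment describes. To run it against a live host, replace the constructed samples with the output of `ip xfrm policy`.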