IPSec + NAT interaction in Linux 2.6

From: Ranjeet Shetye (ranjeet.shetye2@zultys.com)
Date: Fri Aug 08 2003 - 20:05:55 EST


I was wondering if anyone has tested the IPSec functionality in
conjunction with NAT for the Linux 2.6 kernel? with/without VLAN thrown

Over the weekend I will need to do a lot of kernel code reading because
I need to understand the interaction between the NetFilter (NAT) code
and the IPSec code, how they tie in, how to play with this interaction
to ensure that it will not break under any circumstances, even when
deployed with VLANs under various field conditions.

Over the last couple of days, I googled for documents that would explain
NAT IPSec interaction, and read up on stuff from the Documentation
directory. I also did a preliminary review of the code. My background is
that I am comfortable with IPSec/IKE, and reasonably familiar with Linux
networking code.

Here's what I understand. Feel free to correct/berate/curse.

1. Using RFC and BSD terminology, security policies (SP) are stored in
the kernel using setkey, and security associations (SA) are then
negotiated using IKE (racoon), based on the SP "guidelines" that are
programmed into the kernel.

2. xfrm4_policy_check() seems to be the main IPSec policy check function
for IPv4 packets. It calls the generic xfrm_policy_check() which then
does a match using xfrm_selector_match() and does lookups using
"xfrm_sk_policy_lookup()" and "xfrm_policy_lookup()" as necessary, to
finally retrieve a policy, if one exists.

3. xfrm4_policy_check() itself is called from many places like ip_rcv(),
udp_rcv(), tcp_v4_rcv(), and ip_local_deliver().

4. When a packet is received, ip_rcv() calls the NF_HOOK (PF_INET,
NF_IP_PRE_ROUTING, ip_rcv_finish()...).

5. ip_rcv_finish() then calls ip_route_input(), and dst_input() for
forwarded packets. dst_input() calls skb->dst->input() which is set to

6. ip_forward() is the first place where xfrm4_policy_check() takes
place for a packet being forwarded.

7. Thus NAT [step 4] takes place before IPSec policies are invoked [step
6]. Is this correct?

I am trying to understand if NAT takes place before or after IPSec.
Ideally, for IPSec + NAT to work smoothly, the IPSec sub-system should
be between the NAT sub-system and the Internet. Any explanations here
would be greatly appreciated.



Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
Ranjeet dot Shetye2 at Zultys dot com

The views, opinions, and judgements expressed in this message are solely
those of the author. The message contents have not been reviewed or
approved by Zultys.

To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
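The ordering the post lays out in steps 4 to 7 (PRE_ROUTING DNAT in ip_rcv(), routing in ip_rcv_finish(), then xfrm4_policy_check() in ip_forward()) has one practical consequence for anyone writing setkey policies: the forward-direction SPD selector is matched against the packet as it looks after DNAT, not as it arrived on the wire. The following Python model, added here as an illustration and not taken from the post or from the kernel, replays that sequence on a constructed packet. Packet, Selector, Policy, pre_routing_dnat(), policy_lookup() and xfrm_policy_check() are simplified stand-ins for the kernel structures and functions the post names; the addresses, NAT rule and policies are made up. The `protected` flag stands in for the kernel's secpath (whether the packet arrived inside an SA).

```python
"""
Toy model of the receive/forward path ordering described in the post:
  NF_IP_PRE_ROUTING (DNAT) -> ip_route_input() -> ip_forward() -> xfrm4_policy_check()
Constructed illustration code, not kernel code.  All values are made up.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    protected: bool = False   # stand-in for secpath: arrived inside an ESP/AH SA

@dataclass(frozen=True)
class Selector:
    # Mirrors the parts of struct xfrm_selector used here (0 / "any" = wildcard)
    src: str
    dst: str
    proto: str = "any"
    sport: int = 0
    dport: int = 0

@dataclass(frozen=True)
class Policy:
    selector: Selector
    direction: str   # "in", "out" or "fwd", as in setkey's spdadd -P
    action: str      # "ipsec", "discard" or "none"

def selector_match(sel: Selector, pkt: Packet) -> bool:
    """Rough analogue of xfrm_selector_match(): prefix, protocol and port match."""
    if ip_address(pkt.src) not in ip_network(sel.src):
        return False
    if ip_address(pkt.dst) not in ip_network(sel.dst):
        return False
    if sel.proto != "any" and sel.proto != pkt.proto:
        return False
    if sel.sport and sel.sport != pkt.sport:
        return False
    if sel.dport and sel.dport != pkt.dport:
        return False
    return True

def policy_lookup(spd: List[Policy], direction: str, pkt: Packet) -> Optional[Policy]:
    """First-match SPD lookup for one direction (xfrm_policy_lookup() analogue)."""
    for pol in spd:
        if pol.direction == direction and selector_match(pol.selector, pkt):
            return pol
    return None

def pre_routing_dnat(dnat_rules: List[Tuple[str, str]], pkt: Packet) -> Packet:
    """NF_IP_PRE_ROUTING hook: rewrite the destination if a DNAT rule matches."""
    for match_dst, new_dst in dnat_rules:
        if pkt.dst == match_dst:
            return replace(pkt, dst=new_dst)
    return pkt

def xfrm_policy_check(pol: Optional[Policy], pkt: Packet) -> str:
    """Verdict of the policy check: a policy requiring IPsec drops cleartext."""
    if pol is None:
        return "accept"            # no matching policy: packet passes
    if pol.action == "discard":
        return "drop"
    if pol.action == "ipsec":
        return "accept" if pkt.protected else "drop"
    return "accept"                # action "none"

def forward_path(pkt: Packet, dnat_rules, spd) -> Tuple[str, Packet, Optional[Policy]]:
    """Steps 4-6 of the post: DNAT first, then the forward-direction policy check."""
    after_nat = pre_routing_dnat(dnat_rules, pkt)      # step 4: PRE_ROUTING NAT
    pol = policy_lookup(spd, "fwd", after_nat)         # step 6: xfrm4_policy_check()
    return xfrm_policy_check(pol, after_nat), after_nat, pol

# Constructed scenario: public address 203.0.113.10 is DNAT'ed to 192.168.1.10.
DNAT_RULES = [("203.0.113.10", "192.168.1.10")]
# SPD written against the post-NAT (internal) destination: matches.
SPD_INTERNAL = [Policy(Selector("0.0.0.0/0", "192.168.1.0/24"), "fwd", "ipsec")]
# SPD written against the pre-NAT (public) destination: never matches in fwd.
SPD_PUBLIC = [Policy(Selector("0.0.0.0/0", "203.0.113.10/32"), "fwd", "ipsec")]
WIRE_PACKET = Packet("198.51.100.7", "203.0.113.10", "tcp", 40000, 22, protected=True)

def run_scenarios() -> dict:
    """Return the verdicts for the three cases the ordering makes interesting."""
    v_ok, after, _ = forward_path(WIRE_PACKET, DNAT_RULES, SPD_INTERNAL)
    v_clear, _, _ = forward_path(replace(WIRE_PACKET, protected=False), DNAT_RULES, SPD_INTERNAL)
    v_pub, _, pol_pub = forward_path(WIRE_PACKET, DNAT_RULES, SPD_PUBLIC)
    return {"dst_seen_by_spd": after.dst, "internal_selector": v_ok,
            "cleartext_to_ipsec_host": v_clear, "public_selector": v_pub,
            "public_selector_matched": pol_pub is not None}

if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k}: {v}")
```

The third scenario is the one to watch for: a forward policy keyed on the public address is silently never consulted, so the check falls through to "no policy" and a cleartext packet is forwarded rather than dropped. Checking `setkey -DP` against the addresses netfilter produces, not the ones on the wire, is the quick sanity test.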