Subject: Re: XFRM programming with VRF enslaved interfaces
To: David Ahern, Rob Dover, "netdev@vger.kernel.org"
From: Ben Greear
Organization: Candela Technologies
Date: Tue, 25 May 2021 07:41:19 -0700

On 4/15/21 12:37 PM, David Ahern wrote:
> [ cc Ben ]
>
> On 4/15/21 9:51 AM, Rob Dover wrote:
>> Hi there,
>>
>> I'm working on an application that's programming IPSec connections via XFRM on VRFs. I'm seeing some strange behaviour in cases where there is an enslaved interface on the VRF - was wondering if anyone has seen something like this before or perhaps knows how this is supposed to work?
>
> Ben was / is looking at ipsec and VRF. Maybe he has some thoughts.

My thought is that openvpn is nearly impossible to use in interesting ways
by itself, and when added to vrf, it is too complicated for me to deal with.

I eventually managed to sort of get it to work. I forget the details, but I
think I had to put the 'real' network device in one vrf and the xfrm in
another. Probably I posted my example to the mailing list...

You do need a recent kernel and openvpn to have a chance of this working.

Thanks,
Ben

--
Ben Greear
Candela Technologies Inc http://www.candelatech.com