Hi, I’m curious about the IPsec packet flow, as I need to set up firewall rules for my IPsec site-to-site tunnel.
In the packet flow diagram, the IPsec decryption step shows the encrypted packet being decrypted first, then going back into the input chain.
When the encrypted packet is received at the first step, the source address of the packet is the remote router's public IP.
After it is decrypted, does the source IP remain the same as the remote router's public IP, or does it change to the remote router's internal IP?
As far as the IPsec tunnel is concerned, each site will see the other's public IP…
When you try to reach, let's say, a local computer inside the tunnel, then that computer will see the traffic coming from the router itself…
In the case of an L2TP/IPsec tunnel, for instance, when you try to reach a device on the other side of the tunnel, that device will of course not see any public IPs…
It depends on what the remote side is sending. If you have transport mode IPsec (e.g. for L2TP/IPsec), the decrypted packet (L2TP) will have the same addresses as the encrypted one (unless it's changed by NAT). If you have tunnel mode IPsec (e.g. a LAN-to-LAN tunnel), the decrypted packet will have the source address of the remote device in the LAN (if it came from it) and the destination address will be a device on the local LAN, while the encrypted packets will have the remote router as source and the local router as destination.
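To make the two cases above concrete, here is an added example (not code from the thread or from MikroTik) that builds tunnel-mode and transport-mode ESP packets around an inner IPv4 packet and shows which addresses a firewall sees before and after decapsulation. Encryption is deliberately stubbed out (the ESP payload is kept in the clear and the ICV is a placeholder) because the point is header layout, not the cipher; the addresses are made-up documentation ranges and the SPI/sequence values are arbitrary assumptions.

```python
"""Tunnel vs transport mode ESP header layout (added illustration, stub crypto)."""
import struct
from ipaddress import IPv4Address

PROTO_IPIP = 4    # next_header value for an encapsulated IPv4 packet (tunnel mode)
PROTO_UDP = 17
PROTO_ESP = 50
ICV_LEN = 12      # placeholder integrity check value, not computed here


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Return a minimal IPv4 packet (20-byte header, no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    s = sum(struct.unpack("!10H", hdr))
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return hdr[:10] + struct.pack("!H", (~s) & 0xFFFF) + hdr[12:] + payload


def addresses(pkt):
    """What a firewall matching on the outer header sees: (src, dst, protocol)."""
    return str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20])), pkt[9]


def _split_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[:ihl], pkt[ihl:]


def esp_wrap(plaintext, next_header, spi=0x1000, seq=1):
    """ESP: SPI | seq | payload | padding | pad_len | next_header | ICV (no real crypto)."""
    pad_len = (-(len(plaintext) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + plaintext + trailer + b"\x00" * ICV_LEN


def esp_unwrap(esp):
    body = esp[8:-ICV_LEN]
    pad_len, next_header = body[-2], body[-1]
    return body[:-(2 + pad_len)], next_header


def tunnel_encapsulate(inner, gw_src, gw_dst):
    """Tunnel mode: a NEW outer IP header (router to router) in front of the whole inner packet."""
    esp = esp_wrap(inner, PROTO_IPIP)
    return build_ipv4(gw_src, gw_dst, PROTO_ESP, esp)


def transport_encapsulate(inner):
    """Transport mode: keep the original addresses, ESP sits between IP header and payload."""
    src, dst, proto = addresses(inner)
    _, payload = _split_ipv4(inner)
    return build_ipv4(src, dst, PROTO_ESP, esp_wrap(payload, proto), ttl=inner[8])


def decapsulate(outer):
    """Undo ESP; returns the packet the firewall sees on its second pass through the input chain."""
    src, dst, proto = addresses(outer)
    assert proto == PROTO_ESP, "not an ESP packet"
    _, esp = _split_ipv4(outer)
    plaintext, next_header = esp_unwrap(esp)
    if next_header == PROTO_IPIP:          # tunnel mode: inner packet has its own header
        return plaintext
    return build_ipv4(src, dst, next_header, plaintext, ttl=outer[8])  # transport mode


if __name__ == "__main__":
    lan = build_ipv4("192.168.1.10", "192.168.2.20", PROTO_UDP, b"lan-to-lan")
    wire = tunnel_encapsulate(lan, "203.0.113.1", "198.51.100.1")
    print("tunnel  encrypted:", addresses(wire), " decrypted:", addresses(decapsulate(wire)))
    l2tp = build_ipv4("203.0.113.1", "198.51.100.1", PROTO_UDP, b"l2tp")
    wire = transport_encapsulate(l2tp)
    print("transport encrypted:", addresses(wire), " decrypted:", addresses(decapsulate(wire)))
```

Running it prints the router public IPs with protocol 50 for both encrypted packets, but only the tunnel-mode packet changes to the LAN addresses after decapsulation; the transport-mode (L2TP) packet keeps the public IPs with protocol 17, which is exactly the distinction the reply above draws. A filter rule in the input or forward chain therefore has to be written for whichever of those two header views the packet has at that point in the flow.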
Hello,
I have a very similar doubt regarding IPsec traffic.
Let’s analyse the encryption. Do we have, on the upper diagram, a situation where a packet has a destination address that belongs to the other side of the IPsec tunnel? If so, it goes through the FORWARD chain (step 3) and then, if it matches an IPsec policy, is encrypted. Does it mean only encryption? If so, does it leave the routing through the “L” point, only then get encapsulated and come again to the routing through the “K” point? Or maybe all things that belong to the IPsec process are done directly in the box “IPSEC ENCRYPTION” and after leaving the “L” point that packet goes directly to the physical output interface?
@Sob, what you wrote means that encryption and encapsulation is done in just one step, right?
This is how IPsec works!!!
IPsec has, as @sob said, two modes: Tunnel mode and Transport mode…
Tunnel mode is used in site-to-site VPNs, between gateways in simple words, and is the default mode, while Transport mode is used for client-to-site VPNs or end to end, between a computer and a gateway…
Now, Tunnel mode adds a new IP header in front of the IP header of the originating packet…
In Transport mode no new IP header is added, so the IP stays the same… unless, as @sob said, NAT is performed…
I know IPsec quite well and all the things both of you mentioned are of course correct, but as I wrote, I have a doubt about how it is carried out in MT devices. Does the IPsec packet in tunnel mode go only once to the “routing decision” box or twice? In other words, is the decryption and decapsulation (or encryption and encapsulation) done at the very same moment?
I’ve been looking at this diagram for a few months ;P. So at point 7 in the encryption diagram the packet is fully encrypted and encapsulated at the same time? I’m in doubt because on the general packet flow diagram there is also a box: ENCAPSULATION (TUNNEL).
The second routing decision between steps 7 and 8 wouldn’t make sense if the packet still had the original addresses. You can always do an experiment: add some logging rules in postrouting and see how many times it passes through there.
If you look at the traffic flow diagram in your first post, the encapsulation happens after the routing takes place, just before the packet leaves the router…