IPSec Traffic Issue – Incoming IPSec Traffic Not Processed via VTI Tunnel Using XFRM Rules

Tags: ipsec, linux

I have the following setup:

Remote IPSec VPN gateway: 81.x.x.x
Local machine address: 172.22.1.156
VPN-assigned IP: 10.0.30.97

VTI tunnel interface:

vti0: ip/ip remote 81.x.x.x local 172.22.1.156 ttl inherit nopmtudisc key 1000
inet 10.0.30.97/22 scope global vti0

Route to remote subnet 10.x.x.x:

10.0.0.0/8 dev vti0 scope link 
10.0.28.0/22 dev vti0 proto kernel scope link src 10.0.30.97 

XFRM state:

src 81.x.x.x dst 172.22.1.156
        proto esp spi 0xxxxxxxxx reqid 0 mode tunnel
        replay-window 0 
        auth-trunc hmac(sha256) 0xxxxx 128
        enc cbc(aes) 0xxxxx
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        sel src 0.0.0.0/0 dst 0.0.0.0/0 
src 172.22.1.156 dst 81.x.x.x
        proto esp spi 0xxxxxxxxx reqid 0 mode tunnel
        replay-window 0 
        auth-trunc hmac(sha256) 0xxxxxxxxx 128
        enc cbc(aes) 0xxxxxxxxx
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x26, bitmap 0x00000000
        sel src 0.0.0.0/0 dst 0.0.0.0/0 

XFRM policy:

src 0.0.0.0/0 dst 0.0.0.0/0 
        dir in priority 0 ptype main 
        mark 0x3e8/0xffffffff 
        tmpl src 81.x.x.x dst 172.22.1.156
                proto esp reqid 0 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0 
        dir out priority 0 ptype main 
        mark 0x3e8/0xffffffff 
        tmpl src 172.22.1.156 dst 81.x.x.x
                proto esp reqid 0 mode tunnel

With this setup there is a problem with incoming IPSec traffic routing. According to the Wireshark logs the packets go correctly in both directions, for example I can ping the remote host on the 10.x.x.x subnet and there is an encrypted ESP reply returned (containing ICMP encapsulated data), but it never gets processed on the VTI tunnel and forwarded to 172.22.1.156. Decryption and auth keys are set correctly and can decrypt incoming ESP packets in Wireshark.
Is there any additional policy or route missing?

Best Answer

Answering my own question:

Automatic UDP IPSec decapsulation only works on Linux if there is a listening UDP socket on port 4500 with UDP_ENCAP socket option set to UDP_ENCAP_ESPINUDP.
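The listener the answer describes, as an added example that is not part of the original post: a small Python script that binds UDP port 4500 (the port the XFRM state's "encap ... dport 4500" refers to) and sets UDP_ENCAP to UDP_ENCAP_ESPINUDP so the kernel diverts ESP-in-UDP datagrams to XFRM instead of delivering them as plain UDP. The constant values are taken from <linux/udp.h>, since Python's socket module does not export them.

```python
#!/usr/bin/env python3
"""Hold a UDP socket on port 4500 flagged with UDP_ENCAP_ESPINUDP so the
kernel decapsulates ESP-in-UDP (RFC 3948) traffic for the XFRM states.
Added example, not code from the original question or answer."""
import signal
import socket
import sys

# Values from <linux/udp.h>; Python's socket module does not export them.
UDP_ENCAP = 100            # option name for setsockopt(IPPROTO_UDP, ...)
UDP_ENCAP_ESPINUDP = 2     # RFC 3948 UDP encapsulation with non-ESP marker


def open_espinudp_socket(port=4500, bind_addr="0.0.0.0"):
    """Return a bound UDP socket that the kernel treats as an ESP-in-UDP
    decapsulation endpoint.

    Port 0 picks an ephemeral port, which is useful for checking that the
    option works without root or a free port 4500; the real listener must
    sit on the port named by the XFRM state's 'encap ... dport' (4500 here).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((bind_addr, port))
        # This is the step missing from the question's setup: without it
        # the kernel never hands datagrams on this port to xfrm4_udp_encap_rcv.
        sock.setsockopt(socket.IPPROTO_UDP, UDP_ENCAP, UDP_ENCAP_ESPINUDP)
    except OSError:
        sock.close()
        raise
    return sock


def encap_type(sock):
    """Read back the encapsulation type the kernel recorded for the socket."""
    return sock.getsockopt(socket.IPPROTO_UDP, UDP_ENCAP)


if __name__ == "__main__":
    listen_port = int(sys.argv[1]) if len(sys.argv) > 1 else 4500
    s = open_espinudp_socket(listen_port)
    print("ESP-in-UDP decapsulation enabled on UDP port %d (encap type %d)"
          % (s.getsockname()[1], encap_type(s)))
    # The socket must stay open: closing it disables decapsulation again.
    signal.pause()
```

An IKE daemon such as strongSwan or Libreswan already holds a socket like this, so the script is only needed when the SAs and policies are installed by hand with ip xfrm as in the question.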