When a firewall has an IPSec VPN established, how many route lookups does a packet forwarded through the VPN tunnel go through?
1. Before encapsulation the packet gets a first route lookup; normally the next hop resolves to the tunnel interface.
2. After encapsulation the packet gets a second route lookup; in the usual case the next hop is the Ethernet egress interface over which the VPN is built. If this second lookup resolves to an interface in a different zone from the tunnel's, the encapsulated packet is dropped, as the trace below shows.
For details, refer to the following debug output:
2022-06-29 16:23:39, DEBUG@FLOW(1073760000): core 1 (sys up 0x65481d0 ms): 106201: (i) len=98 fa16.3e83.d8bf->fa16.3e30.6c03/800
172.21.18.93->10.0.0.1/1
vhl=45, tos=00, id=27900, frag=16384, ttl=64, tlen=84
icmp:type=8, code=0
rx_handle_prepare: fa16.3e83.d8bf->fa16.3e30.6c03, size 98, type 0x800, vid 0, port ethernet0/0
dp_prepare_if_for_pak
Switchid is 30(interface ethernet0/0) port ethernet0/0 ,pak iif=ethernet0/0
rx_handle_prepare i_if is ethernet0/0
Start l3 forward
Packet: 172.21.18.93 -> 10.0.0.1, id: 27900, ip size 84, prot: 1(ICMP)
dp_prepare_pak_lookup srcip: 172.21.18.93, dstip: 10.0.0.1, src-port:26160, dst-port:118, prot 1
packet's flow hashtag is 7e9064ce
No session found, try to create session
dp_first_crt_sess_init_flow0_from_pak_iif: set cpuid 0
-----------------First path creating new session-----------------
dp_sess_sm_transtion: Do session state machine transtion, id 1469, state: 0, event: 0!
allocate pending session and install flow0
begin lookup predefine prot:1 port:118
Identified as app PING (prot=1). timeout 6.
--------VR:trust-vr start--------
172.21.18.93:26160->10.0.0.1:118
No BNAT configured for this VR
NAT: ICMP protocol type/code 0800
NO DNS rewrite dynamic mapping entry found.
No DNAT matches
No inner DNAT matches, skip DNAT
Configured PBR, need lookup appid, proto 0x1, vr_id 1, ip 10.0.0.1, port 118
//First route lookup, before encapsulation
IPv4 route input: vr 1, vfg 0, i_if ethernet0/0, o_if null, src_ip 172.21.18.93, dst_ip 10.0.0.1, src_port 26160, dst_port 2048, prot 1, appid 104, flags 0x4(normal), hash_tag 1880879486
PBR in:
In interface ethernet0/0, source zone trust, source vr trust-vr, src-addr 172.21.18.93, dst-addr 10.0.0.1, Pak prot 1, src-port 26160, dst-port 2048.
pbr route lookup order index:if:0,zone:1,vr:2
rematch is 0
icmp protocol type/code 0800
checking candidate 0
before rbns check, match id 0, the role_count is 0, user_count is 0, ugroup_count is 0, and the auth_user_name is -
pbr route 1 lookup: vfg 0, weight sum1/total1, nexthop num 1, o_if null, hash_tag 1880879486, factor flags 0x4
pbr route nexthop[0]: IF id 34, weight 1, gateway 0.0.0.0 flags 0x8
pbr_route id 1 nxthp num 1 nxthp index 0 matches: nexthop ifindex 34, gateway 0.0.0.0
Find route pbr with 2
PBR out:match a pbr. //The first lookup matches a policy route; the next hop is the tunnel interface
find again for connect or local host route or dbr(overwrite policy-route if found):
PBR out:find connect or local host route
Find route 10.0.0.1 for IPv4 pkt.
dest route lookup: vfg 0, weight sum1/total1, nexthop num 1, o_if null, hash_tag 1880879486, factor flags 0x4
dest route nexthop[0]: IF id 30, weight 1, gateway 172.21.18.1 flags 0x14
PBR out:DBR match nothing, return pbr nexthop
IPv4 route output: type pbr, pbr-match-id 0.19.2.0/32, nexthop 0.0.0.0, if_id 34, flags 0x0 //The first lookup matches a policy route; the next hop is the tunnel interface (if_id 34)
Get nexthop if_id: 34, flags: 0, nexthop: 0.0.0.0
Interface route
lookup bnat for snat start!
No BNAT configured for this VR
lookup common snat start!
NAT: ICMP protocol type/code 0800
No SNAT matches, or out of pool, skip SNAT
--------VR:trust-vr end--------
Start mini policy lookup.
do not find mini rule matched
Start policy lookup.
Pak src zone trust, dst zone trust, prot 1, dst-port 118.
recheck_policy_lookup: profile_mask:3
Policy 9 matches, ===PERMIT===
crt_sess->flow0_io_cpuid 0
flow0 src 172.21.18.93 --> dst 10.0.0.1 with nexthop 0.0.0.0 ifindex 34
flow1 src 10.0.0.1 --> dst 172.21.18.93 nexthop not lookup or invalid
flow0 tunnel, id=1, cpuid=0, local cpuid=0
flow0's next hop: 0.0.0.0 flow1's next hop: 0.0.0.0
crt_sess->revs_rres.gw: 0.0.0.0, crt_sess->forw_rres.gw 0.0.0.0
Calculate flow1 hash, srcip: 10.0.0.1, dstip: 172.21.18.93, lports: 766630, prot: 1, token: 2
flow1->hash_tag 48d49178
in flow_first profile_merge, profile mask is 3
------sess:1469,app :104 init in first proc
Application 104 hasn't been registered, don't need do ALG
APP inited for application PING
crt_sess policy_flag is 0070, session flag1 is 0000
PING: create session: atomic bit
2022-06-29 16:23:39, DEBUG@FLOW(1073760000): core 1 (sys up 0x65481d0 ms): 0
dp_sess_sm_transtion: Do session state machine transtion, id 1469, state: 1, event: 3!
The following session is installed
session: id 1469, prot 1, flag0 4000,flag1 0, created 106201, life 6
flow0(if id: 30 flow id: 2938 flag: 40600d10):172.21.18.93:26160
->10.0.0.1:118
flow1(if id: 34 flow id: 2939 flag: 400900): 10.0.0.1:118
->172.21.18.93:26160
Session installed successfully
-----------------------First path over---------------------
Found the session 1469
session: id 1469, prot 1, flag0 4000,flag1 0, created 106201, life 6
flow0(if id: 30 flow id: 2938 flag: 40600d10):172.21.18.93:26160
->10.0.0.1:118
flow1(if id: 34 flow id: 2939 flag: 400910): 10.0.0.1:118
->172.21.18.93:26160
dp_app_proc: 0x0x2aaaae188900
exit idp_other_ip_scan with nothing detected
dp_app_proc: ICMP or fragment packet or need skip app proc, just forward it //forward
ICMP after translation: data1 3066, data2 7600
//Second route lookup, after encapsulation
IPv4 route input: vr 1, vfg 0, i_if null, o_if ethernet0/0, src_ip 172.21.18.254, dst_ip x.x.x.x, src_port 14934, dst_port 19657, prot 1, appid 0, flags 0x4(normal), hash_tag 2310466470
PBR in:
pbr route lookup order index:if:0,zone:1,vr:2
rematch is 0
icmp protocol type/code 4cc9
No pbr_route matches in this pbrctxt
PBR out:match nothing.
SIBR:match nothing.
SBR in:
Find route 172.21.18.254 for IPv4 pkt.
dest route lookup: vfg 0, weight sum1/total1, nexthop num 1, o_if ethernet0/0, hash_tag 2310466470, factor flags 0x4
dest route nexthop[0]: IF id 31, weight 1, gateway 172.21.17.1 flags 0x14
SBR out:match a sbr. //The second lookup hits a source-based route; the next hop is the firewall's egress
find again for connect or local host route(overwrite sbr-route if found):
Find route x.x.x.x for IPv4 pkt.
dest route lookup: vfg 0, weight sum1/total1, nexthop num 1, o_if ethernet0/0, hash_tag 2310466470, factor flags 0x4
dest route nexthop[0]: IF id 30, weight 1, gateway 172.21.18.1 flags 0x14
IPv4 route output: type sbr, prefix 172.21.18.0/24, nexthop 172.21.17.1, if_id 31, flags 0x0 //The second lookup hits a source-based route; the next hop is the firewall's egress. Here the SBR selects if_id 31 (via 172.21.17.1) rather than the interface the tunnel is bound to, so the zone check on the next line fails and the packet is dropped
Dropped: Route to x.x.x.x out interface zone is not the same with tunnel's.
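To make the two lookups and the final verdict easy to pick out of a long flow debug, the following Python script parses the `IPv4 route input` / `IPv4 route output` pairs and the `Dropped:` line. It is an added example, not part of the original page and not a vendor tool; the embedded log excerpt is constructed from lines of the debug above, and the rule that a lookup with an ingress interface but no egress is the pre-encapsulation one, while a lookup with no ingress interface and a set egress is the post-encapsulation (ESP) one, is an assumption drawn from this single trace.

```python
"""Parse a firewall flow debug and count the route lookups a VPN packet gets."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt: lines copied from the debug above, in order. The real
# trace has many more lines between them; the parser only keys on these.
DEBUG_EXCERPT = """\
IPv4 route input: vr 1, vfg 0, i_if ethernet0/0, o_if null, src_ip 172.21.18.93, dst_ip 10.0.0.1, src_port 26160, dst_port 2048, prot 1, appid 104, flags 0x4(normal), hash_tag 1880879486
PBR out:match a pbr.
IPv4 route output: type pbr, pbr-match-id 0.19.2.0/32, nexthop 0.0.0.0, if_id 34, flags 0x0
Policy 9 matches, ===PERMIT===
dp_app_proc: ICMP or fragment packet or need skip app proc, just forward it
IPv4 route input: vr 1, vfg 0, i_if null, o_if ethernet0/0, src_ip 172.21.18.254, dst_ip x.x.x.x, src_port 14934, dst_port 19657, prot 1, appid 0, flags 0x4(normal), hash_tag 2310466470
SBR out:match a sbr.
IPv4 route output: type sbr, prefix 172.21.18.0/24, nexthop 172.21.17.1, if_id 31, flags 0x0
Dropped: Route to x.x.x.x out interface zone is not the same with tunnel's.
"""

IN_RE = re.compile(r"IPv4 route input: .*?i_if (\S+), o_if (\S+), src_ip (\S+), dst_ip (\S+),")
OUT_RE = re.compile(r"IPv4 route output: type (\w+),.*?nexthop (\S+), if_id (\d+)")
DROP_RE = re.compile(r"^Dropped: (.*)$", re.M)


@dataclass
class RouteLookup:
    phase: str        # "pre-encap", "post-encap" or "unknown" (derived from i_if/o_if)
    i_if: str
    o_if: str
    src: str
    dst: str
    route_type: str   # pbr / sbr / dest ...
    nexthop: str
    if_id: int


def classify(i_if: str, o_if: str) -> str:
    """Assumption: cleartext packets arrive on an ingress interface with no egress
    chosen yet; the ESP packet is locally originated (no ingress) and already
    carries the tunnel's outgoing interface as o_if."""
    if i_if != "null" and o_if == "null":
        return "pre-encap"
    if i_if == "null" and o_if != "null":
        return "post-encap"
    return "unknown"


def parse_lookups(text: str) -> List[RouteLookup]:
    """Pair each 'route input' line with the next 'route output' line."""
    lookups: List[RouteLookup] = []
    pending = None
    for line in text.splitlines():
        m = IN_RE.search(line)
        if m:
            pending = m.groups()
            continue
        m = OUT_RE.search(line)
        if m and pending:
            i_if, o_if, src, dst = pending
            rtype, nexthop, if_id = m.groups()
            lookups.append(RouteLookup(classify(i_if, o_if), i_if, o_if,
                                       src, dst, rtype, nexthop, int(if_id)))
            pending = None
    return lookups


def drop_reason(text: str) -> Optional[str]:
    m = DROP_RE.search(text)
    return m.group(1) if m else None


def summarize(text: str) -> dict:
    """Count the lookups, pull out the tunnel interface (first lookup) and the
    interface chosen for the ESP packet (second lookup), and report the verdict.
    In the trace above the ESP lookup is steered by an SBR to a different
    interface than the one the tunnel is bound to, and the firewall drops it
    because that interface's zone is not the tunnel's."""
    lookups = parse_lookups(text)
    reason = drop_reason(text)
    tunnel = next((lk for lk in lookups if lk.phase == "pre-encap"), None)
    esp = next((lk for lk in lookups if lk.phase == "post-encap"), None)
    return {
        "lookups": len(lookups),
        "tunnel_if_id": tunnel.if_id if tunnel else None,
        "esp_egress_if_id": esp.if_id if esp else None,
        "esp_route_type": esp.route_type if esp else None,
        "verdict": "dropped" if reason else "forwarded",
        "reason": reason,
    }


if __name__ == "__main__":
    for lk in parse_lookups(DEBUG_EXCERPT):
        print(f"{lk.phase:10} {lk.src} -> {lk.dst}: type {lk.route_type}, "
              f"nexthop {lk.nexthop}, if_id {lk.if_id}")
    print(summarize(DEBUG_EXCERPT))
```

Run it against a full `debug flow` capture instead of the excerpt and the output lists one line per lookup; a healthy tunnel shows the second lookup's `if_id` equal to the interface the tunnel is bound to and no `Dropped:` line.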