XFRM states and policies allow IPsec encryption to be configured without a virtual interface. However, I believe the vti and xfrm interface types can route traffic through a virtual interface to enable route-based encryption. I'm not sure how to configure these interfaces, and the XFRM states and policies, to support this.
The vti and xfrm interface types list the following link parameters:
$ ip link help type vti
Usage: ... vti [ remote ADDR ]
               [ local ADDR ]
               [ [i|o]key KEY ]
               [ dev PHYS_DEV ]
               [ fwmark MARK ]

Where: ADDR := { IP_ADDRESS }
       KEY  := { DOTTED_QUAD | NUMBER }
       MARK := { 0x0..0xffffffff }

$ ip link help type xfrm
Usage: ... xfrm dev [ PHYS_DEV ] [ if_id IF-ID ]
                    [ external ]

Where: IF-ID := { 0x1..0xffffffff }
What exactly do these parameters mean (there is little documentation), and how do they relate to the XFRM state and policy definitions?
XFRM states and policies take the following parameters (from the man page):
ip xfrm state { add | update } ID [ ALGO-LIST ] [ mode MODE ] [ mark MARK [ mask MASK ] ]
        [ reqid REQID ] [ seq SEQ ] [ replay-window SIZE ] [ replay-seq SEQ ]
        [ replay-oseq SEQ ] [ replay-seq-hi SEQ ] [ replay-oseq-hi SEQ ]
        [ flag FLAG-LIST ] [ sel SELECTOR ] [ LIMIT-LIST ] [ encap ENCAP ]
        [ coa ADDR[/PLEN] ] [ ctx CTX ] [ extra-flag EXTRA-FLAG-LIST ]
        [ output-mark OUTPUT-MARK [ mask MASK ] ] [ if_id IF-ID ] [ tfcpad LENGTH ]

ip xfrm policy { add | update } SELECTOR dir DIR [ ctx CTX ] [ mark MARK [ mask MASK ] ]
        [ index INDEX ] [ ptype PTYPE ] [ action ACTION ] [ priority PRIORITY ]
        [ flag FLAG-LIST ] [ if_id IF-ID ] [ LIMIT-LIST ] [ TMPL-LIST ]
Example usage of both of these together with XFRM states and policies would also help clarify the topic.
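As an added example (not part of the question), here is a minimal route-based setup using the xfrm interface type, showing how one if_id ties the link, the two SAs and the two policies together while the route decides what gets encrypted. The addresses, SPIs, keys and the underlay name eth0 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the question. Route-based IPsec over an xfrm
# interface: the same if_id appears on the link, both SAs and both policies.
# All addresses, SPIs, keys and the underlay name eth0 are constructed
# placeholders; generate real keys with `openssl rand -hex 20`.
set -eu

LOCAL_GW=192.0.2.1            # placeholder: this gateway's outer address
REMOTE_GW=198.51.100.1        # placeholder: peer gateway's outer address
REMOTE_NET=10.2.0.0/24        # placeholder: subnet behind the peer
IF_ID=42                      # xfrm interface id shared by link, SAs, policies
SPI_OUT=0x1001                # SPIs are chosen by the receiving side
SPI_IN=0x1002
# AES-128-GCM keymat = 16-byte key + 4-byte salt (20 bytes); dummy values.
KEY_OUT=0x00112233445566778899aabbccddeeff01020304
KEY_IN=0x04030201ffeeddccbbaa99887766554433221100
DRY_RUN="${DRY_RUN:-1}"       # 1 = print the commands; 0 = apply them (root)

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

xfrm_setup() {
    # 1. Virtual interface: dev names the underlay, if_id is the lookup key.
    run ip link add ipsec0 type xfrm dev eth0 if_id "$IF_ID"
    run ip link set ipsec0 up
    # 2. One SA per direction, tagged with if_id so only ipsec0 traffic uses them.
    run ip xfrm state add src "$LOCAL_GW" dst "$REMOTE_GW" proto esp spi "$SPI_OUT" \
        reqid 1 mode tunnel aead 'rfc4106(gcm(aes))' "$KEY_OUT" 128 if_id "$IF_ID"
    run ip xfrm state add src "$REMOTE_GW" dst "$LOCAL_GW" proto esp spi "$SPI_IN" \
        reqid 1 mode tunnel aead 'rfc4106(gcm(aes))' "$KEY_IN" 128 if_id "$IF_ID"
    # 3. Policies with an any/any selector: routing, not the selector, decides
    #    what is encrypted; if_id scopes them to ipsec0 and reqid binds the SAs.
    run ip xfrm policy add src 0.0.0.0/0 dst 0.0.0.0/0 dir out if_id "$IF_ID" \
        tmpl src "$LOCAL_GW" dst "$REMOTE_GW" proto esp reqid 1 mode tunnel
    run ip xfrm policy add src 0.0.0.0/0 dst 0.0.0.0/0 dir in if_id "$IF_ID" \
        tmpl src "$REMOTE_GW" dst "$LOCAL_GW" proto esp reqid 1 mode tunnel
    # 4. The route is what selects traffic for encryption.
    run ip route add "$REMOTE_NET" dev ipsec0
}

xfrm_setup
```

Run with DRY_RUN=0 as root on both gateways, with the src/dst addresses and SPIs swapped on the peer; `ip xfrm state` and `ip xfrm policy` then show the if_id on every entry.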