
List:       ipsec-tools-devel
Subject:    Re: [Ipsec-tools-devel] issue with outbound SA selection
From:       Naveen BN <naveen.bn () globaledgesoft ! com>
Date:       2009-11-12 5:59:51
Message-ID: 4AFBA187.3080505 () globaledgesoft ! com

Hi Timo,

Thanks for the information. The problem can be solved by using the command 
below. I created the SA using this command and tested different failure 
scenarios where pf_key or setkey was used and SA selection was not based on 
ports. I found it working fine for session-based SAs.

ip xfrm state add src 172.16.8.36 dst 172.16.8.38 proto esp spi 0x800 \
    mode tunnel reqid 0 replay-window 32 \
    auth sha1 0xecf02a5cf6568556e1bdcd961c7ec3f92afd01cc \
    enc aes 0x5c0cfa9672ce67ba545b593076dfb278 \
    sel src 172.16.8.36 dst 172.16.8.38 proto udp dport 300

Please refer to http://man.he.net/man8/ip

I also saw that there is a reqid [with reference to your response] in the 
pf_key API:

/* structure to be used during SPD ADD */
struct sadb_x_ipsecrequest {
    uint16_t sadb_x_ipsecrequest_len;
    uint16_t sadb_x_ipsecrequest_proto;
    uint8_t sadb_x_ipsecrequest_mode;
    uint8_t sadb_x_ipsecrequest_level;
    uint16_t sadb_x_ipsecrequest_reserved1;
    uint32_t sadb_x_ipsecrequest_reqid;
    uint32_t sadb_x_ipsecrequest_reserved2;
} __attribute__ ((packed));

Can I use the structure below to write an SA to the SADB with the 
corresponding reqid in the policy, or is there another structure to do the 
same, or is it not possible using the PF_KEY kernel interface API?
struct sadb_x_sa2 {
    uint16_t sadb_x_sa2_len;
    uint16_t sadb_x_sa2_exttype;
    uint8_t sadb_x_sa2_mode;
    uint8_t sadb_x_sa2_reserved1;
    uint16_t sadb_x_sa2_reserved2;
    uint32_t sadb_x_sa2_sequence;
    uint32_t sadb_x_sa2_reqid;
} __attribute__ ((packed));

Regards
Naveen

Timo Teräs wrote:
> Naveen BN wrote:
>> I solved the issue for creating the SA using ip xfrm, but how can
>> I set the ports for the SA?
>> Is it possible only with the xfrm API, or can we do the same with the ip
>> xfrm state add command also,
>> just to check on the command line before starting to use the xfrm
>> interface in a program.
>
> Use the "reqid" field. It's a kernel internal variable. If it's specified
> in policy, the state must have matching reqid. You should not need to
> set any selector on the state then. Instead the kernel just looks up
> the state to use based on reqid, and the states end up using the
> selectors of the policy.
>
> This is also the only option if you want portA and portB to share SA,
> but portC to not share it.
>
> - Timo
>

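Added example, not code from the thread or from ipsec-tools: it shows where reqid travels in a PF_KEY SADB_ADD message (the SADB_X_EXT_SA2 extension, whose sadb_x_sa2_reqid is what the Linux PF_KEY code takes as the new SA's reqid) and walks the extension chain back with bounds checks. The struct layouts and constant values are local copies of RFC 2367 / <linux/pfkeyv2.h> so the file builds without the kernel header; a complete SADB_ADD also carries SA, address and key extensions, which are left out here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Local copies of RFC 2367 / <linux/pfkeyv2.h> layouts and values so the
 * file builds without the kernel header. PF_KEY lengths are in 64-bit units. */
enum { PF_KEY_V2 = 2, SADB_ADD = 3, SADB_SATYPE_ESP = 3, SADB_X_EXT_SA2 = 19 };
struct sadb_msg { uint8_t sadb_msg_version, sadb_msg_type, sadb_msg_errno, sadb_msg_satype;
                  uint16_t sadb_msg_len, sadb_msg_reserved; uint32_t sadb_msg_seq, sadb_msg_pid; };
struct sadb_ext { uint16_t sadb_ext_len, sadb_ext_type; };
struct sadb_x_sa2 { uint16_t sadb_x_sa2_len, sadb_x_sa2_exttype; uint8_t sadb_x_sa2_mode, sadb_x_sa2_reserved1;
                    uint16_t sadb_x_sa2_reserved2; uint32_t sadb_x_sa2_sequence, sadb_x_sa2_reqid; };

/* Emit an SADB_ADD header plus an SA2 extension carrying reqid; returns bytes
 * written, or 0 if buf is too small. (SA, address and key extensions omitted.) */
size_t build_add_with_reqid(uint8_t *buf, size_t cap, uint8_t mode, uint32_t reqid)
{
    struct sadb_msg m = {0}; struct sadb_x_sa2 sa2 = {0};
    size_t need = sizeof m + sizeof sa2;
    if (cap < need) return 0;
    m.sadb_msg_version = PF_KEY_V2; m.sadb_msg_type = SADB_ADD; m.sadb_msg_seq = 1;
    m.sadb_msg_satype = SADB_SATYPE_ESP; m.sadb_msg_len = (uint16_t)(need / 8);
    sa2.sadb_x_sa2_len = (uint16_t)(sizeof sa2 / 8); sa2.sadb_x_sa2_exttype = SADB_X_EXT_SA2;
    sa2.sadb_x_sa2_mode = mode; sa2.sadb_x_sa2_reqid = reqid; /* 2 = tunnel; reqid must match the policy's */
    memcpy(buf, &m, sizeof m);
    memcpy(buf + sizeof m, &sa2, sizeof sa2);
    return need;
}

/* Walk a PF_KEY message's extension chain and read reqid from the SA2 extension.
 * Returns 1 on success, 0 if absent or if any length field runs past the buffer or stalls the walk. */
int find_reqid(const uint8_t *buf, size_t len, uint32_t *reqid)
{
    struct sadb_msg m;
    if (len < sizeof m) return 0;
    memcpy(&m, buf, sizeof m);
    size_t total = (size_t)m.sadb_msg_len * 8, off = sizeof m;
    if (total > len) return 0;                      /* header claims more than we were given */
    while (off + sizeof(struct sadb_ext) <= total) {
        struct sadb_ext e; memcpy(&e, buf + off, sizeof e);
        size_t elen = (size_t)e.sadb_ext_len * 8;
        if (elen < sizeof e || off + elen > total) return 0; /* zero-length or truncated extension */
        if (e.sadb_ext_type == SADB_X_EXT_SA2 && elen >= sizeof(struct sadb_x_sa2)) {
            struct sadb_x_sa2 sa2; memcpy(&sa2, buf + off, sizeof sa2);
            *reqid = sa2.sadb_x_sa2_reqid; return 1;
        }
        off += elen;
    }
    return 0;
}
```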

_______________________________________________
Ipsec-tools-devel mailing list
Ipsec-tools-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel
