List:       ipsec-tools-devel
Subject:    Re: [Ipsec-tools-devel] Does anybody work on supporting SPD matching Netfilter MARKS?
From:       Reinoud Koornstra <reinoudkoornstra () gmail ! com>
Date:       2015-10-19 20:27:27
Message-ID: CAAA5faEeh8tKce+wxPuOSwWYN8BpkTW66FXD5zUtesydJWW0VQ () mail ! gmail ! com


Hi Oskar,

The tag option isn't supported indeed.
I've been looking into the BSD code as to how much work it was to implement
it.
I didn't make an attempt yet.
Actually for this reason I sometimes use ip xfrm, but then you'll run into
other problems, like priority and stuff that setkey does for you, but ip
xfrm does not.
Thanks,

Reinoud.

On Mon, Oct 19, 2015 at 12:19 PM, Oskar Stenman <oskar.stenman@magine.com>
wrote:

> I noticed there was a question "a while back" (January 2005) asking if
> you supported "spdadd tagged <tag>" and there were a few answers and it
> looks like some work was being done, but when I try it today it doesn't
> work.
>
> Link to old thread for reference:
> http://sourceforge.net/p/ipsec-tools/mailman/message/7607778/
>
> I'm looking at setting up a few VPN connections with vti interfaces on
> Linux and it seems I can't make "any packet going out through this
> interface" be tagged or tied to an SPD; "spdadd tagged <tag>" gives invalid
> argument, and SPDs for every combination of source and destination network
> available is going to be a relatively large and ever changing definition
> file.
>
> I can see that the command is included in setkey's manpage, but it fails
> when I try to add a policy based on it:
> /etc/ipsec-tools.conf:
> #!/usr/sbin/setkey -f
> flush;
> spdflush;
> spdadd tagged "1" -P out ipsec
>    esp/tunnel/10.202.193.211-52.19.138.123/require;
> spdadd tagged "2" -P out ipsec
>    esp/tunnel/52.19.138.123-10.202.193.211/require;
>
> root@ip-10-202-193-211:~# setkey -f /etc/ipsec-tools.conf
> The result of line 5: Invalid argument.
> The result of line 7: Invalid argument.
>
> Did support for this make it into the Linux kernel? Am I missing a
> kernel module? Is this only supported on *BSD systems or something?
>
> --
>
> *Oskar Stenman*
> Network Architect
>
> *Magine TV*
> oskar.stenman@magine.com  |   Mob: +46 70 565 21 52
> Regeringsgatan 25  | 111 53 Stockholm, Sweden  |   www.magine.com
> <http://www.magine.com/>
>
> Privileged and/or Confidential Information may be contained in this
> message. If you are not the addressee indicated in this message
> (or responsible for delivery of the message to such a person), you may not
> copy or deliver this message to anyone. In such case,
> you should destroy this message and kindly notify the sender by reply
> email.
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Ipsec-tools-devel mailing list
> Ipsec-tools-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel
>
>
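The setkey config quoted above fails on Linux because the `tagged` selector is a BSD (pf tag) feature that the Linux SPD does not have; the closest Linux equivalent is the netfilter mark that `ip xfrm policy` can match on, which is the route Reinoud mentions, with the caveat that `ip xfrm` does not assign policy priorities for you. The following script is an added example, not code from ipsec-tools or from either poster: it parses setkey-style `spdadd tagged` statements and emits the corresponding `ip xfrm` commands with an explicit `priority` on every policy. It assumes that a tag should be interpreted as a Linux fwmark (so the tag must be numeric), that a tagged policy has an any-to-any address selector, and that `flush`/`spdflush` map to `ip xfrm state flush`/`ip xfrm policy flush`; the `base_priority`/`step` scheme and `SAMPLE_CONF` are constructed for the example.

```python
"""Translate setkey 'spdadd tagged' statements into ip xfrm policy commands.

Added example; not part of ipsec-tools. The mapping of a BSD tag onto a Linux
fwmark, the any-to-any selector and the priority scheme are assumptions.
"""
import re

# Constructed sample input: the configuration quoted in the thread.
SAMPLE_CONF = """\
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd tagged "1" -P out ipsec
   esp/tunnel/10.202.193.211-52.19.138.123/require;
spdadd tagged "2" -P out ipsec
   esp/tunnel/52.19.138.123-10.202.193.211/require;
"""

# One whitespace-normalised 'spdadd tagged' statement (IPv4 tunnel/transport).
STMT_RE = re.compile(
    r'spdadd tagged "(?P<tag>[^"]+)" -P (?P<dir>in|out|fwd) ipsec '
    r"(?P<proto>esp|ah)/(?P<mode>tunnel|transport)/"
    r"(?P<src>[0-9.]+)-(?P<dst>[0-9.]+)/(?P<level>require|use)"
)


def split_statements(text):
    """Drop comment lines (including the #! line) and split on ';'."""
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("#")]
    return [s.strip() for s in " ".join(lines).split(";") if s.strip()]


def parse_statement(stmt):
    """Parse one statement into a dict; reject anything we cannot translate."""
    stmt = re.sub(r"\s+", " ", stmt)
    if stmt in ("flush", "spdflush"):
        return {"kind": stmt}
    m = STMT_RE.fullmatch(stmt)
    if not m:
        raise ValueError(f"unsupported statement: {stmt!r}")
    p = m.groupdict()
    # A Linux fwmark is a 32-bit unsigned integer; a pf-style string tag has
    # no equivalent, so refuse it rather than emit a broken command.
    if not p["tag"].isdigit() or int(p["tag"]) > 0xFFFFFFFF:
        raise ValueError(f"tag {p['tag']!r} is not usable as an fwmark")
    p["kind"] = "spdadd"
    p["mark"] = int(p["tag"])
    return p


def to_xfrm_commands(text, base_priority=100, step=10):
    """Return the list of ip xfrm commands equivalent to the setkey input.

    Each policy gets an explicit priority (lower value wins in xfrm), in the
    order the statements appear; setkey would otherwise derive one for you.
    """
    cmds, n = [], 0
    for stmt in split_statements(text):
        p = parse_statement(stmt)
        if p["kind"] == "flush":
            cmds.append("ip xfrm state flush")      # SAD flush
        elif p["kind"] == "spdflush":
            cmds.append("ip xfrm policy flush")     # SPD flush
        else:
            prio = base_priority + step * n
            n += 1
            level = "required" if p["level"] == "require" else "use"
            cmds.append(
                "ip xfrm policy add src 0.0.0.0/0 dst 0.0.0.0/0 "
                f"dir {p['dir']} mark {p['mark']} priority {prio} "
                f"tmpl src {p['src']} dst {p['dst']} proto {p['proto']} "
                f"mode {p['mode']} level {level}"
            )
    return cmds


if __name__ == "__main__":
    for cmd in to_xfrm_commands(SAMPLE_CONF):
        print(cmd)
```

The emitted policies match only on the mark, so packets have to be marked (for example by a netfilter rule on the vti interface) before the xfrm lookup; without the mark, no tagged policy applies and the traffic is not protected, which is the failure mode worth checking with `ip xfrm policy show` and a quick capture after loading the rules.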
