
List:       strongswan-announce
Subject:    [strongSwan-dev] Fwd: manual manipulation the IPsec SA/SP database
From:       krishna chaitanya <krishnachaitanya.sanapala () gmail ! com>
Date:       2012-05-31 6:09:45
Message-ID: CAFQdJXGV4OS2=RBjDDkCW71hbYm0AjsZf9i9gByc69EQSTri9w () mail ! gmail ! com


---------- Forwarded message ----------
From: krishna chaitanya <krishnachaitanya.sanapala@gmail.com>
Date: Wed, May 30, 2012 at 5:28 PM
Subject: Re: [strongSwan-dev] manual manipulation the IPsec SA/SP database
To: Andreas Steffen <andreas.steffen@strongswan.org>
Cc: dev@lists.strongswan.org


Hi Andreas,

I do believe that the IKEv2 charon daemon subscribes to XFRM events generated
by the Linux kernel which are triggered by IPsec XFRM state limits.

So in case it's true, then charon should be aware of the changes done by
XFRM. Please correct me. Thanks


On Wed, May 30, 2012 at 12:01 PM, krishna chaitanya <
krishnachaitanya.sanapala@gmail.com> wrote:

> HI Andreas,
> 
> Thanks very much for quick response. I would love to have more
> clarifications on the below following.
> 
> 1. About SAD :
> 
> Adding an SA using a setkey :
> 
> add 10.0.0.11 10.0.0.216 esp 15701 -E 3des-cbc "123456789012123456789012";
> 
> add 10.0.0.11 10.0.0.216 ah 15700 -A hmac-md5 "1234567890123456";
> 
> I replicated the same in strongSwan in the ipsec.conf file by adding it as a conn. I
> could configure everything using strongSwan apart from the SPI.
> I understand that the starter daemon is a configuration file parser and it would
> communicate the changes. Please help me about the SPI. Is it that strongSwan uses
> the SPI allocated by the kernel?
> 
> 2. About SPD:
> 
> Adding an SPD by setkey :
> 
> spdadd 10.0.0.216 10.0.0.11 any -P out ipsec
> esp/transport//require
> ah/transport//require;
> 
> I tried a lot of documentation on how to configure an SP, but was unsuccessful.
> 
> Can I build a userspace program registered with XFRM to add/delete/* policies for
> charon? Would that work?
> 
> On Tue, May 29, 2012 at 8:38 PM, Andreas Steffen <
> andreas.steffen@strongswan.org> wrote:
> 
> > Hello,
> > 
> > with strongSwan you are not supposed to manipulate the SAD/SPD
> > with an external command line tool as "setkey" or
> > "ip xfrm state/policy add" because the IKEv1/IKEv2 daemons will
> > not become aware of any external SAD/SPD changes. All changes
> > must be communicated through the strongSwan daemon interfaces.
> > 
> > Regards
> > 
> > Andreas
> > 
> > On 29.05.2012 16:23, krishna chaitanya wrote:
> > > HI Team,
> > > 
> > > I am new to strongswan. We are working on an implementation of IPsec.
> > > 
> > > I earlier worked with racoon where I used setkey for SAD/SPD manipulation.
> > > 
> > > In strongSwan I had configured the SAs using the ipsec.conf file, but is
> > > there a tool where we could manipulate SAD/SPD using the shell?
> > > 
> > > 
> > > Thanks,
> > > KC.Sanapala
> > 
> > ======================================================================
> > Andreas Steffen                         andreas.steffen@strongswan.org
> > strongSwan - the Linux VPN Solution!                www.strongswan.org
> > Institute for Internet Technologies and Applications
> > University of Applied Sciences Rapperswil
> > CH-8640 Rapperswil (Switzerland)
> > ===========================================================[ITA-HSR]==
> > 
> > 
> 
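Andreas's point is that anything added to the kernel SAD with setkey or `ip xfrm state add` is invisible to charon. An added check (not from this thread or the strongSwan project) that makes the gap visible: it parses the kernel's `ip xfrm state` output and charon's `ipsec statusall` output and reports SAs that exist in only one of the two. Both input samples are constructed here, and the `ESP SPIs: xxxxxxxx_i yyyyyyyy_o` line format of `ipsec statusall` is assumed from typical output.

```python
import re

# Constructed sample of `ip xfrm state`: one SA installed by charon, plus the
# "add 10.0.0.11 10.0.0.216 esp 15701 ..." SA from the thread, added by hand
# with setkey (15701 == 0x3d55; key bytes are the ASCII digits from the thread).
KERNEL_STATE = """\
src 10.0.0.216 dst 10.0.0.11
\tproto esp spi 0xc5af1b3d reqid 1 mode transport
\tenc cbc(aes) 0x0123456789abcdef0123456789abcdef
src 10.0.0.11 dst 10.0.0.216
\tproto esp spi 0x00003d55 reqid 0 mode transport
\tenc cbc(des3_ede) 0x313233343536373839303132313233343536373839303132
"""

# Constructed sample of the CHILD_SA line from `ipsec statusall`; the outbound
# SPI a9e0f1c2 is one charon installed but that was since deleted by hand.
CHARON_STATUS = """\
Security Associations (1 up, 0 connecting):
        host{1}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c5af1b3d_i a9e0f1c2_o
"""

KSTATE_RE = re.compile(r"^src (\S+) dst (\S+)\n\s+proto (\w+) spi 0x([0-9a-fA-F]+)", re.M)
CHARON_RE = re.compile(r"\b(ESP|AH) SPIs: ([0-9a-fA-F]+)_i ([0-9a-fA-F]+)_o")


def kernel_sas(text):
    """Map (proto, spi) -> (src, dst) for every SA listed by `ip xfrm state`."""
    return {(p, int(spi, 16)): (src, dst) for src, dst, p, spi in KSTATE_RE.findall(text)}


def charon_sas(text):
    """Set of (proto, spi) that charon reports as INSTALLED in `ipsec statusall`."""
    found = set()
    for proto, spi_in, spi_out in CHARON_RE.findall(text):
        found.add((proto.lower(), int(spi_in, 16)))
        found.add((proto.lower(), int(spi_out, 16)))
    return found


def sad_drift(kernel_text, charon_text):
    """Return (unknown_to_charon, missing_in_kernel): SAs the kernel holds that
    charon never installed, and SAs charon believes exist but the kernel lacks."""
    kernel = kernel_sas(kernel_text)
    charon = charon_sas(charon_text)
    return sorted(k for k in kernel if k not in charon), sorted(charon - set(kernel))


if __name__ == "__main__":
    unknown, missing = sad_drift(KERNEL_STATE, CHARON_STATUS)
    for proto, spi in unknown:
        print(f"kernel SA {proto} spi {spi} (0x{spi:08x}) is not managed by charon")
    for proto, spi in missing:
        print(f"charon SA {proto} spi 0x{spi:08x} is no longer in the kernel SAD")
```

On a live host, feed the script the real command outputs instead of the constructed samples; any SA in the first list is one charon will never rekey or delete.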



_______________________________________________
Dev mailing list
Dev@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/dev
