List: strongswan-users
Subject: Re: [strongSwan] PF_KEY with IPv4+IPv6 in charon
From: Jay Sharma <jay.sharma () gmail ! com>
Date: 2013-03-21 12:27:50
Message-ID: CACf=cksPcYMdZ7bHUx=uu_j2=_gJzeZwd=JP1femamzVPWpVRQ () mail ! gmail ! com
Hi Andreas,
I revisited this problem last week and looked around the code. With the below
patch I am able to make the IPv6-in-IPv4 scenario work under PFKEY. Can you
please review?
*StrongSwan Patch*
diff -Naur o/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
m/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
--- o/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c 2013-03-16
21:54:15.071773208 +0530
+++ m/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c 2013-03-16
21:53:20.429772870 +0530
@@ -98,6 +98,10 @@
#define IPV6_IPSEC_POLICY 34
#endif
+#ifndef XFRM_STATE_AF_UNSPEC
+#define XFRM_STATE_AF_UNSPEC 32
+#endif
+
/** default priority of installed policies */
#define PRIO_LOW 1024
#define PRIO_HIGH 512
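Review bot: the PF_KEY plugin should not borrow the xfrm flag name here; the bit it puts on the wire is the PF_KEY flag the kernel patch introduces, so guard and use that name instead: `#ifndef SADB_SAFLAGS_AF_UNSPEC` / `#define SADB_SAFLAGS_AF_UNSPEC 32`. Reusing XFRM_STATE_AF_UNSPEC ties the PF_KEY message encoding to whatever value a system linux/xfrm.h gives that symbol, and nothing in this file tells a reader that the value must match the one in pfkeyv2.h. A one-line comment saying that the flag requests an address-family-independent tunnel SA (IPv6-in-IPv4 or IPv4-in-IPv6) and requires a kernel carrying the matching af_key change would also help.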
@@ -1252,6 +1256,8 @@
sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
+ if (mode == MODE_TUNNEL)
+ sa->sadb_sa_flags |= XFRM_STATE_AF_UNSPEC;
PFKEY_EXT_ADD(msg, sa);
sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
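Review bot: the flag is set on every tunnel-mode SA, not only when the inner traffic-selector family differs from the outer SA family; restrict `if (mode == MODE_TUNNEL)` to the mismatched case (compare the family of the traffic selectors with that of src/dst) so that plain IPv4-in-IPv4 and IPv6-in-IPv6 SAs keep their current kernel behaviour and the plugin does not emit a flag that kernels without the af_key patch, or non-Linux PF_KEY kernels, have never seen. Style: strongSwan braces every if body, so the unbraced `sa->sadb_sa_flags |= XFRM_STATE_AF_UNSPEC;` should be wrapped in braces.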
*Kernel Patch*
diff -Naur o/include/linux/pfkeyv2.h m/include/linux/pfkeyv2.h
--- o/include/linux/pfkeyv2.h 2013-03-16 21:44:48.217772984 +0530
+++ m/include/linux/pfkeyv2.h 2013-03-16 21:45:30.016773292 +0530
@@ -268,6 +268,7 @@
#define SADB_SAFLAGS_NOPMTUDISC 0x20000000
#define SADB_SAFLAGS_DECAP_DSCP 0x40000000
#define SADB_SAFLAGS_NOECN 0x80000000
+#define SADB_SAFLAGS_AF_UNSPEC 32
/* Security Association states */
#define SADB_SASTATE_LARVAL 0
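Review bot: `#define SADB_SAFLAGS_AF_UNSPEC 32` does not follow the neighbouring definitions, which allocate Linux-private flags in the high-order bits and write them in hex (0x20000000, 0x40000000, 0x80000000); decimal 32 (0x20) lands in the low-order range where the RFC 2367 flags (SADB_SAFLAGS_PFS = 1) are allocated, and the value looks chosen only to coincide with XFRM_STATE_AF_UNSPEC, which nothing enforces since af_key.c translates the bit explicitly anyway. Allocate an unused high-order bit in the same style, e.g. `#define SADB_SAFLAGS_AF_UNSPEC 0x10000000`, and add a comment that af_key.c maps it to XFRM_STATE_AF_UNSPEC.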
diff -Naur o/net/key/af_key.c m/net/key/af_key.c
--- o/net/key/af_key.c 2013-03-06 21:44:48.222773308 +0530
+++ m/net/key/af_key.c 2013-03-06 21:45:30.047772952 +0530
@@ -836,6 +836,8 @@
sa->sadb_sa_flags |= SADB_SAFLAGS_DECAP_DSCP;
if (x->props.flags & XFRM_STATE_NOPMTUDISC)
sa->sadb_sa_flags |= SADB_SAFLAGS_NOPMTUDISC;
+ if (x->props.flags & XFRM_STATE_AF_UNSPEC)
+ sa->sadb_sa_flags |= SADB_SAFLAGS_AF_UNSPEC;
/* hard time */
if (hsc & 2) {
@@ -1103,6 +1105,8 @@
x->props.flags |= XFRM_STATE_DECAP_DSCP;
if (sa->sadb_sa_flags & SADB_SAFLAGS_NOPMTUDISC)
x->props.flags |= XFRM_STATE_NOPMTUDISC;
+ if (sa->sadb_sa_flags & SADB_SAFLAGS_AF_UNSPEC)
+ x->props.flags |= XFRM_STATE_AF_UNSPEC;
lifetime = (struct sadb_lifetime*) ext_hdrs[SADB_EXT_LIFETIME_HARD-1];
if (lifetime != NULL) {
@@ -1220,7 +1224,7 @@
x->sel.prefixlen_s = addr->sadb_address_prefixlen;
}
- if (!x->sel.family)
+ if (!x->sel.family && !(x->props.flags & XFRM_STATE_AF_UNSPEC))
x->sel.family = x->props.family;
if (ext_hdrs[SADB_X_EXT_NAT_T_TYPE-1]) {
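Review bot: with the flag set, x->sel.family is left as AF_UNSPEC instead of being copied from props.family, which is what allows the state to carry an inner family other than the outer one; a comment stating that this mirrors the netlink (xfrm_user) state-creation path would document the intent, because the extended condition otherwise reads like an accidental skip. Note also that the branch only matters when no selector address extension has already set sel.family earlier in this function (the `x->sel.prefixlen_s = addr->sadb_address_prefixlen;` just above comes from such an extension), so userland must not send selector addresses for the flagged SA; the strongSwan hunk does not show that it avoids doing so, and the requirement should be stated in one of the two patches.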
Thanks,
Jay
On Wed, Jan 30, 2013 at 12:50 AM, Mikael Magnusson <mikma264@gmail.com> wrote:
> If you use Linux, then netlink is required for IPv6-in-IPv4 support in
> ESP, AFAIK.
>
> /Mikael
>
>
> On 01/29/2013 06:18 PM, Jay Sharma wrote:
>
> Hi Andreas,
>
> Thanks for your reply. I checked the example scenarios but it does not
> list any case with IPv6-in-IPv4 for PFKEY.
>
> My setup is similar to the one here -
>
> http://www.strongswan.org/uml/testresults45/ipv6/net2net-ip6-in-ip4-ikev2/index.html
> [except that I do not have "bob" and there is a sit tunnel between alice and moon].
>
> So, does charon (strongswan 4.5.1) support PF_KEY messages for
> IPv6-in-IPv4 environment? The moment I re-configure strongswan without
> --enable-kernel-pfkey, the traffic goes through fine.
>
> Thanks,
> Jay
>
>
>
> _______________________________________________
> Users mailing list
> Users@lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>