Re: [Ipsec-tools-devel] issue with outbound SA selection
From: Naveen BN <nav...@gl...> - 2009-10-28 11:04:29
Hi Timo,

Thank you for the reply. Can I know why the pf_key API does not support adding ports to the SADB? Is there a specific reason?

Regards,
Naveen

Timo Teräs wrote:
> Hi,
>
> Naveen BN wrote:
>> I have a problem using SA with selectors based on <src IP>, <dest IP>
>> and <dst port> for outbound traffic.
>> I have written two outbound SAs for the same destination IP with
>> different destination ports, but I am seeing the
>> wrong SA being selected for outbound traffic. My concern is why
>> the SA is not getting selected based on the
>> ports mentioned in the security policy.
>>
>> When a packet is sent to dest port 800, the SA which is getting
>> selected is 0x208[spi] with dstport 500 instead of 0x201[spi] with
>> dstport 800.
>>
>> Please provide the criteria for outbound SA selection, please guide me
>> regarding this issue.
>> My Linux kernel version is 2.6.23.1-42.fc8
>
> The port number is not settable via the pf_key programming API in Linux.
> This kind of functionality is possible via the XFRM API, but it is not
> supported by setkey/racoon. If you need this, you should use some
> IKE software that supports the XFRM API such as strongSwan or OpenSwan.
>
> - Timo
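The following is an added illustration, not code from this thread, from ipsec-tools or from the Linux kernel. It is a deliberately simplified model of first-match outbound SA lookup against per-SA selectors, written to show why the two SAs in the question collide: an SA installed over PF_KEY carries no port in its selector (modelled here as `dport=0`, a wildcard), so both SAs match a flow to port 800 and the first one in the SAD wins, whereas selectors that keep the port (as XFRM allows) pick the intended SPI. The addresses, the `Selector`/`SA` classes and the `select_outbound_sa`/`ambiguous_sas` helpers are constructed for this example; the SPIs 0x208 and 0x201 and ports 500 and 800 are the ones from the thread.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed, simplified model of outbound SA selection (hypothetical; not kernel code).
# A dport of 0 in a selector means "any port", which is what an SA installed
# through PF_KEY looks like, since that API carries no port in the SA selector.


@dataclass(frozen=True)
class Selector:
    src: str
    dst: str
    dport: int = 0  # 0 = wildcard (no port selector)

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (self.src == src and self.dst == dst
                and (self.dport == 0 or self.dport == dport))


@dataclass(frozen=True)
class SA:
    spi: int
    sel: Selector


def select_outbound_sa(sad: List[SA], src: str, dst: str, dport: int) -> Optional[SA]:
    """First-match lookup: return the first SA whose selector covers the flow."""
    for sa in sad:
        if sa.sel.matches(src, dst, dport):
            return sa
    return None


def ambiguous_sas(sad: List[SA], src: str, dst: str, dport: int) -> List[int]:
    """Configuration check: SPIs of every SA that matches the flow.
    More than one entry means the selection depends on SAD order, not on intent."""
    return [sa.spi for sa in sad if sa.sel.matches(src, dst, dport)]


# Constructed addresses. SAD as programmed over PF_KEY: the ports are lost,
# so both selectors are wildcards and differ only in SPI.
PFKEY_SAD = [
    SA(0x208, Selector("10.0.0.1", "10.0.0.2")),  # meant for dport 500
    SA(0x201, Selector("10.0.0.1", "10.0.0.2")),  # meant for dport 800
]

# The same two SAs with the port selectors kept, as XFRM can express them.
XFRM_SAD = [
    SA(0x208, Selector("10.0.0.1", "10.0.0.2", dport=500)),
    SA(0x201, Selector("10.0.0.1", "10.0.0.2", dport=800)),
]


def demo():
    """Return (spi chosen with PF_KEY-style SAD, spi chosen with XFRM-style SAD) for dport 800."""
    a = select_outbound_sa(PFKEY_SAD, "10.0.0.1", "10.0.0.2", 800)
    b = select_outbound_sa(XFRM_SAD, "10.0.0.1", "10.0.0.2", 800)
    return (a.spi, b.spi)


if __name__ == "__main__":
    print("PF_KEY-style SAD, flow to dport 800 ->", hex(demo()[0]))
    print("XFRM-style SAD,   flow to dport 800 ->", hex(demo()[1]))
    print("ambiguous SPIs under PF_KEY-style SAD:",
          [hex(s) for s in ambiguous_sas(PFKEY_SAD, "10.0.0.1", "10.0.0.2", 800)])
```

Running `ambiguous_sas` over an SAD dump is the practical check: if a flow matches more than one SPI, the port distinction has not made it into the SA selectors and the kernel is free to pick either one.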