Thanks for the response. I'll look into it.

-
Fernando

From:        Timo Teras <timo.teras@iki.fi>
To:        Fernando.MartinezNavarro@rohde-schwarz.com
Cc:        ipsec-tools-devel@lists.sourceforge.net
Date:        19.07.2013 12:50
Subject:        Re: [Ipsec-tools-devel] setkey, how to add a SA for both ESP and ESP-UDP
Sent by:        Timo Teräs <timo.teras@gmail.com>

On Fri, 12 Jul 2013 13:03:39 +0200
Fernando.MartinezNavarro@rohde-schwarz.com wrote:

> Hi,
>
> is there a way to add a Security Association for both ESP and ESP-UDP
> with setkey? I need this for my own IKEv2 daemon, which uses the setkey
> command to configure IPsec. According to the IKEv2 RFC, IKEv2
> implementations must be able to receive and process both
> UDP-encapsulated ESP and non-UDP-encapsulated ESP packets at any time.
>
> With setkey I can configure IPsec for either ESP-UDP or ESP, but not
> both.
>
> I tried the following configuration:
>
> add 192.168.1.201 172.22.1.210 esp-udp 3292998917 -m tunnel -E
> aes-cbc 0xb9450e7f5dd22ac260535c5b5159c896
> -A hmac-sha1 0xe848877062bdbbc5cca13c279e64d91aa873ede3;
>
> add 192.168.1.201 172.22.1.210 esp 3292998917 -m tunnel -E aes-cbc
> 0xb9450e7f5dd22ac260535c5b5159c896
> -A hmac-sha1 0xe848877062bdbbc5cca13c279e64d91aa873ede3;
>
> spdadd 0.0.0.0/0 192.168.48.129/32 any -P in ipsec
> esp/tunnel/192.168.1.201-172.22.1.210/require;
>
> Unfortunately I always get an error (File Exists) when adding the
> second SA.

That error comes from your operating system kernel. Sounds like this is
a problem in there.

- Timo
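As an added example (not part of the thread, nor of ipsec-tools), here is a small preflight check that parses setkey `add` statements and flags SAs that would collide in the kernel's SA table before the file is loaded. It assumes, consistent with the File Exists error above, that the kernel keys an SA by destination, SPI and protocol and treats UDP encapsulation as an attribute of an ESP SA rather than as a separate protocol; the key material in the sample is a constructed placeholder.

```python
import re
from collections import defaultdict

# Constructed sample: the two SAs and the policy from the thread, with the
# keys replaced by placeholders (keys play no part in the collision check).
SAMPLE_CONF = """
add 192.168.1.201 172.22.1.210 esp-udp 3292998917 -m tunnel -E
aes-cbc 0xPLACEHOLDER_ENC_KEY
-A hmac-sha1 0xPLACEHOLDER_AUTH_KEY;

add 192.168.1.201 172.22.1.210 esp 3292998917 -m tunnel -E aes-cbc
0xPLACEHOLDER_ENC_KEY
-A hmac-sha1 0xPLACEHOLDER_AUTH_KEY;

spdadd 0.0.0.0/0 192.168.48.129/32 any -P in ipsec
esp/tunnel/192.168.1.201-172.22.1.210/require;
"""

# Assumption (not stated in the thread): the kernel looks an SA up by
# (destination, SPI, protocol); "esp-udp" is an ESP SA with UDP
# encapsulation enabled, so it maps onto the same lookup key as "esp".
KERNEL_PROTO = {"esp": "esp", "esp-udp": "esp", "ah": "ah", "ipcomp": "ipcomp"}

def parse_add_statements(conf):
    """Return (src, dst, proto, spi) for every setkey 'add' statement."""
    sas = []
    # setkey statements end with ';' and may be wrapped over several lines.
    for stmt in re.split(r";", conf):
        tokens = stmt.split()
        if len(tokens) < 5 or tokens[0] != "add":
            continue
        src, dst, proto, spi = tokens[1], tokens[2], tokens[3], tokens[4]
        sas.append((src, dst, proto, int(spi, 0)))  # SPI may be decimal or 0x...
    return sas

def find_sa_collisions(conf):
    """Group 'add' statements that share the kernel's (dst, proto, spi) key."""
    buckets = defaultdict(list)
    for sa in parse_add_statements(conf):
        src, dst, proto, spi = sa
        buckets[(dst, KERNEL_PROTO.get(proto, proto), spi)].append(sa)
    return [group for group in buckets.values() if len(group) > 1]

if __name__ == "__main__":
    for group in find_sa_collisions(SAMPLE_CONF):
        print("collision: the kernel will reject all but the first of these")
        for src, dst, proto, spi in group:
            print(f"  add {src} {dst} {proto} {spi}")
```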