Thread: Re: [Ipsec-tools-devel] issue with outbound SA selection (Page 2)
From: Naveen BN <nav...@gl...> - 2009-11-12 06:08:25
Hi Timo,

Thanks for the information. The problem can be solved by using the command below. I created the SA using this command and tested the different failure scenarios seen when pf_key or setkey was used, where SA selection was not based on ports. I found it working fine for session-based SAs.

  ip xfrm state add src 172.16.8.36 dst 172.16.8.38 proto esp spi 0x800 mode tunnel reqid 0 replay-window 32 auth sha1 0xecf02a5cf6568556e1bdcd961c7ec3f92afd01cc enc aes 0x5c0cfa9672ce67ba545b593076dfb278 sel src 172.16.8.36 dst 172.16.8.38 proto udp dport 300

Please refer to http://man.he.net/man8/ip

I also saw that there is a reqid [with reference to your response] in the PF_KEY API:

  /* structure to be used during SPD ADD */
  struct sadb_x_ipsecrequest {
      uint16_t sadb_x_ipsecrequest_len;
      uint16_t sadb_x_ipsecrequest_proto;
      uint8_t  sadb_x_ipsecrequest_mode;
      uint8_t  sadb_x_ipsecrequest_level;
      uint16_t sadb_x_ipsecrequest_reserved1;
      uint32_t sadb_x_ipsecrequest_reqid;
      uint32_t sadb_x_ipsecrequest_reserved2;
  } __attribute__ ((packed));

Can I use the structure below to write an SA to the SADB with the reqid corresponding to the policy, or is there any other structure that does the same, or is it not possible using the PF_KEY kernel interface API?

  struct sadb_x_sa2 {
      uint16_t sadb_x_sa2_len;
      uint16_t sadb_x_sa2_exttype;
      uint8_t  sadb_x_sa2_mode;
      uint8_t  sadb_x_sa2_reserved1;
      uint16_t sadb_x_sa2_reserved2;
      uint32_t sadb_x_sa2_sequence;
      uint32_t sadb_x_sa2_reqid;
  } __attribute__ ((packed));

Regards
Naveen

Timo Teräs wrote:
> Naveen BN wrote:
>> I solved the issue for creating the SA using ip xfrm, but how can
>> I set the ports for the SA?
>> Is it possible only with the xfrm API, or can we do the same with the ip
>> xfrm state add command also,
>> just to check on the command line before starting to use the xfrm interface
>> in a program.
>
> Use the "reqid" field. It's a kernel internal variable. If it's specified
> in policy, the state must have matching reqid. You should not need to
> set any selector on the state then. Instead the kernel just looks up
> the state to use based on reqid, and the states end up using the
> selectors of the policy.
>
> This is also the only option if you want portA and portB to share SA,
> but portC to not share it.
>
> - Timo
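As an added example for the reqid question above (this is not code from ipsec-tools or the kernel), the Python below packs the two structures Naveen quoted, sadb_x_sa2 for the SA and sadb_x_ipsecrequest wrapped in its sadb_x_policy header for the SPD entry, then parses them back and checks Timo's rule that the state's reqid must match the policy template's reqid. The extension type numbers, the mode/level/direction constants and the sadb_x_policy layout are assumed from linux/pfkeyv2.h; the sadb_x_policy header and the demo reqid values do not appear in this thread.

```python
import struct

# Extension type numbers and mode/level/direction values as defined in
# linux/pfkeyv2.h (assumed here; the thread quotes only the struct layouts).
SADB_X_EXT_POLICY = 18
SADB_X_EXT_SA2 = 19
IPPROTO_ESP = 50
IPSEC_MODE_TUNNEL = 2
IPSEC_LEVEL_REQUIRE = 2
IPSEC_POLICY_IPSEC = 2
IPSEC_DIR_OUTBOUND = 2

# Field order copied from the two packed structs quoted in the message.
# PF_KEY is host byte order with no padding, hence "=".
# struct sadb_x_sa2: len, exttype, mode, reserved1, reserved2, sequence, reqid
SA2_FMT = "=HHBBHII"
# struct sadb_x_ipsecrequest: len, proto, mode, level, reserved1, reqid, reserved2
IPSECREQ_FMT = "=HHBBHII"
# struct sadb_x_policy (assumed layout, wraps the ipsecrequests):
# len, exttype, type, dir, reserved, id, priority
POLICY_FMT = "=HHHBBII"


def build_sa2(reqid, mode=IPSEC_MODE_TUNNEL, sequence=0):
    """SADB_X_EXT_SA2 extension sent with SADB_ADD; *_len is in 64-bit words."""
    size = struct.calcsize(SA2_FMT)  # 16 bytes -> len field 2
    return struct.pack(SA2_FMT, size // 8, SADB_X_EXT_SA2, mode, 0, 0, sequence, reqid)


def build_policy(reqid, direction=IPSEC_DIR_OUTBOUND, mode=IPSEC_MODE_TUNNEL,
                 level=IPSEC_LEVEL_REQUIRE):
    """SADB_X_EXT_POLICY extension for SADB_X_SPDADD carrying one ESP template.

    sadb_x_ipsecrequest_len is in bytes; sadb_x_policy_len is in 64-bit
    words and covers the header plus every embedded request.
    """
    req_size = struct.calcsize(IPSECREQ_FMT)
    req = struct.pack(IPSECREQ_FMT, req_size, IPPROTO_ESP, mode, level, 0, reqid, 0)
    total = struct.calcsize(POLICY_FMT) + len(req)
    hdr = struct.pack(POLICY_FMT, total // 8, SADB_X_EXT_POLICY,
                      IPSEC_POLICY_IPSEC, direction, 0, 0, 0)
    return hdr + req


def parse_extensions(payload):
    """Walk a PF_KEY extension list (the bytes after the sadb_msg header).

    Every extension starts with u16 len (64-bit words) and u16 exttype, so
    one loop handles SA2, POLICY and any other extension.  Returns
    {exttype: raw_bytes}; raises on a truncated or zero-length extension.
    """
    exts = {}
    off = 0
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError("truncated extension header at offset %d" % off)
        ext_len, ext_type = struct.unpack_from("=HH", payload, off)
        nbytes = ext_len * 8
        if nbytes == 0 or off + nbytes > len(payload):
            raise ValueError("bad extension length %d at offset %d" % (ext_len, off))
        exts[ext_type] = payload[off:off + nbytes]
        off += nbytes
    return exts


def sa2_reqid(ext):
    """reqid carried by an SADB_X_EXT_SA2 extension."""
    return struct.unpack_from(SA2_FMT, ext)[6]


def policy_reqids(ext):
    """reqid of each sadb_x_ipsecrequest template inside an SADB_X_EXT_POLICY."""
    reqids = []
    off = struct.calcsize(POLICY_FMT)
    req_size = struct.calcsize(IPSECREQ_FMT)
    while off + req_size <= len(ext):
        fields = struct.unpack_from(IPSECREQ_FMT, ext, off)
        req_len, reqid = fields[0], fields[5]
        if req_len < req_size:
            raise ValueError("bad ipsecrequest length %d" % req_len)
        reqids.append(reqid)
        off += req_len  # also skips any tunnel addresses appended to the request
    return reqids


def state_matches_policy(state_exts, policy_exts):
    """Timo's rule: the state's reqid must equal one of the policy's template
    reqids (modelled here as plain equality)."""
    sa2 = state_exts.get(SADB_X_EXT_SA2)
    pol = policy_exts.get(SADB_X_EXT_POLICY)
    if sa2 is None or pol is None:
        return False
    return sa2_reqid(sa2) in policy_reqids(pol)


def demo():
    """Constructed example: a policy with reqid 42, one SA that matches it and one that does not."""
    policy = parse_extensions(build_policy(reqid=42))
    good = parse_extensions(build_sa2(reqid=42))
    stray = parse_extensions(build_sa2(reqid=7))
    return state_matches_policy(good, policy), state_matches_policy(stray, policy)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The same walker works on any PF_KEY extension list, so it can be pointed at the payload of an SADB_DUMP or SADB_X_SPDDUMP reply to confirm which reqid the kernel actually stored for a state or policy, which is the quickest way to see why a state is not being picked for a given SPD entry.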
From: Milan P. S. <mp...@ar...> - 2009-10-27 15:31:35
On Tue, 2009-10-27 at 16:28, Naveen BN wrote:
> I have a problem using SA with selectors based on <src IP>, <dest IP>
> and <dst port> for outbound traffic.
> I have written two outbound SAs for the same destination IP with
> different destination ports, but I am seeing the wrong SA being
> selected for outbound traffic. My concern is why the SA is not getting
> selected based on the ports mentioned in the security policy.
>
> FYI..
> content of file setkey.conf
> /************************* start setkey.conf ************************/
> flush;
> spdflush;
>
> add 172.16.8.36 172.16.8.38[*800]* esp 0x201 -m tunnel -E 3des-cbc
> 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
> -A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6;
>
> add 172.16.8.38[500] 172.16.8.36 esp 0x301 -m tunnel -E 3des-cbc
> 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
> -A hmac-md5 0x96358c90783bbfa3d7b196ceabe0536b;
>
> add 172.16.8.36 172.16.8.38[*500] *esp 0x208 -m tunnel -E 3des-cbc
> 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
> -A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6;
>
> # Security policies
> spdadd 172.16.8.36 172.16.8.38[*800]* esp -P out ipsec
> esp/tunnel/172.16.8.36-172.16.8.38/require;
>
> spdadd 172.16.8.38[*800] *172.16.8.36 esp -P in ipsec
> esp/tunnel/172.16.8.38-172.16.8.36/require;
> /************************* end setkey.conf ************************/

I may be wrong, but I think that wildcard (*, asterisk) in port specification is not allowed.

> *When a packet is sent to dest port 800, the SA which is getting
> selected is 0x208[spi] with dstport 500 instead of 0x201[spi]
> **with dstport 800 instead**.*
>
> Please provide the criteria for outbound SA selection, and please guide
> me regarding this issue.
> My Linux kernel version is 2.6.23.1-42.fc8

-- 
Kind regards,
Milan
--------------------------------------------------
Arvanta, IT Security
http://www.arvanta.net
Please do not send me e-mail containing HTML code.