From: Prasanna N. <nr...@ho...> - 2006-10-25 02:10:30
Hello,

I am trying to set up multiple SAs (ESP, tunnel mode) between 2 gateways so that different transform sets are used based on just the port number.

For instance, traffic flowing over a specific UDP/TCP port has to be encrypted using 3des while other traffic has to be encrypted using aes.

setkey does not allow a policy (spdadd) that has a port number for tunnel ESP. It returns an "Invalid argument" error (the man page does list this as a bug!). As a result I am not able to create a unique kernel policy for traffic over specific ports.

Is there some other way to do this?

We use racoon for IKE (on NetBSD 3.0).

Thanks for any pointers,
Pras.
From: Prasanna N. <nr...@ho...> - 2006-10-25 15:18:30
Resending previous message in plain text. thx.

Hello,

I am trying to set up multiple SAs (ESP, tunnel mode) between 2 gateways so that different transform sets are used based on just the port number.

For instance, traffic flowing over a specific UDP/TCP port has to be encrypted using 3des while other traffic has to be encrypted using aes.

setkey does not allow a policy (spdadd) that has a port number for tunnel ESP. It returns an "Invalid argument" error (the man page does list this as a bug!). As a result I am not able to create a unique kernel policy for traffic over specific ports.

Is there some other way to do this?

We use racoon for IKE (on NetBSD 3.0).

Thanks for any pointers,
Pras.
From: VANHULLEBUS Y. <va...@fr...> - 2006-10-25 15:24:29
On Wed, Oct 25, 2006 at 11:18:19AM -0400, Prasanna Nadhamuni wrote:
> Resending previous message in plain text. thx.
>
> Hello,

Hi.

> I am trying to set up multiple SAs (ESP, tunnel mode) between 2 gateways so
> that different transform sets are used based on just the port number?
> For instance, traffic flowing over a specific UDP/TCP port has to be
> encrypted using 3des while other traffic has to be encrypted using aes.
>
> setkey does not allow a policy (spdadd) that has port number for tunnel ESP.
> It returns "Invalid argument" error. (man page does list this as a bug!). As
> a result I am not able to create a unique kernel policy for traffic over
> specific ports.
>
> Is there some other way to do this?
>
> We use racoon for IKE (on NetBSD 3.0).

SPDs based on TCP/UDP ports don't work correctly for the KAME stack (Free/NetBSD use some variant of that stack), mainly because KAME developers considered it can't work correctly (what to do for fragments, where we don't have information about the src/dst ports?).

Yvan.
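The fragment problem Yvan describes is easy to see on the wire. The following is an added illustration, not code from the list thread or from ipsec-tools: it constructs a sample IPv4/UDP datagram, fragments it the way a router would, and runs each fragment through a toy port-based policy selector (3des for one "special" port, aes for everything else). Only the first fragment carries the UDP header, so the selector has nothing to match on for the rest. All addresses, ports and sizes are made up for the demo, and IP/UDP checksums are left at zero because the classifier never inspects them.

```python
import struct

MF_FLAG = 0x2000        # IPv4 "more fragments" bit in the flags/offset field
OFFSET_MASK = 0x1FFF    # fragment offset, in 8-byte units
PROTO_UDP, PROTO_TCP = 17, 6


def ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_ipv4_udp(src, dst, sport, dport, payload, ident=0x1234):
    """Construct one unfragmented IPv4/UDP datagram (constructed sample data;
    checksums stay zero because the classifier below never looks at them)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(udp), ident, 0, 64, PROTO_UDP, 0,
                         ip_bytes(src), ip_bytes(dst))
    return ip_hdr + udp


def fragment(datagram, mtu):
    """Split an IPv4 datagram into fragments: every fragment gets a copy of
    the IP header, but only the first one carries the UDP header and ports."""
    ihl = (datagram[0] & 0x0F) * 4
    hdr, body = datagram[:ihl], datagram[ihl:]
    chunk = (mtu - ihl) // 8 * 8          # fragment data must be a multiple of 8
    frags, off = [], 0
    while off < len(body):
        piece = body[off:off + chunk]
        more = off + len(piece) < len(body)
        flags_off = (MF_FLAG if more else 0) | (off // 8)
        new_hdr = (hdr[:2] + struct.pack("!H", ihl + len(piece)) + hdr[4:6]
                   + struct.pack("!H", flags_off) + hdr[8:])
        frags.append(new_hdr + piece)
        off += len(piece)
    return frags


def transport_ports(pkt):
    """Return (sport, dport) when the packet really contains a transport
    header; None for non-first fragments, where the ports are simply absent."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    frag_off = struct.unpack("!H", pkt[6:8])[0] & OFFSET_MASK
    if frag_off != 0 or proto not in (PROTO_UDP, PROTO_TCP) or len(pkt) < ihl + 4:
        return None
    return struct.unpack("!HH", pkt[ihl:ihl + 4])


def select_transform(pkt, special_port=5000):
    """Toy port-based SPD (hypothetical): traffic on special_port -> 3des,
    everything else -> aes. A non-first fragment matches neither rule."""
    ports = transport_ports(pkt)
    if ports is None:
        return "undecidable"
    return "3des" if special_port in ports else "aes"


def classify_flow(src, dst, sport, dport, payload_len, mtu=1500):
    """Build one datagram, fragment it at the given MTU, and return the
    per-fragment policy decision in wire order."""
    dgram = build_ipv4_udp(src, dst, sport, dport, b"\x00" * payload_len)
    return [select_transform(f) for f in fragment(dgram, mtu)]


if __name__ == "__main__":
    # Small datagram: fits in one packet, ports visible, policy decidable.
    print(classify_flow("10.1.128.245", "10.2.0.7", 40000, 5000, 100))
    # 3000-byte payload at MTU 1500: three fragments, only the first is decidable.
    print(classify_flow("10.1.128.245", "10.2.0.7", 40000, 5000, 3000))
```

A kernel that honoured a port selector here would have to either drop the trailing fragments, let them through under whichever policy matched the first one (which requires per-flow state), or reassemble before applying policy. That ambiguity is why a selector on the outer IP addresses alone (or an `any` upper-layer spec) is what the tunnel-mode SPD entry reliably supports.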
From: Prasanna N <nr...@ho...> - 2006-10-31 16:20:00
But spdadd does allow policies that exclude ipsec for specific ports, e.g.

spdadd 10.1.128.245[xx] 0.0.0.0/0 any -P out none;

So fragments may not be handled correctly in those cases?

Thanks,
Pras.

>From: VANHULLEBUS Yvan <va...@fr...>
>To: ips...@li...
>Subject: Re: [Ipsec-tools-users] multiple SAs between same gateways
>Date: Wed, 25 Oct 2006 17:24:13 +0200
>
>On Wed, Oct 25, 2006 at 11:18:19AM -0400, Prasanna Nadhamuni wrote:
> > Resending previous message in plain text. thx.
> >
> > Hello,
>
>Hi.
>
> > I am trying to set up multiple SAs (ESP, tunnel mode) between 2 gateways so
> > that different transform sets are used based on just the port number?
> > For instance, traffic flowing over a specific UDP/TCP port has to be
> > encrypted using 3des while other traffic has to be encrypted using aes.
> >
> > setkey does not allow a policy (spdadd) that has port number for tunnel ESP.
> > It returns "Invalid argument" error. (man page does list this as a bug!). As
> > a result I am not able to create a unique kernel policy for traffic over
> > specific ports.
> >
> > Is there some other way to do this?
> >
> > We use racoon for IKE (on NetBSD 3.0).
>
>SPDs based on TCP/UDP ports don't work correctly for the KAME stack
>(Free/NetBSD use some variant of that stack), mainly because KAME
>developers considered it can't work correctly (what to do for
>fragments, where we don't have information about the src/dst ports?).
>
>
>Yvan.