spd tunnel mode


 



Hi all,
Please find below example code for building a tunnel-mode security policy for a range of IP addresses.
I am not able to create a security policy with it.
Please help me to resolve this issue.
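/*
 * ipsec_spd_add - build an SADB_X_EXT_POLICY extension (policy header,
 * one ipsecrequest, optional tunnel endpoint) and hand it to
 * pfkey_send_spdadd() to install a security policy.
 *
 * dir         written to sadb_x_policy_dir
 * proto       written to sadb_x_ipsecrequest_proto
 * level       written to sadb_x_ipsecrequest_level
 * addr1/sPort selector endpoint 1, parsed with SEC_INET_ATON; sent with
 *             prefix length 32, i.e. a single host, not a range
 * addr2/dPort selector endpoint 2, likewise a single host
 * proxy_addr  NULL selects IPSEC_MODE_TRANSPORT; non-NULL selects
 *             IPSEC_MODE_TUNNEL and appends the parsed address after the
 *             ipsecrequest (see the NOTE(review) in that branch)
 *
 * Returns IPSEC_SUCCESS, or IPSEC_ERROR after printing a message when an
 * address does not parse, the buffer cannot be allocated, the PF_KEY
 * socket cannot be opened, or pfkey_send_spdadd() fails.  The PF_KEY
 * socket and the message buffer are released on every path.
 */
INT32   ipsec_spd_add(INT32 dir, INT32 proto, INT32 level, INT8 * addr1,
UINT16 sPort, INT8 * addr2, UINT16 dPort, INT8 * proxy_addr) {
        enum { SPD_BUF_SIZE = 1024 };   /* PF_KEY policy message buffer */
        INT8   *buf = NULL;
        INT32   off = 0;
        INT32   len = 0;
        INT32   so = -1;
        INT32   rc = IPSEC_ERROR;
        SEC_SOCKADDR_T sa1;
        SEC_SOCKADDR_T sa2;
        SEC_SOCKADDR_T proxy;
        struct sadb_address *proxy_ext;
        struct sadb_x_policy *policy;
        struct sadb_x_ipsecrequest *req;

        /* Address1 */
        xmemset(&sa1, 0, sizeof sa1);
        sa1.sin_family = OSA_PF_INET;
        sa1.sin_port = htons(sPort);
        /* SEC_INET_ATON returns zero if the input is invalid */
        if (SEC_INET_ATON(addr1, &(sa1.sin_addr)) == 0) {
            printf("invalid address\n");
            return IPSEC_ERROR;
        }

        /* Address2 */
        xmemset(&sa2, 0, sizeof sa2);
        sa2.sin_family = OSA_PF_INET;
        sa2.sin_port = htons(dPort);
        if (SEC_INET_ATON(addr2, &(sa2.sin_addr)) == 0) {
            printf("invalid address\n");
            return IPSEC_ERROR;
        }

        /* Proxy (tunnel endpoint); parsed before anything is allocated */
        xmemset(&proxy, 0, sizeof proxy);
        if (proxy_addr) {
            proxy.sin_family = OSA_PF_INET;
            proxy.sin_port = 0;
            if (SEC_INET_ATON(proxy_addr, &(proxy.sin_addr)) == 0) {
                printf("invalid address\n");
                return IPSEC_ERROR;
            }
        }

        /* xcalloc already zero-fills, so no separate memset is needed */
        buf = xcalloc(1, SPD_BUF_SIZE);
        if (buf == NULL) {
            printf("cant allocate enough memory\n");
            return IPSEC_ERROR;
        }
        if ((so = pfkey_open()) < 0) {
            printf("pfkey_open() error\n");
            goto out_free;
        }

        /* policy header; its length is rewritten once everything is in */
        len = PFKEY_ALIGN8(sizeof(struct sadb_x_policy));
        policy = (struct sadb_x_policy *)&buf[off];
        xmemset(policy, 0, sizeof(*policy));
        policy->sadb_x_policy_len = PFKEY_UNIT64(len);
        policy->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
        policy->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
        policy->sadb_x_policy_dir = dir;
        off += len;

        /* single ipsecrequest; its length is in bytes, grown below for
         * tunnel mode */
        len = PFKEY_ALIGN8(sizeof(struct sadb_x_ipsecrequest));
        req = (struct sadb_x_ipsecrequest *)&buf[off];
        xmemset(req, 0, sizeof(*req));
        req->sadb_x_ipsecrequest_len = len;
        req->sadb_x_ipsecrequest_proto = proto;
        req->sadb_x_ipsecrequest_mode = (proxy_addr == NULL ? IPSEC_MODE_TRANSPORT
                                                            : IPSEC_MODE_TUNNEL);
        req->sadb_x_ipsecrequest_level = level;
        off += len;

        if (proxy_addr) {
            /*
             * NOTE(review): this inserts a sadb_address extension header
             * between the ipsecrequest and the endpoint, supplies only one
             * endpoint, and does not count proxy_ext in
             * sadb_x_ipsecrequest_len.  In the KAME/ipsec-tools layout the
             * ipsecrequest is followed directly by two sockaddrs (tunnel
             * source, then destination) with sadb_x_ipsecrequest_len
             * covering both; if the target kernel uses that layout this is
             * the likely reason SPDADD is rejected.  Verify against the
             * kernel's policy parser before relying on it.
             */
            len = PFKEY_ALIGN8(sizeof(struct sadb_address));
            proxy_ext = (struct sadb_address *)&buf[off];
            xmemset(proxy_ext, 0, sizeof(*proxy_ext));
            proxy_ext->sadb_address_len = PFKEY_UNIT64(len);
            proxy_ext->sadb_address_exttype = SADB_EXT_ADDRESS_PROXY;
            off += len;

            /* copy exactly the parsed sockaddr; sizing the copy by the
             * source object avoids over-reading it if SA is larger */
            len = PFKEY_ALIGN8(sizeof proxy);
            xmemset(&buf[off], 0, len);
            xmemcpy(&buf[off], &proxy, sizeof proxy);
            req->sadb_x_ipsecrequest_len += len;
            off += len;
        }

        /* total extension length, in 64-bit units */
        policy->sadb_x_policy_len = PFKEY_UNIT64(off);

        /* prefix 32 on both selectors = single hosts; upper-layer protocol
         * 255 = any */
        if ((pfkey_send_spdadd(so, (SA *) & sa1, 32, (SA *) & sa2, 32, 255,
                               (caddr_t) buf, off, 0)) < 0) {
            printf("pfkey_send_spdadd() error\n");
            goto out_close;
        }
        rc = IPSEC_SUCCESS;

out_close:
        /* the PF_KEY socket was leaked on every path before */
        pfkey_close(so);
out_free:
        /* use the allocator's matching release on all paths */
        SEC_FREE(buf);
        return rc;
}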

Thanks and Regards
Naveen

_______________________________________________

Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
