SELECTOR and UPSEC in state (SA) is an optional parameter. If one want to configure it for state it must match with what is given in policy SELECTOR and UPSEC.
You can very well use same state (SA) for multiple policy if you don't specify SELECTOR for state.
As per understanding SELECTOR and UPSEC options in state (SA) is given to make it more specific to policy.
-Ankit
-----Original Message-----
From: lartc-owner@xxxxxxxxxxxxxxx [mailto:lartc-owner@xxxxxxxxxxxxxxx] On Behalf Of Grant Taylor
Sent: Friday, October 26, 2018 6:50 AM
To: LARTC <lartc@xxxxxxxxxxxxxxx>
Subject: IPsec…
Does anyone have any experience with IPsec under Linux? Particularly without IKE (or ISAKMP)?
I’m trying to understand why both state (Security Associations) and policy have the option to match traffic. Specifically the SELECTOR and UPSPEC parameters in the ip-xfrm man page.
I’m trying to understand why the SELECTOR is used in the state (SA) DB. It seems like I could have a generic [1] state (SA) that is used by multiple policies, via reqid. I would then have the multiple policies match traffic via SELECTORs.
I.e. if I wanted to transport SMTP and IMAP through IPsec while not matching SSH between the machines. While reusing the same state (SA) for multiple policies.
[1] as generic as IPsec can be.
--
Grant. . . .
unix || die
