On 10/28/2018 10:36 PM, Sinha, Ankit Kumar (HPE Aruba) wrote:
> Hello Grant,

Hi,

> Please find replies inline,

:-)

> It is not possible. SELECTOR and UPSEC must be same for SA and policy.

That sort of surprises me. I got the impression that they could be different. Obviously there would be undesirable behavior if the SA only matched a subset of the traffic that the policy matched.

But I have not tried this and don't have data to refute it.

> I am not aware of any specific motivation/possibility to do this. Though I am keen to know that.

The only thing I can think of is possibly wanting to filter the traffic matched by the policy SELECTOR / UPSEC by only allowing the traffic that matches the SA SELECTOR / UPSEC. - I'm just thinking out loud at this point.

> It is not always true that policy specifies the SA via reqid. reqid is an optional parameter but can be used when we have multiple templates in policy to identify corresponding SA. As per my understanding only the ID which contains the SPI is enough to map policy and SA.

The testing that I've done indicates that the reqid does need to match. That being said, if the parameter is omitted, it defaults to 0. Thus a reqid of 0 in the policy does match the reqid of 0 in the SA.

Would you please point to an example where you would have multiple templates in the policy? Or point me to a document where I can do some more reading? Please and thank you.

> But I agree with you that for manual IPsec configuration there is no need of additional SELECTOR / UPSEC in SA. I am not sure if IKE may have any possibility hence Linux kernel supports it. In turn ip xfrm has those options.

ACK

-- 
Grant. . . .
unix || die
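As an added example (not from either author of this thread), here is the multi-template policy Grant asks about written out as ip xfrm commands: two manually keyed SAs, one ESP and one AH, and one outbound policy whose templates each name the proto and reqid of the SA they should bind to, plus a small check that every template has an SA with the same pair before anything is loaded. Peers, SPIs and keys are placeholders, and only the A-to-B direction is shown.

```shell
#!/bin/sh
# Constructed example: a host-to-host ESP+AH bundle keyed by hand with ip xfrm.
# Each policy template carries the reqid of the SA it should bind to, and
# check_templates confirms every (proto, reqid) pair the policy names has an SA.
# Peers, SPIs and keys are placeholders; never load an all-zero key for real.
PEER_A=192.0.2.1; PEER_B=192.0.2.2
ESP_KEY=0x0000000000000000000000000000000000000000                 # 16-byte key + 4-byte salt
AH_KEY=0x0000000000000000000000000000000000000000000000000000000000000000  # 32-byte key
SA_LIST="esp:1 ah:2"   # SAs as "proto:reqid"; templates use the same notation
# sa_cmds: print one 'ip xfrm state add' line per SA in SA_LIST. The SA
# selector (sel) repeats the policy's src/dst, as Ankit recommends.
sa_cmds() {
    for sa in $SA_LIST; do
        proto=${sa%%:*}; reqid=${sa##*:}
        printf 'ip xfrm state add src %s dst %s proto %s spi 0x100%s reqid %s mode transport' \
            "$PEER_A" "$PEER_B" "$proto" "$reqid" "$reqid"
        case $proto in
            esp) printf " aead 'rfc4106(gcm(aes))' %s 128" "$ESP_KEY" ;;
            ah)  printf " auth-trunc 'hmac(sha256)' %s 128" "$AH_KEY" ;;
        esac
        printf ' sel src %s dst %s\n' "$PEER_A" "$PEER_B"
    done
}

# policy_cmd "proto:reqid ...": print one outbound policy with a template per
# entry. The kernel resolves templates in the listed order and binds each one
# to an SA whose reqid equals the template's (an omitted reqid is 0 on both sides).
policy_cmd() {
    printf 'ip xfrm policy add src %s dst %s dir out' "$PEER_A" "$PEER_B"
    for t in $1; do
        printf ' tmpl src %s dst %s proto %s reqid %s mode transport' \
            "$PEER_A" "$PEER_B" "${t%%:*}" "${t##*:}"
    done
    printf '\n'
}

# check_templates "sa list" "template list": report each template with no SA
# of the same proto and reqid; returns 1 if any is unmatched, else 0.
check_templates() {
    missing=0
    for t in $2; do
        case " $1 " in
            *" $t "*) ;;
            *) echo "template $t has no SA with that proto/reqid" >&2; missing=1 ;;
        esac
    done
    return $missing
}
check_templates "$SA_LIST" "$SA_LIST" && { sa_cmds; policy_cmd "$SA_LIST"; }  # preview; pipe through 'sudo sh' to load
```

The inbound policy (dir in) and the SAs for the B-to-A direction are built the same way with the peers swapped.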