Hello Grant,

> That sort of surprises me. I got the impression that they could be
> different. Obviously there would be undesirable behavior if the SA
> only matched a subset of the traffic that the policy matched.

Yes, if it is different then it may cause undesirable behavior.

> But I have not tried this and don't have data to refute it.

ACK. :-)

> The only thing I can think of is possibly wanting to filter the traffic
> matched by the policy SELECTOR / UPSEC by only allowing the traffic that
> matches the SA SELECTOR / UPSEC. - I'm just thinking out loud at this
> point.

Yes, sort of that, because in my testing, if SELECTOR / UPSEC is not the same for SA and policy then traffic drops after matching the policy and not finding a corresponding SA. Use /proc/net/xfrm_state for statistics.

> The testing that I've done indicates that the reqid does need to match.
> That being said, if the parameter is omitted, it defaults to 0. Thus a
> reqid of 0 in the policy does match the reqid of 0 in the SA.

I never used reqid, but digging more gave me an indication that reqid is used for unique identification. Though it is not part of the IPsec standard and is only used by the Linux implementation.

> Would you please point to an example where you would have multiple
> templates in the policy? Or point me to a document where I can do some
> more reading? Please and thank you.

Certainly. I don't have an example, but you can think of ESP over AH or COMP over AH. So 2 templates with different proto can be used. Templates are applied in the same order they are configured.

-Ankit

-----Original Message-----
From: lartc-owner@xxxxxxxxxxxxxxx [mailto:lartc-owner@xxxxxxxxxxxxxxx] On Behalf Of Grant Taylor
Sent: Monday, October 29, 2018 8:47 PM
To: lartc@xxxxxxxxxxxxxxx
Subject: Re: IPsec…

On 10/28/2018 10:36 PM, Sinha, Ankit Kumar (HPE Aruba) wrote:
> Hello Grant,

Hi,

> Please find replies inline,

:-)

> It is not possible. SELECTOR and UPSEC must be same for SA and policy.

That sort of surprises me.
I got the impression that they could be different. Obviously there would be undesirable behavior if the SA only matched a subset of the traffic that the policy matched. But I have not tried this and don't have data to refute it.

> I am not aware of any specific motivation/possibility to do this. Though
> I am keen to know that.

The only thing I can think of is possibly wanting to filter the traffic matched by the policy SELECTOR / UPSEC by only allowing the traffic that matches the SA SELECTOR / UPSEC. - I'm just thinking out loud at this point.

> It is not always true that policy specifies the SA via reqid. reqid is an
> optional parameter but can be used when we have multiple templates in
> policy to identify the corresponding SA. As per my understanding only ID
> which contains SPI is enough to map policy and SA.

The testing that I've done indicates that the reqid does need to match. That being said, if the parameter is omitted, it defaults to 0. Thus a reqid of 0 in the policy does match the reqid of 0 in the SA.

Would you please point to an example where you would have multiple templates in the policy? Or point me to a document where I can do some more reading? Please and thank you.

> But I agree with you that for manual IPsec configuration there is no
> need of additional SELECTOR / UPSEC in SA. I am not sure if IKE may have
> any possibility hence Linux kernel supports it. In turn ip xfrm has
> those options.

ACK

-- 
Grant. . . .
unix || die
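A way to check for the mismatch the thread describes (a packet matches the policy, but no SA with the same src/dst/proto/reqid and a compatible selector exists, so the packet is dropped), as an added example that is not code from either poster. It parses constructed, abridged text in the shape of `ip xfrm policy` and `ip xfrm state` output; it treats a missing reqid as 0, as Grant notes, and assumes (my assumption, not the thread's) that an any-address SA selector covers the policy selector.

```python
import re
TMPL_RE = re.compile(r"tmpl src (\S+) dst (\S+) proto (\w+) (?:reqid (\d+) )?mode (\w+)")
STATE_RE = re.compile(r"src (\S+) dst (\S+) proto (\w+) spi \S+ (?:reqid (\d+) )?mode (\w+)")

def records(text):
    """Group ip xfrm output into records: each unindented line plus its indented lines."""
    recs = []
    for line in filter(str.strip, text.splitlines()):
        if not line[0].isspace():
            recs.append([])
        recs[-1].append(line.strip())
    return [" ".join(r) for r in recs]

def parse_states(text):
    """Per SA: (src, dst, proto, reqid, mode, selector). ip xfrm prints reqid only when non-zero."""
    out = []
    for rec in records(text):
        m, sel = STATE_RE.match(rec), re.search(r"sel src (\S+) dst (\S+)", rec)
        out.append((m[1], m[2], m[3], int(m[4] or 0), m[5], sel and (sel[1], sel[2])))
    return out

def check(policy_text, state_text):
    """Templates with no SA of equal src/dst/proto/reqid/mode, or whose SA selector differs."""
    states, problems = parse_states(state_text), []
    for rec in records(policy_text):
        psel = re.match(r"src (\S+) dst (\S+)", rec).groups()
        for src, dst, proto, reqid, mode in TMPL_RE.findall(rec):
            key = (src, dst, proto, int(reqid or 0), mode)
            cands = [s for s in states if s[:5] == key]
            if not cands:  # packet matches the policy, SA lookup fails: the packet is dropped
                problems.append(f"{psel[0]}->{psel[1]}: no SA for {proto} reqid {key[3]} {src}->{dst}")
            # assumption: an SA selector of "any" covers the policy selector; otherwise they must be equal
            elif not any(s[5] is None or s[5] == psel or set(s[5]) <= {"0.0.0.0/0", "::/0"} for s in cands):
                problems.append(f"{psel[0]}->{psel[1]}: SA selector {cands[0][5]} != policy selector")
    return problems
# Constructed sample output in the shape of `ip xfrm policy` / `ip xfrm state` (abridged).
# The AH SA was added without reqid, so it cannot satisfy the second template (reqid 2).
POLICY = """\
src 10.0.0.0/24 dst 10.0.1.0/24
    dir out priority 0
    tmpl src 203.0.113.1 dst 203.0.113.2
        proto esp reqid 1 mode tunnel
    tmpl src 203.0.113.1 dst 203.0.113.2
        proto ah reqid 2 mode tunnel
"""
STATE = """\
src 203.0.113.1 dst 203.0.113.2
    proto esp spi 0x00000100 reqid 1 mode tunnel
    sel src 0.0.0.0/0 dst 0.0.0.0/0
src 203.0.113.1 dst 203.0.113.2
    proto ah spi 0x00000200 mode tunnel
"""
```

Running `check(POLICY, STATE)` reports the AH template as having no SA; adding `reqid 2` to the AH state clears it, and narrowing the ESP SA's `sel` to something other than the policy selector is reported as a selector mismatch.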