While doing some more IPsec testing on 2.6.0-test2 with Racoon as the
IKE daemon, I came across the following behavior which does not seem
correct. I was trying to have two different security associations
between the same pair of hosts, where the traffic between one UDP port
pair is protected with ESP, and the traffic between a different UDP port
pair is protected with AH. For example, if A and B are the IPv6
addresses of the two hosts, then I was trying to get A:3000 <-> B:2000
protected with ESP, and A:3500 <-> B:2000 protected with AH. I have used
the unique level for all of the SPD entries. As far as I can tell, the
IKE daemon is correctly triggered and establishes the security
associations correctly. In other words, there are two quick mode
exchanges. Using setkey -D shows 4 security associations, two ESP ones
and two AH ones with the appropriate end points. However, for whichever
SA is established second, the reply packets use the incorrect
security association. For example, if the first security association
established is the A:3000 <-> B:2000 with ESP, then all of this traffic
is correctly protected by ESP, and traffic between A:3500 -> B:2000 is
protected by AH. However, from B:2000 -> A:3500, the ESP SA for B:2000
-> A:3000 is applied instead of the AH one. It seems that the kernel is
selecting the wrong SA to use to protect this traffic.
By the way, I tried the exact same setup using IPv4 addresses instead,
and this problem did not occur. Any ideas on why this would be?
Brian
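As an added example (not part of Brian's message), this is what host A's setkey SPD configuration for the two flows he describes would look like, with constructed documentation-prefix addresses standing in for A and B; host B uses the same entries with the in/out directions swapped.

```conf
# Constructed example: A = 2001:db8::a, B = 2001:db8::b (not from the report).
# Transport mode, level "unique", so each policy is bound to its own SA
# pair rather than sharing SAs between the two flows.

# Flow 1: A:3000 <-> B:2000, protected with ESP
spdadd 2001:db8::a[3000] 2001:db8::b[2000] udp -P out ipsec esp/transport//unique;
spdadd 2001:db8::b[2000] 2001:db8::a[3000] udp -P in  ipsec esp/transport//unique;

# Flow 2: A:3500 <-> B:2000, protected with AH
spdadd 2001:db8::a[3500] 2001:db8::b[2000] udp -P out ipsec ah/transport//unique;
spdadd 2001:db8::b[2000] 2001:db8::a[3500] udp -P in  ipsec ah/transport//unique;

# Load with: setkey -f <this file>
# Check policies with: setkey -DP
# Check SAs with:      setkey -D
# The "current: N(bytes)" counter that setkey -D prints per SA shows which
# SA actually carried traffic; after sending B:2000 -> A:3500 the AH SA's
# counter should grow, not the ESP SA's, which is the mismatch reported above.
```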
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html