Re: IPsec: Different ports pairs with different security associations

As far as I thought, racoon did not support fine-grained selectors (I
am not sure, as I don't use racoon). Which entries are in the SPD?

On Fri, 2003-08-22 at 18:14, Brian Buesker wrote:
> While doing some more IPsec testing on 2.6.0-test2 with Racoon as the 
> IKE daemon, I came across the following behavior which does not seem 
> correct. I was trying to have two different security associations 
> between the same pair of hosts, where the traffic between one UDP port 
> pair is protected with ESP, and the traffic between a different UDP port 
> pair is protected with AH. For example, if A and B are the IPv6 
> addresses of the two hosts, then I was trying to get A:3000 <-> B:2000 
> protected with ESP, and A:3500 <-> B:2000 protected with AH. I have used 
> the unique level for all of the SPD entries. As far as I can tell, the 
> IKE daemon is correctly triggered and establishes the security 
> associations correctly. In other words, there are two quick mode 
> exchanges. Using setkey -D shows 4 security associations, two ESP ones 
> and two AH ones with the appropriate end points. However, for whichever 
> SA that is established second, the reply packets use the incorrect 
> security association. For example, if the first security association 
> established is the A:3000 <-> B:2000 with ESP, then all of this traffic 
> is correctly protected by ESP, and traffic between A:3500 -> B:2000 is 
> protected by AH. However, from B:2000 -> A:3500, the ESP SA for B:2000 
> -> A:3000 is applied instead of the AH one. It seems that the kernel is 
> selecting the wrong SA to use to protect this traffic.
> 
> By the way, I tried the exact same setup using IPv4 addresses instead, 
> and this problem did not occur. Any ideas on why this would be?
> 
> Brian
-- 

-> Jean-Francois Dive
--> jef@linuxbe.org

  There is no such thing as randomness.  Only order of infinite
  complexity. - Marquis de LaPlace - deterministic Principles - 


-
: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
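The question "which entries are in the SPD?" is the right first check: with per-port selectors at the unique level, the four entries on host A should select ESP for the 3000<->2000 flows and AH for the 3500<->2000 flows in both directions. The following is an added example, not code from the thread, that models a first-match SPD lookup over the selectors described in the post and renders each entry as a setkey spdadd line so the resulting policy can be compared against setkey -DP. The addresses 2001:db8::1 and 2001:db8::2 are constructed stand-ins for A and B, and the coarser no-port SPD at the end is added to show how an address-only selector makes both reply flows pick the same (first) entry.

```python
"""Model of IPsec SPD selector matching (added example, not from the thread).

A and B are constructed documentation addresses standing in for the two hosts.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

A = "2001:db8::1"  # constructed stand-in for host A
B = "2001:db8::2"  # constructed stand-in for host B


@dataclass(frozen=True)
class Selector:
    src: str                 # address or prefix
    dst: str
    proto: str = "udp"       # upper-layer protocol, "any" matches all
    sport: Optional[int] = None   # None means any source port
    dport: Optional[int] = None   # None means any destination port


@dataclass(frozen=True)
class Policy:
    sel: Selector
    direction: str   # "in" or "out", as seen from the host holding the SPD
    protocol: str    # "esp" or "ah"
    level: str = "unique"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    direction: str


def _addr_match(pattern: str, addr: str) -> bool:
    # A bare address becomes a /128 (or /32) network, so exact hosts work too.
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def selector_matches(sel: Selector, flow: Flow) -> bool:
    return (_addr_match(sel.src, flow.src)
            and _addr_match(sel.dst, flow.dst)
            and sel.proto in ("any", flow.proto)
            and sel.sport in (None, flow.sport)
            and sel.dport in (None, flow.dport))


def lookup(spd: List[Policy], flow: Flow) -> Optional[Policy]:
    """Return the first SPD entry whose direction and selector match the flow."""
    for policy in spd:
        if policy.direction == flow.direction and selector_matches(policy.sel, flow):
            return policy
    return None


def setkey_line(policy: Policy) -> str:
    """Render one entry in setkey(8) spdadd syntax (transport mode)."""
    def endpoint(addr: str, port: Optional[int]) -> str:
        return f"{addr}[{port}]" if port is not None else addr
    return (f"spdadd {endpoint(policy.sel.src, policy.sel.sport)} "
            f"{endpoint(policy.sel.dst, policy.sel.dport)} {policy.sel.proto} "
            f"-P {policy.direction} ipsec {policy.protocol}/transport//{policy.level};")


def spd_from_post() -> List[Policy]:
    """Host A's four entries implied by the post: ESP for 3000<->2000, AH for 3500<->2000."""
    return [
        Policy(Selector(A, B, "udp", 3000, 2000), "out", "esp"),
        Policy(Selector(B, A, "udp", 2000, 3000), "in", "esp"),
        Policy(Selector(A, B, "udp", 3500, 2000), "out", "ah"),
        Policy(Selector(B, A, "udp", 2000, 3500), "in", "ah"),
    ]


def spd_without_ports() -> List[Policy]:
    """Address-only selectors: the same hosts, but no port discrimination."""
    return [
        Policy(Selector(A, B, "udp"), "out", "esp"),
        Policy(Selector(B, A, "udp"), "in", "esp"),
        Policy(Selector(A, B, "udp"), "out", "ah"),
        Policy(Selector(B, A, "udp"), "in", "ah"),
    ]


def selected_protocols(spd: List[Policy]) -> Dict[str, Optional[str]]:
    """Which protocol each of the post's four flows selects under the given SPD."""
    flows = {
        "A:3000->B:2000": Flow(A, B, "udp", 3000, 2000, "out"),
        "B:2000->A:3000": Flow(B, A, "udp", 2000, 3000, "in"),
        "A:3500->B:2000": Flow(A, B, "udp", 3500, 2000, "out"),
        "B:2000->A:3500": Flow(B, A, "udp", 2000, 3500, "in"),
    }
    return {name: (p.protocol if (p := lookup(spd, flow)) else None)
            for name, flow in flows.items()}


if __name__ == "__main__":
    for entry in spd_from_post():
        print(setkey_line(entry))
    print(selected_protocols(spd_from_post()))       # expect esp, esp, ah, ah
    print(selected_protocols(spd_without_ports()))   # expect esp for all four
```

Running the block prints the four spdadd lines and the selected protocol per flow; the reply flow B:2000->A:3500 resolves to AH only when the inbound entry carries the port selector, which is exactly what a `setkey -DP` dump on the affected host should be checked for.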
