Hello,

I create IPsec SAs manually. However, I'm not able to create an IPsec SA with ports specified. I've been successful neither with setkey, nor ip xfrm state, nor programmatically using PF_KEY messages. I use Linux kernel 2.6.25.

1) setkey (using ipsec-tools version 0.7)

   add 10.0.11.41[1234] 10.0.11.33[4321] esp 0x190 -E 3des-cbc 0x79b5d6e36dda9da4982f51293767d6108649ced573c8349e;

2) PF_KEY messages

   I've set protocol to UDP and src and dst address populated with ports.

3) ip xfrm (iproute2 2.6.22)

   ip xfrm state add src 10.0.11.41 dst 10.0.11.33 proto esp spi 400 enc des3_ede 0x79b5d6e36dda9da4982f51293767d6108649ced573c8349e sel proto udp sport 1234 dport 4321

4) Programmatically using netlink

   Maybe this is the right way, but I am not familiar with NETLINK_XFRM. Anyway, is there any sensible documentation?

Nevertheless, dumping SAs using setkey -Dp still shows ports as zero:

10.0.11.41[0] 10.0.11.33[0]
	esp mode=transport spi=400(0x00000190) reqid=0(0x00000000)
	E: 3des-cbc  79b5d6e3 6dda9da4 982f5129 3767d610 8649ced5 73c8349e
	seq=0x00000000 replay=0 flags=0x00000000 state=mature
	created: Sep 30 11:30:19 2008	current: Sep 30 11:30:25 2008
	diff: 6(s)	hard: 0(s)	soft: 0(s)
	last:		hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=0 pid=23974 refcnt=0

I want to use a particular SA for a particular packet. That's why I need to set ports in SAs. I am aware that it could be somehow simulated via policy rules, which are specified as unique and as such bound to an SA. However, this approach seems not very helpful, because there's no standard way to handle the SPD programmatically. Moreover, it would lead to the necessity to take care of both the SADB and the SPD in the application and keep them in sync.

Note: I've examined that on Solaris this is possible.
(I think they extended PF_KEY)

ipseckey> add esp spi 1 src 127.0.0.1 dst 127.0.0.2 sport 1234 dport 4321 encralg aes encrkey 12345678123456781234567812345678
ipseckey> dump
Base message (version 2) type DUMP, SA type ESP.
Message length 136 bytes, seq=3, pid=22027.
SA: SADB_ASSOC spi=0x1, replay=0, state=MATURE
SA: Encryption algorithm = aes-cbc
SA: flags=0x40000000 < X_UNIQUE >
SRC: Source address (proto=0/<unspecified>)
SRC: AF_INET: port 1234, 127.0.0.1 (localhost).
DST: Destination address (proto=0/<unspecified>)
DST: AF_INET: port 4321, 127.0.0.2 <unknown>.
EKY: Encryption key.
EKY: 12345678123456781234567812345678/128
LT: Lifetime information
CLT: 0 bytes protected, 0 allocations used.
CLT: SA added at time Tue Sep 30 11:57:02 2008
CLT: Time now is Tue Sep 30 11:57:06 2008

To sum it up:
----------------
It should be, IMHO, possible to specify ports in an SA. It should be possible to create SAs which differ just in a port. And their selection should be done via selectors (including ports).

There's a related bug (already fixed) against Solaris:
http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6258318

Best Regards,
Jiri Klimes
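As an added example, not part of Jiri's message or of ipsec-tools, the following Python encodes a PF_KEY v2 SADB_ADD message carrying ports in the SADB_EXT_ADDRESS_SRC/DST extensions (the approach described in step 2) and decodes it again. It only builds and parses bytes; nothing is written to a PF_KEY socket, so it can be used offline to check that a message really carries the ports and protocol you intended before handing it to the kernel. The struct layouts and numeric constants follow RFC 2367; the SPI, addresses, ports and the 24-byte key are constructed sample values.

```python
"""Encode and decode a PF_KEY v2 SADB_ADD message with ports in the
address extensions (layouts and constants from RFC 2367). Nothing is sent;
this is an offline check of the bytes an application would write to a
PF_KEY socket."""
import socket
import struct

# Constants from RFC 2367.
PF_KEY_V2 = 2
SADB_ADD = 3
SADB_SATYPE_ESP = 3
SADB_EXT_SA = 1
SADB_EXT_ADDRESS_SRC = 5
SADB_EXT_ADDRESS_DST = 6
SADB_EXT_KEY_ENCRYPT = 9
SADB_SASTATE_MATURE = 1
SADB_EALG_3DESCBC = 3
IPPROTO_UDP = socket.IPPROTO_UDP  # 17


def _address_ext(exttype, ip, port, proto):
    """struct sadb_address (8 bytes) followed by a sockaddr_in (16 bytes).
    Extension lengths are in 64-bit units, so 24 bytes is 3 units."""
    # sin_family is in host byte order, sin_port in network byte order.
    sockaddr = (struct.pack("=H", socket.AF_INET) + struct.pack("!H", port)
                + socket.inet_aton(ip) + b"\x00" * 8)
    hdr = struct.pack("=HHBBH", 3, exttype, proto, 32, 0)  # /32 host prefix
    return hdr + sockaddr


def build_sadb_add(spi, src, sport, dst, dport, key, seq=1, pid=0):
    """Return the raw bytes of an SADB_ADD for an ESP SA selecting UDP
    traffic between src:sport and dst:dport."""
    # struct sadb_sa: len=2 units, exttype, spi (network order), replay,
    # state, auth alg, encrypt alg, flags.
    sa = (struct.pack("=HH", 2, SADB_EXT_SA) + struct.pack("!I", spi)
          + struct.pack("=BBBBI", 0, SADB_SASTATE_MATURE, 0,
                        SADB_EALG_3DESCBC, 0))
    src_ext = _address_ext(SADB_EXT_ADDRESS_SRC, src, sport, IPPROTO_UDP)
    dst_ext = _address_ext(SADB_EXT_ADDRESS_DST, dst, dport, IPPROTO_UDP)
    # struct sadb_key: len, exttype, bits, reserved, then key padded to 8.
    padded = key + b"\x00" * (-len(key) % 8)
    key_ext = struct.pack("=HHHH", (8 + len(padded)) // 8,
                          SADB_EXT_KEY_ENCRYPT, len(key) * 8, 0) + padded
    body = sa + src_ext + dst_ext + key_ext
    total = 16 + len(body)
    # struct sadb_msg: version, type, errno, satype, len (units), reserved,
    # seq, pid.
    hdr = struct.pack("=BBBBHHII", PF_KEY_V2, SADB_ADD, 0, SADB_SATYPE_ESP,
                      total // 8, 0, seq, pid)
    return hdr + body


def decode_sadb(msg):
    """Walk the extension chain and pull out the SPI and the (ip, port,
    proto) triple carried in each address extension."""
    version, mtype, _err, satype, units, _, seq, _pid = struct.unpack_from(
        "=BBBBHHII", msg, 0)
    if version != PF_KEY_V2 or units * 8 != len(msg):
        raise ValueError("bad sadb_msg header or length")
    out = {"type": mtype, "satype": satype, "seq": seq}
    off = 16
    while off + 4 <= len(msg):
        ext_len, ext_type = struct.unpack_from("=HH", msg, off)
        if ext_len == 0 or off + ext_len * 8 > len(msg):
            raise ValueError("malformed extension at offset %d" % off)
        if ext_type == SADB_EXT_SA:
            out["spi"] = struct.unpack_from("!I", msg, off + 4)[0]
        elif ext_type in (SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST):
            proto = msg[off + 4]
            port = struct.unpack_from("!H", msg, off + 10)[0]
            ip = socket.inet_ntoa(msg[off + 12:off + 16])
            name = "src" if ext_type == SADB_EXT_ADDRESS_SRC else "dst"
            out[name] = (ip, port, proto)
        off += ext_len * 8
    return out


if __name__ == "__main__":
    # Constructed sample values; the key is a placeholder, not a real key.
    raw = build_sadb_add(0x190, "10.0.11.41", 1234, "10.0.11.33", 4321,
                         b"\x01" * 24)
    print(len(raw), "bytes:", decode_sadb(raw))
```

Running the decoder over the bytes you are about to send, or over what `setkey -D` style dumps report back, shows immediately whether the port fields survived: the message above is 112 bytes (14 units) and decodes to src ("10.0.11.41", 1234, 17) and dst ("10.0.11.33", 4321, 17).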