> However, I'm not able to create an IPsec SA with ports specified.
> I've been successful neither with setkey, nor ip xfrm state, nor
> programmatically using PF_KEY messages.
>
> To sum it up:
> ----------------
> It should be, IMHO, possible to specify ports in an SA. It should be
> possible to create SAs which differ just in a port.
> And their selection should be done via selectors (including ports).
> There's a related bug (already fixed) against Solaris:
> (http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6258318)
>
> Best Regards,
> Jiri Klimes
>

Hello,

nobody replies? Doesn't know/care?? Hmm, I have to answer myself.

I've performed several experiments. And finally I have been successful in
creating SAs with specific selectors (protocol ports, addresses).

My conclusion is:

a) If you want to use ports as selectors in an SA you have to use XFRM
   (PF_KEY doesn't help here).

b) Using iproute2's ip xfrm, it is possible to create 2 SAs which differ
   just in the SPI and the source port in the selector. When sending packets
   with those source ports, the particular SAs are correctly used.

c) Moreover, I've succeeded in creating an SA with a selector specified by
   ports, but not protocol (respectively protocol 0). This is actually what
   I searched for. Now I am able to use the same SA for both UDP and TCP.
   However, I had to patch iproute2, as it performs a check - specifying
   ports is allowed just for UDP, TCP, SCTP or DCCP.

What remains is to learn netlink/xfrm to be able to handle the SADB
programmatically. Could somebody help with it? And perhaps comment on my
conclusions?

Jiri Klimes

--
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
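The netlink/XFRM part the post asks about, as an added example that is not code from the post, from iproute2 or from the kernel: a C program that builds an XFRM_MSG_NEWSA request over NETLINK_XFRM with a selector carrying a source port, once with proto UDP (point b, two SAs differing only in SPI and sport) and once with proto 0 (point c, the combination iproute2 refuses without a patch). The addresses, SPIs and keys are constructed for illustration; installing the SAs needs CAP_NET_ADMIN on a Linux kernel with CONFIG_XFRM_USER, and whether the kernel accepts ports with proto 0 is what the post reports, not something this example verifies by itself. The program only installs SAs; the matching xfrm policy (ip xfrm policy) is assumed to exist and is not shown.

```c
/* Added example (not from the post, iproute2 or the kernel): install an IPsec SA
 * via XFRM netlink with a port-carrying selector. Constructed addresses/keys. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <linux/xfrm.h>

struct newsa_req {
    struct nlmsghdr n;
    struct xfrm_usersa_info sa;
    char attrs[512];   /* room for the XFRMA_* attributes that follow the SA info */
};

/* Append one rtattr at the current end of the message; -1 if it does not fit. */
static int add_attr(struct newsa_req *req, int type, const void *data, size_t len)
{
    size_t off = NLMSG_ALIGN(req->n.nlmsg_len);
    if (off + RTA_ALIGN(RTA_LENGTH(len)) > sizeof(*req))
        return -1;
    struct rtattr *rta = (struct rtattr *)((char *)req + off);
    rta->rta_type = type;
    rta->rta_len = (unsigned short)RTA_LENGTH(len);
    memcpy(RTA_DATA(rta), data, len);
    req->n.nlmsg_len = off + RTA_ALIGN(RTA_LENGTH(len));
    return 0;
}

/* XFRMA_ALG_CRYPT / XFRMA_ALG_AUTH carry a struct xfrm_algo followed by the key. */
static int add_algo(struct newsa_req *req, int type, const char *name,
                    const unsigned char *key, size_t keylen)
{
    size_t len = sizeof(struct xfrm_algo) + keylen;
    struct xfrm_algo *a = calloc(1, len);
    if (!a)
        return -1;
    snprintf(a->alg_name, sizeof a->alg_name, "%s", name);
    a->alg_key_len = (unsigned int)(keylen * 8);   /* key length in bits */
    memcpy(a->alg_key, key, keylen);
    int rc = add_attr(req, type, a, len);
    free(a);
    return rc;
}

/* XFRM_MSG_NEWSA for an IPv4 transport-mode ESP SA whose selector matches
 * src/dst as /32, the given ports (0 = any) and IP protocol (0 = any). */
static int build_newsa(struct newsa_req *req, in_addr_t src, in_addr_t dst,
                       uint32_t spi, uint16_t sport, uint16_t dport, uint8_t proto,
                       const unsigned char *ekey, size_t eklen,
                       const unsigned char *akey, size_t aklen)
{
    memset(req, 0, sizeof *req);
    req->n.nlmsg_len = NLMSG_LENGTH(sizeof req->sa);
    req->n.nlmsg_type = XFRM_MSG_NEWSA;
    req->n.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    req->sa.family = AF_INET;
    req->sa.mode = XFRM_MODE_TRANSPORT;
    req->sa.replay_window = 32;
    req->sa.id.proto = IPPROTO_ESP;
    req->sa.id.spi = htonl(spi);
    req->sa.id.daddr.a4 = dst;
    req->sa.saddr.a4 = src;
    req->sa.lft.soft_byte_limit = req->sa.lft.hard_byte_limit = XFRM_INF;
    req->sa.lft.soft_packet_limit = req->sa.lft.hard_packet_limit = XFRM_INF;
    /* The selector: ports plus proto 0 is the combination iproute2 rejects. */
    req->sa.sel.family = AF_INET;
    req->sa.sel.saddr.a4 = src;
    req->sa.sel.daddr.a4 = dst;
    req->sa.sel.prefixlen_s = req->sa.sel.prefixlen_d = 32;
    req->sa.sel.proto = proto;
    req->sa.sel.sport = htons(sport);
    req->sa.sel.sport_mask = sport ? 0xffff : 0;
    req->sa.sel.dport = htons(dport);
    req->sa.sel.dport_mask = dport ? 0xffff : 0;
    if (add_algo(req, XFRMA_ALG_CRYPT, "cbc(aes)", ekey, eklen) < 0)
        return -1;
    return add_algo(req, XFRMA_ALG_AUTH, "hmac(sha256)", akey, aklen);
}

/* Send the request and read the kernel's reply: 0 on ACK, otherwise -errno. */
static int send_newsa(const struct newsa_req *req)
{
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
    if (fd < 0)
        return -errno;
    struct sockaddr_nl kern = { .nl_family = AF_NETLINK };
    if (sendto(fd, req, req->n.nlmsg_len, 0, (struct sockaddr *)&kern, sizeof kern) < 0) {
        int e = errno;
        close(fd);
        return -e;
    }
    char buf[4096];
    ssize_t got = recv(fd, buf, sizeof buf, 0);
    close(fd);
    if (got < 0)
        return -errno;
    struct nlmsghdr *h = (struct nlmsghdr *)buf;
    if (!NLMSG_OK(h, (size_t)got) || h->nlmsg_type != NLMSG_ERROR)
        return -EPROTO;
    return ((struct nlmsgerr *)NLMSG_DATA(h))->error;   /* 0 is the ACK */
}

int main(void)
{
    in_addr_t src = inet_addr("192.0.2.1"), dst = inet_addr("192.0.2.2"); /* constructed */
    static const unsigned char ekey[16] = "0123456789abcdef";             /* constructed */
    static const unsigned char akey[32] = "0123456789abcdef0123456789abcdef";
    struct { uint32_t spi; uint16_t sport; uint8_t proto; } cases[] = {
        { 0x1000, 5000, IPPROTO_UDP },  /* (b): two SAs differing only in SPI and sport */
        { 0x1001, 5001, IPPROTO_UDP },
        { 0x1002, 5002, 0 },            /* (c): ports with proto 0, shared by TCP and UDP */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct newsa_req req;
        if (build_newsa(&req, src, dst, cases[i].spi, cases[i].sport, 0, cases[i].proto,
                        ekey, sizeof ekey, akey, sizeof akey) < 0)
            return 1;
        int rc = send_newsa(&req);
        printf("SA spi 0x%x sport %u proto %u: %s\n", cases[i].spi, cases[i].sport,
               cases[i].proto, rc == 0 ? "added" : strerror(-rc));
    }
    return 0;
}
```

Build with gcc and run as root; `ip xfrm state` then lists the three SAs with their selectors, and `ip xfrm state flush` removes them again. Without CAP_NET_ADMIN the kernel answers the request with an NLMSG_ERROR carrying -EPERM, which the program prints rather than treating as success.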