Concerning my last email:<br><br>I have noticed that in the 'add_sa' method in kernel_netlink_ipsec.c there is a structure called xfrm_usersa_info where all SA information is stored before sending it to the kernel. <br>
Is it possible to change the unsigned int "__u32 seq" manually in order to establish this parameter by hand? <br><br>I have tried to change other parameters manually and it works (e.g. changing the "__u32 reqid" by setting it to 4 or 10, etc.), but not "seq". <br>
<br>Thanks,<br><br>Daniel<br><br>
<br><br><div class="gmail_quote">2012/1/31 Daniel Palomares <span dir="ltr"><<a href="mailto:palomaresdaniel@gmail.com" target="_blank">palomaresdaniel@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi All;<br><br>I’m trying to do, “roughly”, an IPsec context recovery for High Availability purposes and testing. I know that there is an RFC for this already; by the way, I wanted to learn how to manipulate the ESP sequence.<br><br>
What I do is the following:<br>- I establish a transport mode tunnel between a host and a gateway (done as any IKEv2 implementation would do). <br>- Then, on the gateway side, I erase the whole IPsec information concerning the SAs and CHILD_SAs, and then I reinstall it again on the same gateway. (I coded this myself in strongSwan.)<br>
- During reinstallation of the SA, the only parameter that I’m missing is the ESP sequence numbers. <br><br>In order to establish this sequence manually through the netlink message attributes, I found that XFRMA_REPLAY_VAL would be the appropriate type to do so. <br>
<br>The struct xfrm_replay_state should be modified in order to establish these values manually. Am I right? <br><br>What I tried was something like taking a random number (e.g. 14) and I wanted the reinstalled SA to have the ESP sequence number 14 (just to test how to manually change ESP sequences).<br>
<br>struct xfrm_replay_state replay;<br><br>replay.seq = 14;<br>replay.oseq = 14;<br>replay.bitmap = (didn’t know which value to use) <br><br>I did take some implementation from strongSwan:<br><br>+++++++++++++++++++++++++++++++++++++++++ <br>
(This is added when installing the new SA in kernel_netlink_ipsec.c)<br><br>(This is not going to be the case for all new SAs established, as I told before, I just want to know how to manipulate these ESP sequences manually)<br>
<br>rthdr->rta_type = XFRMA_REPLAY_VAL;<br>rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));<br>if (hdr->nlmsg_len > sizeof(request))<br>{<br>return FAILED;<br>}<br>memcpy(RTA_DATA(rthdr), &replay, sizeof(replay));<br>
rthdr=XFRM_RTA_NEXT(rthdr);<br><br>++++++++++++++++++++++++++++++++++++++++++<br><br>I think this piece of code is supposed to add the ESP Sequence manually when sending the message through the socket_xfrm. <br><br>The SAD and SPD are installed correctly but not the ESP Sequence. <br>
<br>Any ideas? <br><br><br>Cheers;<br><br>Daniel<br>
</blockquote></div><br>
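As an added example (not code from the list post or from strongSwan), this builds the XFRM_MSG_NEWSA request in memory, appends XFRMA_REPLAY_VAL the way the kernel expects it, and reads it back the way the kernel's attribute walk would; no netlink socket is opened. The seq field of xfrm_usersa_info is the key-manager sequence used to match ACQUIRE requests, not the ESP counter; the ESP counters are the seq/oseq/bitmap of xfrm_replay_state, and in the snippet as pasted nothing advances hdr->nlmsg_len after the attribute is written, so an attribute placed there lies outside the message the kernel parses. struct newsa_msg, init_newsa, add_replay_val, find_replay_val and the reqid value are assumptions of this example.

```c
#include <string.h>
#include <linux/in.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <linux/xfrm.h>
struct newsa_msg {                 /* constructed in-memory XFRM_MSG_NEWSA; nothing is sent here */
    struct nlmsghdr hdr;
    struct xfrm_usersa_info sa;    /* fixed part: reqid, spi, lifetimes... but no ESP counters */
    unsigned char attrs[256];      /* attributes appended after the fixed part */
};

void init_newsa(struct newsa_msg *m, __u32 reqid)
{
    memset(m, 0, sizeof(*m));
    m->hdr.nlmsg_type = XFRM_MSG_NEWSA;
    m->hdr.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    m->hdr.nlmsg_len = NLMSG_LENGTH(sizeof(m->sa));   /* attributes start after this */
    m->sa.id.proto = IPPROTO_ESP;
    m->sa.reqid = reqid;                              /* constructed sample value */
}

/* Append XFRMA_REPLAY_VAL (seq = inbound, oseq = outbound, bitmap = inbound window). Returns
 * the new nlmsg_len, or 0 if it would not fit. Advancing nlmsg_len is what lets the kernel see it. */
size_t add_replay_val(struct newsa_msg *m, __u32 seq, __u32 oseq, __u32 bitmap)
{
    struct xfrm_replay_state replay = { .seq = seq, .oseq = oseq, .bitmap = bitmap };
    size_t off = NLMSG_ALIGN(m->hdr.nlmsg_len);
    size_t need = off + RTA_LENGTH(sizeof(replay));
    struct rtattr *rta = (struct rtattr *)((unsigned char *)m + off);
    if (need > sizeof(*m))
        return 0;
    rta->rta_type = XFRMA_REPLAY_VAL;
    rta->rta_len = RTA_LENGTH(sizeof(replay));
    memcpy(RTA_DATA(rta), &replay, sizeof(replay));
    m->hdr.nlmsg_len = need;
    return need;
}

/* Walk the attributes as the kernel does: 0 if XFRMA_REPLAY_VAL lies inside nlmsg_len, else -1. */
int find_replay_val(struct newsa_msg *m, struct xfrm_replay_state *out)
{
    struct rtattr *rta = (struct rtattr *)((unsigned char *)NLMSG_DATA(&m->hdr) + NLMSG_ALIGN(sizeof(m->sa)));
    int len = (int)m->hdr.nlmsg_len - (int)NLMSG_SPACE(sizeof(m->sa));
    for (; RTA_OK(rta, len); rta = RTA_NEXT(rta, len))
        if (rta->rta_type == XFRMA_REPLAY_VAL && RTA_PAYLOAD(rta) >= sizeof(*out)) {
            memcpy(out, RTA_DATA(rta), sizeof(*out));
            return 0;
        }
    return -1;
}
```

A real request still needs the mandatory SA attributes (algorithms and keys) before the kernel accepts it, and the bitmap only has meaning for the inbound SA; on SAs using ESN the counters are carried by XFRMA_REPLAY_ESN_VAL instead.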