[strongSwan-dev] IPSec Tunnel mode with NAT-T
Kaushal Bhandankar
kaushalgoa at gmail.com
Wed Aug 25 09:34:55 CEST 2010
Hi Martin,
I am running a test program (which does a setsockopt with UDP_ENCAP) in
the background.
UAC < ----- > P-CSCF (Security association exists between these 2
elements, SAD/SPD updated at both ends.)
Still, I am not able to get the UDP Encapsulated packets on the UAC (I can
see them in Wireshark but I guess they get dropped in the kernel)
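
    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>
    #include <sys/socket.h>
    #include <netinet/in.h>

    #define UDP_ENCAP 100          /* UDP-level socket option */
    #define UDP_ENCAP_ESPINUDP 2   /* ESP-in-UDP encapsulation type */
    #define SOL_UDP 17
    #define UDP_PORT 4500          /* NAT-T port */

    int main(void)
    {
        static int udp_enc_sck = 0;
        int ret = 2;

        if ((udp_enc_sck = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0) {
            printf("\n Failed to open udp enc socket \n");
            return 1;
        }

        /* Ask the kernel to decapsulate ESP-in-UDP arriving on this socket */
        int type = UDP_ENCAP_ESPINUDP;
        if (setsockopt(udp_enc_sck, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0) {
            printf("\n Failed to set udp enc socket options \n");
            return 1;
        }

        struct sockaddr_storage addr;
        struct sockaddr_in *sin = (struct sockaddr_in *)&addr;
        memset(&addr, 0, sizeof(addr));   /* do not bind with uninitialised bytes */
        sin->sin_family = AF_INET;
        sin->sin_addr.s_addr = INADDR_ANY;
        sin->sin_port = htons(UDP_PORT);
        ret = bind(udp_enc_sck, (struct sockaddr *)&addr, sizeof(addr));
        if (ret < 0) {
            perror("\n Failed to bind udp enc socket \n");
            return 1;
        }

        /* Keep the socket open; sleep instead of spinning */
        while (1) {
            pause();
        }
    }
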
On Wed, Aug 25, 2010 at 12:54 PM, Martin Willi <martin at strongswan.org> wrote:
> Hi Kaushal,
>
> > Does that mean that I can run a "test program" and do a setsockopt on
> > the UDP socket in the "test program" and I will be able to receive
> > messages on the UE ?
>
> To enable UDP decapsulation of ESP packets, this option must be set on a
> single socket in any application, yes. It does not matter which
> application sets it. But the flag does just that, decapsulation of
> UDP-in-ESP packets, you still have to configure the SAs with UDP
> encapsulation.
>
> Regards
> Martin
>
>
>
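
An added example, not part of the original thread: a small classifier for the UDP payload of a port-4500 datagram, following the RFC 3948 rules that separate NAT keepalives, ESP-in-UDP and IKE (non-ESP marker). The names natt_classify and natt_kind and the sample bytes are constructed for illustration; comparing the reported SPI with the SAs installed on the receiver is one way to check whether a packet seen in a capture can match an SA at all.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum natt_kind {
    NATT_KEEPALIVE, /* one 0xFF byte: NAT keepalive, discarded by the receiver */
    NATT_ESP,       /* ESP-in-UDP: non-zero SPI first, candidate for decapsulation */
    NATT_IKE        /* non-ESP marker or short packet: left for the socket owner */
};

#define ESP_HDR_LEN 8 /* SPI (4 bytes) + sequence number (4 bytes) */

/* Classify the UDP payload of a port-4500 datagram following RFC 3948.
 * On NATT_ESP, *spi receives the SPI in host byte order; otherwise 0. */
enum natt_kind natt_classify(const uint8_t *p, size_t len, uint32_t *spi)
{
    uint32_t first = 0;

    *spi = 0;
    if (len == 1 && p[0] == 0xFF)
        return NATT_KEEPALIVE;
    if (len >= 4)
        first = (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
                (uint32_t)p[2] << 8 | (uint32_t)p[3];
    if (len > ESP_HDR_LEN && first != 0) {
        *spi = first;
        return NATT_ESP;
    }
    return NATT_IKE;
}

int main(void)
{
    /* Constructed sample payloads, not captured traffic. */
    static const uint8_t esp[] = { 0xC1, 0x23, 0x45, 0x67, 0, 0, 0, 1, 0xAA, 0xBB };
    static const uint8_t ike[] = { 0, 0, 0, 0, 1, 2, 3, 4, 5, 6, 7, 8 };
    static const uint8_t ka[]  = { 0xFF };
    static const char *names[] = { "keepalive", "ESP", "IKE" };
    uint32_t spi;
    enum natt_kind k;

    printf("%s\n", names[natt_classify(ka, sizeof ka, &spi)]);
    printf("%s\n", names[natt_classify(ike, sizeof ike, &spi)]);
    k = natt_classify(esp, sizeof esp, &spi);
    printf("%s spi=0x%08x\n", names[k], (unsigned)spi);
    return 0;
}
```
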