[strongSwan-dev] kernel SPD/SAD tool
Goshen, Ido (Ido)
igoshen at avaya.com
Mon May 30 14:00:03 CEST 2011
Hi Andreas,
Thanks for the quick response, and for exposing me to the "ip xfrm"
option. I like it a lot better than mixing ipsec-tools setkey with
strongSwan.
As you suggested, I would rather not have to manually touch the
SPD/SAD. But I'm having a problem: when pluto crashes, it leaves behind
entries in the kernel that may break further negotiation after pluto is
restarted.
More details were posted in:
1. http://www.mail-archive.com/users@lists.strongswan.org/msg02447.html
2. https://lists.strongswan.org/pipermail/users/2011-May/006236.html
Is it a known issue?
Any ideas how to fix/recover?
Thanks,
- Ido
-----Original Message-----
From: dev-bounces+igoshen=avaya.com at lists.strongswan.org
[mailto:dev-bounces+igoshen=avaya.com at lists.strongswan.org] On Behalf Of
dev-request at lists.strongswan.org
Sent: Monday, May 30, 2011 1:00 PM
To: dev at lists.strongswan.org
Subject: Dev Digest, Vol 16, Issue 5
Today's Topics:
1. kernel SPD/SAD tool (Goshen, Ido (Ido))
2. Re: kernel SPD/SAD tool (Andreas Steffen)
----------------------------------------------------------------------
Message: 1
Date: Mon, 30 May 2011 10:07:43 +0200
From: "Goshen, Ido (Ido)" <igoshen at avaya.com>
Subject: [strongSwan-dev] kernel SPD/SAD tool
To: <dev at lists.strongswan.org>
Message-ID:
<EDC652A26FB23C4EB6384A4584434A04032BC954 at 307622ANEX5.global.avaya.com>
Content-Type: text/plain; charset="us-ascii"
Hi,
Does strongSwan supply a shell tool like "setkey" from ipsec-tools to
monitor and/or manipulate the kernel's SPD/SAD, or is it all done
programmatically via hydra (netlink plugin in my case)?
Thanks,
- Ido
------------------------------
Message: 2
Date: Mon, 30 May 2011 11:50:21 +0200
From: Andreas Steffen <andreas.steffen at strongswan.org>
Subject: Re: [strongSwan-dev] kernel SPD/SAD tool
To: "Goshen, Ido (Ido)" <igoshen at avaya.com>
Cc: dev at lists.strongswan.org
Message-ID: <4DE3685D.9050003 at strongswan.org>
Content-Type: text/plain; charset=windows-1252; format=flowed
Hi Ido,
strongSwan manages the kernel SPD/SAD via the XFRM Netlink kernel
interface. The built-in "ipsec statusall" command can be used to
monitor the established IPsec SAs but if you want to see all the
details you can also use "setkey" or "ip xfrm state|policy".
If you manipulate SPD/SAD entries via "setkey" or "ip xfrm" then you
are on your own since strongSwan will not be aware of any such changes.
Regards
Andreas
On 05/30/2011 10:07 AM, Goshen, Ido (Ido) wrote:
> Hi,
>
> Does StrongSWAN supply a shell tool like "setkey" from ipsec-tools to
> monitor and/or manipulate the kernel's SPD/SAD or it's all done
> programmatically via hydra (netlink plugin in my case)?
>
> Thanx,
>
> -Ido
>
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
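The leftover-entry problem raised in this thread can be checked read-only from "ip xfrm state" output. The following shell script is an added example, not code from the thread or from strongSwan: it reduces two SAD snapshots to one line per SA and prints the SAs present both before and after a daemon restart. The snapshots, addresses, SPIs and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: find kernel SAs that survived an IKE daemon restart.
# On a live system, capture snapshots with:  ip xfrm state

# Constructed sample: SAD captured before the daemon went down.
SAD_BEFORE='src 192.0.2.1 dst 192.0.2.2
    proto esp spi 0xc1a0b001 reqid 16385 mode tunnel
    replay-window 32 flag af-unspec
src 192.0.2.2 dst 192.0.2.1
    proto esp spi 0xc1a0b002 reqid 16385 mode tunnel
    replay-window 32 flag af-unspec'

# Constructed sample: SAD after restart; SPI 0xc1a0b001 is still present.
SAD_AFTER='src 192.0.2.1 dst 192.0.2.2
    proto esp spi 0xc1a0b001 reqid 16385 mode tunnel
    replay-window 32 flag af-unspec
src 192.0.2.1 dst 192.0.2.2
    proto esp spi 0xc7770003 reqid 16389 mode tunnel
src 192.0.2.2 dst 192.0.2.1
    proto esp spi 0xc7770004 reqid 16389 mode tunnel'

# Read "ip xfrm state" text on stdin; print "src dst proto spi reqid mode"
# per SA, sorted. Selector ("sel ...") and key lines are ignored.
xfrm_sa_summary() {
    awk '
        $1 == "src" && $3 == "dst" { src = $2; dst = $4; next }
        $1 == "proto" {
            spi = reqid = mode = "-"
            for (i = 2; i < NF; i++) {
                if ($i == "spi")   spi = $(i + 1)
                if ($i == "reqid") reqid = $(i + 1)
                if ($i == "mode")  mode = $(i + 1)
            }
            print src, dst, $2, spi, reqid, mode
        }' | sort
}

# Args: snapshot-before, snapshot-after. Prints SAs found in both.
surviving_sas() {
    tmp_before=$(mktemp) || return 1
    tmp_after=$(mktemp) || { rm -f "$tmp_before"; return 1; }
    printf '%s\n' "$1" | xfrm_sa_summary > "$tmp_before"
    printf '%s\n' "$2" | xfrm_sa_summary > "$tmp_after"
    comm -12 "$tmp_before" "$tmp_after"
    rm -f "$tmp_before" "$tmp_after"
}

surviving_sas "$SAD_BEFORE" "$SAD_AFTER"
```

The summary keeps only addresses, protocol, SPI, reqid and mode, so the key material that "ip xfrm state" prints for root is not copied into the comparison files.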