[strongSwan-dev] Re: ESP Sequence

Daniel Palomares palomaresdaniel at gmail.com
Wed Feb 1 10:55:37 CET 2012


Concerning last email;

I have noticed that during the 'add_sa' method in kernel_netlink_ipsec.c,
there is a structure called xfrm_usersa_info where all SA information is
stored before sending it to the kernel.
Is it possible to change the unsigned int "__u32 seq" manually in order to
set this parameter by hand?

I have tried to change other parameters manually and it works (i.e.
changing the "__u32 reqid" by setting it to 4 or 10, etc.), but not with
"seq".

Thanks,

Daniel



2012/1/31 Daniel Palomares <palomaresdaniel at gmail.com>

> Hi All;
>
> I'm trying to do, "roughly", an IPsec context recovery for High
> Availability purposes and testing. I know that there is an RFC already done,
> but I wanted to learn how to manipulate the ESP Sequence anyway.
>
> What I do is the following:
> -    I establish a Transport Mode tunnel between a host and a gateway
> (done as any IKEv2 implementation would do).
> -    Then, on the gateway side, I erase the whole IPsec information
> concerning the SAs and Child SAs and then I reinstall it again on the same
> gateway. (I coded this myself on strongSwan).
> -    During reinstallation of the SA, the only parameter that I'm missing
> is the ESP Sequences.
>
> In order to establish this Sequence manually through the netlink message
> attributes I found that XFRMA_REPLAY_VAL would be the appropriate type to
> do so.
>
> The struct xfrm_replay_state should be modified in order to set
> these values manually. Am I right?
>
> What I tried was something like taking a random number (i.e. 14) and I
> wanted the reinstalled SA to have the ESP Sequence number 14 (just to test
> how to manually change ESP Sequences):
>
> struct xfrm_replay_state replay;
>
> replay.seq = 14;
> replay.oseq = 14;
> replay.bitmap = (Didn't know which value to use)
>
> I did take some implementation from strongswan:
>
> +++++++++++++++++++++++++++++++++++++++++
> (This is added when installing the new SA in kernel_netlink_ipsec.c)
>
> (This is not going to be the case for all new SAs established; as I said
> before, I just want to know how to manipulate these ESP sequences manually)
>
> rthdr->rta_type = XFRMA_REPLAY_VAL;
> rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
> hdr->nlmsg_len += rthdr->rta_len; /* grow the message before checking it fits */
> if (hdr->nlmsg_len > sizeof(request))
> {
>     return FAILED;
> }
> memcpy(RTA_DATA(rthdr), &replay, sizeof(replay));
> rthdr = XFRM_RTA_NEXT(rthdr);
>
> ++++++++++++++++++++++++++++++++++++++++++
>
> I think this piece of code is supposed to add the ESP Sequence manually
> when sending the message through the XFRM netlink socket.
>
> The SAD and SPD are installed correctly but not the ESP Sequence.
>
> Any ideas?
>
>
> Cheers;
>
> Daniel
>
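An added example, not strongSwan's code nor the code from the post above, showing the two pieces the question turns on: appending XFRMA_REPLAY_VAL to an XFRM_MSG_NEWSA message with the length check done after the message is grown, and what the bitmap field means, by implementing the same 32-bit sliding replay window the kernel's legacy xfrm_replay code uses (RFC 4303 style). Under that scheme, a state meaning "sequence 14 was the last packet received and nothing is outstanding" is seq = 14, bitmap = 1; the example assumes the Linux UAPI headers are available, and the 32-bit window size is a constant chosen here, not taken from the SA.

```c
/* Added example (not strongSwan code): appending XFRMA_REPLAY_VAL to an
 * XFRM_MSG_NEWSA message and the 32-bit replay window the attribute carries. */
#include <stdint.h>
#include <string.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <linux/xfrm.h>

/* Append the attribute after whatever already follows the xfrm_usersa_info
 * body. nlmsg_len is grown *before* the bounds check, so an attribute that
 * would overrun buf_len is rejected instead of written. 0 = ok, -1 = no room. */
static int add_replay_val(struct nlmsghdr *hdr, size_t buf_len,
                          const struct xfrm_replay_state *rs)
{
    size_t new_len = NLMSG_ALIGN(hdr->nlmsg_len) + RTA_SPACE(sizeof(*rs));
    if (new_len > buf_len)
        return -1;
    struct rtattr *rta = (struct rtattr *)((char *)hdr + NLMSG_ALIGN(hdr->nlmsg_len));
    rta->rta_type = XFRMA_REPLAY_VAL;
    rta->rta_len = RTA_LENGTH(sizeof(*rs));
    memcpy(RTA_DATA(rta), rs, sizeof(*rs));
    hdr->nlmsg_len = new_len;
    return 0;
}

/* Inbound anti-replay check and window advance, the RFC 4303 sliding window
 * as the kernel's legacy xfrm_replay code implements it for a 32-bit window
 * (window size fixed at 32 here as an assumption): bit i of bitmap set means
 * sequence number (seq - i) was already received. 1 = accepted and recorded,
 * 0 = rejected (sequence 0, older than the window, or a replay). */
static int replay_accept(struct xfrm_replay_state *rs, uint32_t seq)
{
    if (seq == 0)                      /* ESP never sends sequence 0 */
        return 0;
    if (seq > rs->seq) {               /* newer than the window: slide it */
        uint32_t diff = seq - rs->seq;
        rs->bitmap = diff < 32 ? (rs->bitmap << diff) | 1U : 1U;
        rs->seq = seq;
        return 1;
    }
    uint32_t diff = rs->seq - seq;
    if (diff >= 32 || (rs->bitmap & (1U << diff)))
        return 0;                      /* too old, or already seen */
    rs->bitmap |= 1U << diff;
    return 1;
}
```

Note that oseq is the outbound counter: re-installing an SA with a lower oseq than the peer has already seen makes the peer's window reject those packets as replays, so a recovered SA needs the outbound counter carried over as well.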

