[strongSwan-dev] ESP Sequence

Daniel Palomares palomaresdaniel at gmail.com
Fri Feb 3 14:36:04 CET 2012


Any ideas?



2012/2/2 Daniel Palomares <palomaresdaniel at gmail.com>

> Well,
> I managed to change the ESP sequence manually by changing
> kernel_netlink_ipsec.c, as I said in my first email.
>
> I saw, thanks to Wireshark, that packets changed their ESP sequence counter
> to the number I wanted.
> Now my question is: how can you ask the kernel what the value of the
> ESP sequence counter is at any time?
>
> Do you know if "setkey" or "ip xfrm" are the appropriate commands?
> If yes, could you be explicit and tell me the correct command that
> shows the value of the ESP sequence counters for each SA?
>
> Thanks in advance again!
>
> Daniel
>
>
> 2012/2/1 Daniel Palomares <palomaresdaniel at gmail.com>
>
>> Concerning last email;
>>
>> I have noticed that during the 'add_sa' method in kernel_netlink_ipsec.c,
>> there is a structure called xfrm_usersa_info where all SA information is
>> stored before sending it to the kernel.
>> Is it possible to change the unsigned int "__u32 seq" manually in order
>> to establish this parameter manually?
>>
>> I have tried to change other parameters manually and it works (e.g.
>> changing the "__u32 reqid" by setting it to 4 or 10, etc.), but not with
>> "seq".
>>
>> Thanks,
>>
>> Daniel
>>
>>
>>
>>
>> 2012/1/31 Daniel Palomares <palomaresdaniel at gmail.com>
>>
>>> Hi All;
>>>
>>> I'm trying to do, roughly, an IPsec context recovery for High
>>> Availability purposes and testing. I know that there is already an RFC for
>>> this; anyway, I wanted to learn how to manipulate the ESP sequence.
>>>
>>> What I do is the following:
>>> -    I establish a Transport Mode tunnel between a host and a gateway
>>> (done as any IKEv2 implementation would do).
>>> -    Then, on the gateway side, I erase the whole IPsec information
>>> concerning the SAs and Child SAs and then I reinstall it again in the same
>>> gateway. (I coded this myself in strongSwan.)
>>> -    During reinstallation of the SA, the only parameter that I'm
>>> missing is the ESP sequences.
>>>
>>> In order to establish this Sequence manually through the netlink message
>>> attributes I found that XFRMA_REPLAY_VAL would be the appropriate type to
>>> do so.
>>>
>>> The struct xfrm_replay_state should be modified in order to establish
>>> these values manually. Am I right?
>>>
>>> What I tried was something like taking a random number (e.g. 14) and
>>> making the reinstalled SA have the ESP sequence number 14 (just to test
>>> how to manually change ESP sequences):
>>>
>>> struct xfrm_replay_state replay;
>>>
>>> replay.seq = 14;
>>> replay.oseq =14;
>>> replay.bitmap = (Didn’t know which value to use)
>>>
>>> I did take some implementation from strongswan:
>>>
>>> +++++++++++++++++++++++++++++++++++++++++
>>> (This is added when installing the new SA in kernel_netlink_ipsec.c)
>>>
>>> (This is not going to be the case for all new SAs established; as I said
>>> before, I just want to know how to manipulate these ESP sequences manually.)
>>>
>>> rthdr->rta_type = XFRMA_REPLAY_VAL;
>>> rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
>>> hdr->nlmsg_len += rthdr->rta_len;   /* grow the message before the bounds check */
>>> if (hdr->nlmsg_len > sizeof(request))
>>> {
>>>     return FAILED;
>>> }
>>> memcpy(RTA_DATA(rthdr), &replay, sizeof(replay));
>>> rthdr = XFRM_RTA_NEXT(rthdr);
>>>
>>> ++++++++++++++++++++++++++++++++++++++++++
>>>
>>> I think this piece of code is supposed to add the ESP Sequence manually
>>> when sending the message through the socket_xfrm.
>>>
>>> The SAD and SPD are installed correctly but not the ESP Sequence.
>>>
>>> Any ideas?
>>>
>>>
>>> Cheers;
>>>
>>> Daniel
>>>
>>
>>
>
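As an added illustration (not strongSwan's code and not the poster's), the XFRMA_REPLAY_VAL attribute appended to an XFRM_MSG_NEWSA request with the length accounting the quoted fragment skips, together with the kernel's seq/bitmap semantics the poster was unsure about; the request buffer and the sequence numbers fed in are constructed, and nothing is sent to the kernel.

```c
/* Added example, not strongSwan's code: append XFRMA_REPLAY_VAL to an XFRM netlink
 * request with a correct length check, and derive the bitmap. No socket is opened. */
#include <stdint.h>
#include <string.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <linux/xfrm.h>

/* Kernel semantics: seq is the highest sequence received; bit k of bitmap set
 * means (seq - k) was received, for k below the replay window (at most 32). */
static uint32_t replay_bitmap(uint32_t seq, const uint32_t *seen, size_t n, uint32_t window)
{
    uint32_t bitmap = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t diff = seq - seen[i];      /* wraps if seen[i] > seq, hence the guard */
        if (seen[i] <= seq && diff < window && diff < 32)
            bitmap |= 1U << diff;
    }
    return bitmap;
}

/* Append the attribute; 0 on success, -1 if the buffer would overflow. The grown
 * length is checked before anything is written, unlike the quoted fragment. */
static int append_replay_val(struct nlmsghdr *hdr, size_t buf_size, uint32_t seq, uint32_t oseq, uint32_t bitmap)
{
    struct xfrm_replay_state replay = { .oseq = oseq, .seq = seq, .bitmap = bitmap };
    struct rtattr *rthdr = (struct rtattr *)((char *)hdr + NLMSG_ALIGN(hdr->nlmsg_len));
    size_t new_len = NLMSG_ALIGN(hdr->nlmsg_len) + RTA_SPACE(sizeof(replay));
    if (new_len > buf_size)
        return -1;
    rthdr->rta_type = XFRMA_REPLAY_VAL;
    rthdr->rta_len = RTA_LENGTH(sizeof(replay));
    memcpy(RTA_DATA(rthdr), &replay, sizeof(replay));
    hdr->nlmsg_len = new_len;
    return 0;
}

/* Build an XFRM_MSG_NEWSA-shaped request (header + xfrm_usersa_info) in a constructed
 * buffer, append the attribute and parse it back; returns the seq found, or 0 on failure. */
static uint32_t build_and_readback(size_t buf_size, uint32_t seq, uint32_t oseq, uint32_t bitmap)
{
    unsigned char buf[512] = {0};
    struct nlmsghdr *hdr = (struct nlmsghdr *)buf;
    hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
    struct rtattr *rta = (struct rtattr *)(buf + NLMSG_ALIGN(hdr->nlmsg_len));
    if (buf_size > sizeof(buf) || append_replay_val(hdr, buf_size, seq, oseq, bitmap) != 0 ||
        rta->rta_type != XFRMA_REPLAY_VAL || RTA_PAYLOAD(rta) != sizeof(struct xfrm_replay_state))
        return 0;
    return ((struct xfrm_replay_state *)RTA_DATA(rta))->seq;
}
```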