[strongSwan-dev] ESP Sequence

Daniel Palomares palomaresdaniel at gmail.com
Wed Feb 8 11:29:46 CET 2012


Hello all;

I continue experiencing troubles when getting the ESP Sequence Counter.

I have reused code from the get_replay_state() function as Willi told me.

Unfortunately, once through the SWITCH statement of this function,  the
xfrm message that I'm getting is NLMSG_ERROR of the type "No such process
(3)" for SPI ..."
During this error I noticed that the displayed SPI in  the LOG is correct.

Does the "No such process(3)" means that an SA is not found or that the
message I'm sending to kernel is not the appropriate one?

To uniquely identify the SA I'm using the spi, the protocol (50 for ESP)
and and the destination source; as well as the family of the destination
address in xfrm_aevent_id.

Any help will be sincerely appreciate!

Thanks again,

Daniel




2012/2/3 Daniel Palomares <palomaresdaniel at gmail.com>

> Hi Martin,
>
> Thanks for your reply!
>
> Yes, I did have a look , and I did modify the replay state by re-using the
> methods during the update_sa call.
> I was just wondering if there is a way through ip xfrm or setkey or other,
> to monitor the ESP sequence?
>
> I mean, if I am an administrator and I wish to monitor the ESP counters,
> how would I do?
> When you run "ipsec statusall" could you find such information? and if
> not, is there anyway then?
>
> Thanks
>
> Daniel
>
>
>
> 2012/2/3 Martin Willi <martin at strongswan.org>
>
>> Hello Daniel,
>>
>> > how can you ask the kernel what is the value of the ESP sequence
>> > counter at anytime?
>>
>> Have a look at the get_replay_state() function at [1], it gets the
>> replay state from a kernel SA. We use it to adjust the replay state
>> after updating addresses of an SA.
>>
>> Regards
>> Martin
>>
>> [1]
>> http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c#l1494
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20120208/5b34902d/attachment.html>


More information about the Dev mailing list