[strongSwan-dev] ESP Sequence

Daniel Palomares palomaresdaniel at gmail.com
Tue Jan 31 18:00:56 CET 2012

Hi All;

I’m trying to do “roughly”, an IPsec context recovery for High Availability
purposes and testing. I know that there is a RFC already done, by the way I
wanted to learn how to manipulate ESP Sequence.

What I do is the following:
-    I establish a Transport Mode tunnel between a host and a gateway (done
as any IKEv2 implementation would do).
-    Then, on the gateway side, I erase the whole IPsec information
concerning the SAs and Child’s and then I reinstall it again in the same
gateway. (I coded this by myself on Strongswan).
-    During reinstallation of the SA, the only parameter that I’m missing
is the ESP Sequences.

In order to establish this Sequence manually through the netlink message
attributes I found that XFRMA_REPLAY_VAL would be the appropriate type to
do so.

The struct xfrm_replay_state should be modified in order to establish these
values manually. I’m I right?

What I tried was something like taking a random number (i.e. 14) and I
wanted the reinstalled SA to have the ESP Sequence number 14 (just to tet
how to manually change ESP Sequences)

xfrm_replay_state replay;

replay.seq = 14;
replay.oseq =14;
replay.bitmap = (Didn’t know which value to use)

I did take some implementation from strongswan:

(This is added when installing the new SA in kernel_netlink_ipsec.c)

(This is not going to be the case for all new SAs established, as I told
before, I just want to know how to manipulate these ESP sequences manually)

rthdr->rta_type = XFRMA_REPLAY_VAL;
rthdr->rta_len= RTA_LENGTH(sizeof(struct xfrm_replay_state));
if(hdr->nlmsg_len > sizeof(request))
return FAILED;
memcpy(RTA_DATA(rthdr, &replay, sizeof(replay));


I think this piece of code is supposed to add the ESP Sequence manually
when sending the message through the socket_xfrm.

The SAD and SPD are installed correctly but not the ESP Sequence.

Any ideas?


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20120131/a9662436/attachment.html>

More information about the Dev mailing list