[strongSwan-dev] manual manipulation the IPsec SA/SP database

krishna chaitanya krishnachaitanya.sanapala at gmail.com
Wed May 30 08:31:00 CEST 2012


Hi Andreas,

Thanks very much for the quick response. I would love to have more
clarification on the following.

1. About SAD:

Adding an SA using setkey:

add 10.0.0.11 10.0.0.216 esp 15701 -E 3des-cbc "123456789012123456789012";

add 10.0.0.11 10.0.0.216 ah 15700 -A hmac-md5 "1234567890123456";

I replicated the same in strongSwan in the ipsec.conf file by adding it as
a conn. I could configure everything using strongSwan apart from the
SPI.

I understand that the starter daemon is a configuration file parser and it
would communicate the changes. Please help me with the SPI. Is it
that strongSwan uses the SPI allocated by the kernel?


2. About SPD:

Adding an SPD entry by setkey:

spdadd 10.0.0.216 10.0.0.11 any -P out ipsec
           esp/transport//require
           ah/transport//require;

I tried a lot of documentation on how to configure an SP, but was unsuccessful.

Can I build a userspace program registered with XFRM to add/delete/*
policies for charon? Would that work?


On Tue, May 29, 2012 at 8:38 PM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:

> Hello,
>
> with strongSwan you are not supposed to manipulate the SAD/SPD
> with an external command line tool as "setkey" or
> "ip xfrm state/policy add" because the IKEv1/IKEv2 daemons will
> not become aware of any external SAD/SPD changes. All changes
> must be communicated through the strongSwan daemon interfaces.
>
> Regards
>
> Andreas
>
> On 29.05.2012 16:23, krishna chaitanya wrote:
> > Hi Team,
> >
> > I am new to strongSwan. We are working on an implementation of IPsec.
> >
> > I earlier worked with racoon where I used setkey for SAD/SPD
> > manipulation.
> >
> > In strongSwan I had configured the SAs using the ipsec.conf file, but is
> > there a tool where we could manipulate the SAD/SPD using a shell?
> >
> >
> > Thanks,
> > KC.Sanapala
>
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>