[strongSwan-dev] manual manipulation the IPsec SA/SP database

krishna chaitanya krishnachaitanya.sanapala at gmail.com
Wed May 30 13:58:13 CEST 2012


Hi Andreas,

I do believe that the IKEv2 charon daemon subscribes to XFRM events generated
by the Linux kernel, which are triggered by IPsec XFRM state limits.

So in case that is true, charon should be aware of the changes done by
XFRM. Please correct me. Thanks


On Wed, May 30, 2012 at 12:01 PM, krishna chaitanya <
krishnachaitanya.sanapala at gmail.com> wrote:

> Hi Andreas,
>
> Thanks very much for the quick response. I would love to have more
> clarifications on the following.
>
> 1. About SAD :
>
> Adding an SA using a setkey :
>
> add 10.0.0.11 10.0.0.216 esp 15701 -E 3des-cbc "123456789012123456789012";
>
> add 10.0.0.11 10.0.0.216 ah 15700 -A hmac-md5 "1234567890123456";
>
> I replicated the same in strongSwan in the ipsec.conf file by adding it as a conn. I could configure everything using strongSwan apart from the SPI.
>
> I understand that the starter daemon is a configuration file parser and it would communicate the changes. Please help me with the SPI. Is it that strongSwan uses the SPI allocated by the kernel?
>
>
> 2. About SPD:
>
> Adding an SPD by setkey :
>
> spdadd 10.0.0.216 10.0.0.11 any -P out ipsec
>            esp/transport//require
>            ah/transport//require;
>
> I tried a lot of documentation on how to configure a SP, but was unsuccessful.
>
> Can I build a userspace program registered with XFRM to add/delete/* policies for charon? Would that work?
>
>
> On Tue, May 29, 2012 at 8:38 PM, Andreas Steffen <
> andreas.steffen at strongswan.org> wrote:
>
>> Hello,
>>
>> with strongSwan you are not supposed to manipulate the SAD/SPD
>> with an external command line tool such as "setkey" or
>> "ip xfrm state/policy add" because the IKEv1/IKEv2 daemons will
>> not become aware of any external SAD/SPD changes. All changes
>> must be communicated through the strongSwan daemon interfaces.
>>
>> Regards
>>
>> Andreas
>>
>> On 29.05.2012 16:23, krishna chaitanya wrote:
>> > Hi Team,
>> >
>> > I am new to strongswan. We are working on an implementation of IPsec.
>> >
>> > I earlier worked with racoon, where I used setkey for SAD/SPD
>> > manipulation.
>> >
>> > In strongSwan I had configured the SAs using the ipsec.conf file, but is
>> > there a tool with which we could manipulate the SAD/SPD from a shell?
>> >
>> >
>> > Thanks,
>> > KC.Sanapala
>>
>> ======================================================================
>> Andreas Steffen                         andreas.steffen at strongswan.org
>> strongSwan - the Linux VPN Solution!                www.strongswan.org
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===========================================================[ITA-HSR]==
>>
>>
>
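The point Andreas makes above is that SAs installed out-of-band with setkey or `ip xfrm state add` are invisible to charon. A practical consequence for an operator is that the kernel SAD can drift away from what the daemon believes is installed. The following script, added here as an example and not part of the thread or of the strongSwan project, audits for exactly that: it parses the output of `ip xfrm state` and the `ESP SPIs: ..._i ..._o` lines of `ipsec statusall`, and reports every kernel SA whose SPI charon never negotiated. The two sample texts are constructed for offline use; the line formats they imitate are those of the real tools, and the setkey SA from the thread (SPI 15701, which is 0x3d55) appears as the rogue entry. The subprocess calls that would feed it live output are shown commented out.

```python
"""Audit the kernel IPsec SAD against the SAs strongSwan's charon knows about.

Added example (not from the mailing-list thread or the strongSwan project):
charon does not learn about SAs installed out-of-band with setkey or
`ip xfrm state add`, so this script compares `ip xfrm state` output with the
SPIs listed by `ipsec statusall` and reports SAs charon does not manage.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class KernelSa:
    src: str
    dst: str
    proto: str
    spi: int


# Constructed sample of `ip xfrm state` output (format as printed by iproute2):
# two tunnel-mode SAs negotiated by charon and one transport-mode SA added by
# hand with setkey (SPI 0x3d55 == 15701, as in the thread's setkey line).
SAMPLE_XFRM_STATE = """\
src 10.0.0.216 dst 10.0.0.11
\tproto esp spi 0xc4d3e2f1 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\taead rfc4106(gcm(aes)) 0x000102030405060708090a0b0c0d0e0f10111213 128
src 10.0.0.11 dst 10.0.0.216
\tproto esp spi 0xc1b2a3d4 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\taead rfc4106(gcm(aes)) 0x101112131415161718191a1b1c1d1e1f20212223 128
src 10.0.0.11 dst 10.0.0.216
\tproto esp spi 0x00003d55 reqid 0 mode transport
\treplay-window 0
\tenc cbc(des3_ede) 0x313233343536373839303132313233343536373839303132
"""

# Constructed sample of the relevant `ipsec statusall` lines; only the
# "ESP SPIs: <in>_i <out>_o" part is parsed.
SAMPLE_STATUSALL = """\
Security Associations (1 up, 0 connecting):
   net-net[1]: ESTABLISHED 5 minutes ago, 10.0.0.11[moon]...10.0.0.216[sun]
   net-net{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c4d3e2f1_i c1b2a3d4_o
"""

_SA_HEADER = re.compile(r"^src (\S+) dst (\S+)\s*$")
_SA_PROTO = re.compile(r"^\s+proto (\w+) spi 0x([0-9a-fA-F]+)")
# charon prints "ESP SPIs", "ESP in UDP SPIs" (NAT-T) or "AH SPIs".
_SPI_LIST = re.compile(r"(?:ESP(?: in UDP)?|AH) SPIs: ([0-9a-f]+)_i ([0-9a-f]+)_o")


def parse_xfrm_state(text: str) -> list[KernelSa]:
    """Return one KernelSa per 'src ... dst ...' block in `ip xfrm state` output."""
    sas: list[KernelSa] = []
    src = dst = None
    for line in text.splitlines():
        m = _SA_HEADER.match(line)
        if m:
            src, dst = m.groups()
            continue
        m = _SA_PROTO.match(line)
        if m and src is not None:
            sas.append(KernelSa(src, dst, m.group(1), int(m.group(2), 16)))
    return sas


def parse_charon_spis(text: str) -> set[int]:
    """Collect every inbound and outbound SPI charon reports as installed."""
    spis: set[int] = set()
    for m in _SPI_LIST.finditer(text):
        spis.update(int(s, 16) for s in m.groups())
    return spis


def find_unmanaged_sas(xfrm_text: str, statusall_text: str) -> list[KernelSa]:
    """Kernel SAs whose SPI does not appear in charon's status output."""
    known = parse_charon_spis(statusall_text)
    return [sa for sa in parse_xfrm_state(xfrm_text) if sa.spi not in known]


if __name__ == "__main__":
    # Live use (requires root):
    # import subprocess
    # xfrm = subprocess.run(["ip", "xfrm", "state"], capture_output=True, text=True).stdout
    # status = subprocess.run(["ipsec", "statusall"], capture_output=True, text=True).stdout
    xfrm, status = SAMPLE_XFRM_STATE, SAMPLE_STATUSALL
    for sa in find_unmanaged_sas(xfrm, status):
        print(f"SA not managed by charon: {sa.proto} {sa.src} -> {sa.dst} "
              f"spi 0x{sa.spi:08x} ({sa.spi})")
```

Run it right after a rekey and an SA may be flagged briefly while the old one is still in the kernel, so treat a hit as something to confirm rather than an alarm on its own; also note that charon's status only lists the SAs of established CHILD_SAs, so IPComp or manually configured kernel-only setups will show up too.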