[strongSwan-dev] pfkey interface: mode is not filled in sadb_getspi

[Emeric POUPON]

Hi,

I noticed when dumping my SAD using setkey that the mode was not properly filled in for the inbound SA :

setkey -D
192.168.2.229 192.168.2.231 
	esp mode=any spi=3376642226(0xc94378b2) reqid=1(0x00000001)
..
192.168.2.231 192.168.2.229 
	esp mode=tunnel spi=3339957978(0xc713b6da) reqid=1(0x00000001)
...

Actually, in FreeBSD the mode is obtained from the sadb_x_sa2 extension of the sadb_getspi message.

Strongswan doesn't set anything (0), that is why it is shown as 'mode=any'.
In get_spi_internal:
...
        sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
        sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
        sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
        sa2->sadb_x_sa2_reqid = reqid;  
        PFKEY_EXT_ADD(msg, sa2); 
...

Why is the mode not set here?
Hopefully in FreeBSD the mode (part of the index of a SA) is ignored when searching the previously created SA by sadb_getspi.

I'm not sure about the fix to be done:
- put the mode in strongswan's sadb_getspi sent message
- erase the mode later in the kernel using the sadb_update message.

Note racoon does put the correct mode in the sadbxsa2 extension.
This seems to be safer.

Best Regards,

Emeric