[strongSwan-dev] pfkey interface: mode is not filled in sadb_getspi

Tobias Brunner tobias at strongswan.org
Wed Nov 26 19:06:59 CET 2014


Hi Emeric,

> Why is the mode not set here?

With IKEv2 the resulting mode is not necessarily known to the initiator.
For instance, an initiator might propose transport mode, the responder
is then free to decline that.  If it does, tunnel mode will be used
automatically (unless the initiator is not happy with it and deletes the
SA).

> Hopefully in FreeBSD the mode (part of the index of a SA) is ignored when searching the previously created SA by sadb_getspi.

No, that's exactly part of the problem.  The mode is compared (unless
the existing SA has it set to any).  And it can't be changed with an
SADB_UPDATE message, which is why the output of setkey still shows
mode=any, even though the SADB_UPDATE message actually has the mode set.

So to end up with an SA with the proper mode we'd have to delete the
allocated SPI/SA and then install it like the outbound SA with SADB_ADD.
I suppose we could do that but since the FreeBSD kernel doesn't care
what mode an SA has set when handling inbound traffic (it is
decapsulated automatically if the next header field in the ESP packet is
set to IPIP/IPV6), we use the regular GETSPI/UPDATE scheme, which by the
way results in the correct mode being set on Linux when PF_KEY is used
there.

Regards,
Tobias
