[strongSwan] Query regarding route based security

vivek bairathi bairathi.vivek at gmail.com
Tue Nov 2 08:06:49 CET 2010


On Tue, Nov 2, 2010 at 12:35 PM, vivek bairathi <bairathi.vivek at gmail.com> wrote:

> Hi Andreas,
>
> Thanks for your quick reply.
>
> I have some more queries regarding kernel_netlink interface:
>
> If I use auto=route in ipsec.conf file for a connection:
> Q1. Does the stack, after reading the ipsec.conf file for this connection,
> install SPD and route entries into the kernel? If yes, then are the SPI and
> reqid written in the SPD the ones that are sent to the IKEv2 stack by the
> kernel in the XFRM ACQUIRE message?
>
> If I do not use auto=route in ipsec.conf file for a connection:
> Q2. If I send an XFRM ACQUIRE message to the IKEv2 stack using my application,
> will the IKEv2 stack be able to trigger an IKE/IPsec SA? I think in this case
> there will be no kernel traps installed by the IKEv2 stack. So will it be able
> to trigger an SA for that connection?
>
> Thanks & Regards,
> Vivek
>
> On Mon, Nov 1, 2010 at 6:45 PM, Andreas Steffen <
> andreas.steffen at strongswan.org> wrote:
>
>> Hello Vivek,
>>
>> this event is signalled by an XFRM ACQUIRE message via the netlink
>> kernel interface:
>>
>>
>> http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c;h=8cc9a6283014a9b237f8a000016b2146b73742ac;hb=HEAD#l514
>>
>> The netlink socket is registered to receive this kind of events:
>>
>>
>> http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c;h=8cc9a6283014a9b237f8a000016b2146b73742ac;hb=HEAD#l2199
>>
>> Best regards
>>
>> Andreas
>>
>> On 11/01/2010 01:34 PM, vivek bairathi wrote:
>> > Hi All,
>> >
>> > I want to know about the case where I set auto=route in ipsec.conf for a connection.
>> >
>> > The IKEv2 stack will install kernel traps for that connection and will
>> > initiate an SA only when it gets a packet between the leftsubnet and the
>> > rightsubnet.
>> >
>> > For this the IKEv2 stack needs a trigger from the kernel, so which interface
>> > will be used to tell the IKEv2 stack that a packet has hit its kernel traps
>> > and that it now has to initiate an IKE_SA?
>> >
>> > Thanks & Regards
>> > Vivek
>>
>> ======================================================================
>> Andreas Steffen                         andreas.steffen at strongswan.org
>> strongSwan - the Linux VPN Solution!                www.strongswan.org
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===========================================================[ITA-HSR]==
>>
>
>
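The event Andreas points at above, worked through as an added example (this is not strongSwan's code, nor anything posted in the thread). It decodes an XFRM_MSG_ACQUIRE message, the netlink event the kernel multicasts when a packet matches a trap policy installed for an auto=route connection, and then joins the XFRMNLGRP_ACQUIRE group to wait for a real one, which is what a daemon registers for. Two points relevant to Q1 are visible in the decoding: the ACQUIRE carries the selector that was hit and the reqid of the policy's template (an XFRMA_TMPL attribute following the fixed struct), and it carries no SPI at all, because a policy has none; the daemon allocates the SPI later when it installs the negotiated SA with that same reqid. The sample message (10.1.0.0/16 to 10.2.0.0/24, ESP tunnel, reqid 7), the field names of `struct acquire_info`, and the use of the rtnetlink `RTA_*` macros for attribute walking are this example's own choices; joining the multicast group needs CAP_NET_ADMIN, so the live part is expected to fail when run unprivileged.

```c
/* Added example, not strongSwan code: decode the XFRM_MSG_ACQUIRE the kernel
 * multicasts when a packet hits a trap (auto=route) policy, and optionally
 * listen for real ones on a NETLINK_XFRM socket the way an IKE daemon does. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <linux/xfrm.h>

/* What the daemon needs from an ACQUIRE: the selector that was hit and the
 * reqid the new SA must carry. No SPI is present; the daemon allocates it. */
struct acquire_info {
    uint32_t reqid;
    uint8_t  proto, mode, src_plen, dst_plen;
    uint16_t family;
    char     src[INET6_ADDRSTRLEN], dst[INET6_ADDRSTRLEN];
};

/* Decode one netlink message: 0 on success, -1 if not a usable ACQUIRE. */
int parse_acquire(const struct nlmsghdr *nlh, size_t len, struct acquire_info *out)
{
    if (!NLMSG_OK(nlh, len) || nlh->nlmsg_type != XFRM_MSG_ACQUIRE ||
        NLMSG_PAYLOAD(nlh, 0) < sizeof(struct xfrm_user_acquire))
        return -1;
    struct xfrm_user_acquire *acq = NLMSG_DATA(nlh);
    memset(out, 0, sizeof(*out));
    out->family = acq->sel.family;        out->proto = acq->id.proto;
    out->src_plen = acq->sel.prefixlen_s; out->dst_plen = acq->sel.prefixlen_d;
    inet_ntop(out->family, &acq->sel.saddr, out->src, sizeof(out->src));
    inet_ntop(out->family, &acq->sel.daddr, out->dst, sizeof(out->dst));
    /* The reqid lives in the XFRMA_TMPL attribute(s) after the fixed struct. */
    struct rtattr *rta = (struct rtattr *)((char *)acq + NLMSG_ALIGN(sizeof(*acq)));
    int rtalen = (int)nlh->nlmsg_len - (int)NLMSG_SPACE(sizeof(*acq));
    for (; rtalen > 0 && RTA_OK(rta, rtalen); rta = RTA_NEXT(rta, rtalen)) {
        if (rta->rta_type == XFRMA_TMPL &&
            (size_t)RTA_PAYLOAD(rta) >= sizeof(struct xfrm_user_tmpl)) {
            struct xfrm_user_tmpl *tmpl = RTA_DATA(rta);
            out->reqid = tmpl->reqid;
            out->mode  = tmpl->mode;
            return 0;
        }
    }
    return -1;  /* no template: nothing to negotiate */
}

/* Constructed sample (not a captured message): 10.1.0.0/16 -> 10.2.0.0/24,
 * ESP tunnel, reqid 7, as a trap policy for that subnet pair would produce. */
size_t build_sample_acquire(unsigned char *buf, size_t cap)
{
    size_t need = NLMSG_SPACE(sizeof(struct xfrm_user_acquire)) +
                  RTA_SPACE(sizeof(struct xfrm_user_tmpl));
    if (cap < need)
        return 0;
    memset(buf, 0, need);
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    nlh->nlmsg_len  = (uint32_t)need;
    nlh->nlmsg_type = XFRM_MSG_ACQUIRE;
    struct xfrm_user_acquire *acq = NLMSG_DATA(nlh);
    acq->id.proto = IPPROTO_ESP;
    acq->sel.family = AF_INET; acq->sel.prefixlen_s = 16; acq->sel.prefixlen_d = 24;
    inet_pton(AF_INET, "10.1.0.0", &acq->sel.saddr);
    inet_pton(AF_INET, "10.2.0.0", &acq->sel.daddr);
    struct rtattr *rta = (struct rtattr *)((char *)acq + NLMSG_ALIGN(sizeof(*acq)));
    rta->rta_type = XFRMA_TMPL;
    rta->rta_len  = RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
    struct xfrm_user_tmpl *tmpl = RTA_DATA(rta);
    tmpl->id.proto = IPPROTO_ESP; tmpl->family = AF_INET;
    tmpl->reqid = 7;              tmpl->mode = XFRM_MODE_TUNNEL;
    return need;
}

int main(void)
{
    uint32_t raw[256];  /* keeps the netlink structs 4-byte aligned */
    unsigned char *buf = (unsigned char *)raw;
    struct acquire_info i;
    size_t n = build_sample_acquire(buf, sizeof(raw));
    if (n && parse_acquire((struct nlmsghdr *)buf, n, &i) == 0)
        printf("sample: %s/%u -> %s/%u reqid %u\n", i.src, i.src_plen, i.dst, i.dst_plen, i.reqid);
    /* Live: join the ACQUIRE multicast group (needs CAP_NET_ADMIN) and block
     * until one trap is hit, e.g. a ping through an auto=route connection. */
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
    struct sockaddr_nl sa = { .nl_family = AF_NETLINK,
                              .nl_groups = 1u << (XFRMNLGRP_ACQUIRE - 1) };
    if (fd < 0 || bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
        perror("NETLINK_XFRM");
        return 1;
    }
    ssize_t r = recv(fd, buf, sizeof(raw), 0);
    if (r > 0 && parse_acquire((struct nlmsghdr *)buf, (size_t)r, &i) == 0)
        printf("ACQUIRE: %s/%u -> %s/%u proto %u mode %u reqid %u\n", i.src,
               i.src_plen, i.dst, i.dst_plen, i.proto, i.mode, i.reqid);
    close(fd);
    return 0;
}
```

Build with `gcc -Wall acquire.c -o acquire` on Linux and run it as root while a ping crosses an auto=route connection to see a live event. The reqid is the key the daemon uses to connect an ACQUIRE back to a policy it installed, which is why the parser treats an ACQUIRE without a template as unusable rather than guessing.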