[strongSwan] Query regarding route based security

Andreas Steffen andreas.steffen at strongswan.org
Tue Nov 2 09:39:01 CET 2010

Hi Vivek,

see my inline comments:

On 02.11.2010 08:05, vivek bairathi wrote:
> Hi Andreas,
> Thanks for your quick reply.
> I have some more queries regarding kernel_netlink interface:
> If I use auto=route in ipsec.conf file for a connection:
> Q1. Does the stack, after reading the ipsec.conf file for this connection,
> install SPD and route entries into the kernel? If yes, are the SPI
> and reqid written in the SPD the ones that are sent to the IKEv2 stack by
> the kernel in the XFRM ACQUIRE message?
An installed IPsec policy doesn't have an SPI. It is identified by
the reqid assigned by the IKEv2 daemon, and this reqid is in fact
returned by the XFRM ACQUIRE message.

> If I do not use auto=route in ipsec.conf file for a connection:
> Q2. If I send an XFRM ACQUIRE message to the IKEv2 stack using my application,
> will the IKEv2 stack be able to trigger an IKE/IPsec SA? I think in this
> case there will be no kernel traps installed by the IKEv2 stack. So will it
> be able to trigger an SA for that connection?
No, connection setup will be triggered only if the reqid is known by
the IKEv2 daemon, i.e. you must use auto=route to create the reqid.
Using a fixed reqid=<value> in the connection definition helps: if you
set installpolicy=no and let the IPsec policy be created by your
application, then you have much more control that the reqids match.

Have a look at my Mobile IPv6 example where the mipd daemon creates
the IPsec policies and triggers the IKEv2 daemon via XFRM ACQUIRE and
XFRM MIGRATE messages:


> Thanks & Regards,
> Vivek

Best regards


> On Mon, Nov 1, 2010 at 6:45 PM, Andreas Steffen
> <andreas.steffen at strongswan.org> wrote:
>     Hello Vivek,
>     this event is signalled by an XFRM ACQUIRE message via the netlink
>     kernel interface:
>     http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c;h=8cc9a6283014a9b237f8a000016b2146b73742ac;hb=HEAD#l514
>     The netlink socket is registered to receive this kind of events:
>     http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c;h=8cc9a6283014a9b237f8a000016b2146b73742ac;hb=HEAD#l2199
>     Best regards
>     Andreas
>     On 11/01/2010 01:34 PM, vivek bairathi wrote:
>     > Hi All,
>     >
>     > I want to know that if I set auto=route in ipsec.conf for a connection.
>     >
>     > The IKEv2 stack will install kernel traps for that connection and will
>     > initiate an SA only when it gets a packet between the leftsubnet and the
>     > rightsubnet.
>     >
>     > For this the IKEv2 stack needs trigger from kernel so which interface
>     > will be used to tell IKEv2 Stack that a packet has hit its kernel traps
>     > and now you have to init an IKE_SA?
>     >
>     > Thanks & Regards
>     > Vivek

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
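As an added illustration of the two cases discussed above (not part of the thread or of the strongSwan distribution), the following ipsec.conf fragment shows the reqid handling for both: a connection whose trap policies are installed by the daemon, and a connection whose SPD entries are installed by an external application, tied to the daemon by a fixed reqid. Gateway addresses, subnets, connection names and the reqid value 1234 are constructed placeholders; the authentication settings are reduced to authby=secret for brevity.

```ini
# Added example, not from the mailing-list thread.
# Addresses, subnets, connection names and the reqid are constructed.

config setup

# Case 1 (Q1): the daemon installs the SPD (trap) entries itself.
# auto=route installs policies carrying a reqid chosen by the daemon;
# a packet matching them makes the kernel emit an XFRM ACQUIRE with
# that reqid, which is how the daemon knows which connection to initiate.
conn net-to-net-route
    keyexchange=ikev2
    authby=secret
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    auto=route

# Case 2 (Q2): an external application creates the IPsec policy.
# installpolicy=no keeps the daemon from installing any SPD entry, while
# auto=route still makes the connection and its reqid known to the daemon.
# The fixed reqid is the contract with the application: the policy it
# installs must use the same reqid (1234 here, a constructed value), or
# the ACQUIRE sent by the kernel will not match any connection.
conn net-to-net-external
    keyexchange=ikev2
    authby=secret
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    reqid=1234
    installpolicy=no
    auto=route
```

The point of the second definition is that neither side is allowed to pick the reqid: the application installing the policy and the daemon resolving the ACQUIRE must agree on it in advance, which is exactly what a fixed reqid=<value> in the connection definition gives you.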
