[strongSwan] Query regarding route based security

Andreas Steffen andreas.steffen at strongswan.org
Tue Nov 2 09:39:01 CET 2010


Hi Vivek,

see my inline comments:

On 02.11.2010 08:05, vivek bairathi wrote:
> Hi Andreas,
>  
> Thanks for your quick reply.
>  
> I have some more queries regarding kernel_netlink interface:
>  
> If I use auto=route in ipsec.conf file for a connection:
> Q1. Does the stack, after reading the ipsec.conf file for this connection,
> install SPD and route entries into the kernel? If yes, then are the SPI
> and reqid written in the SPD the ones that are sent to the IKEv2 stack by
> the kernel in the XFRM ACQUIRE message?
>
An installed IPsec policy doesn't have an SPI. It is identified by
the reqid assigned by the IKEv2 daemon and this reqid is in fact
returned by the XFRM ACQUIRE message.

> If I do not use auto=route in ipsec.conf file for a connection:
> Q2. If I send an XFRM ACQUIRE message to the IKEv2 stack using my application,
> will the IKEv2 stack be able to trigger an IKE/IPsec SA? I think in this
> case there will be no kernel traps installed by the IKEv2 stack. So will it
> be able to trigger an SA for that connection?
>
no, connection setup will be triggered only if the reqid is known by
the IKEv2 daemon, i.e. you must use auto=route to create the reqid.
Using a fixed reqid=<value> in the connection definition helps because
if you set installpolicy=no, and let the IPsec policy be created by
your application then you have much more control that the reqids match.

Have a look at my Mobile IPv6 example where the mipd daemon creates
the IPsec policies and triggers the IKEv2 daemon via XFRM ACQUIRE and
XFRM MIGRATE messages:

http://wiki.strongswan.org/projects/strongswan/wiki/MobileIPv6

> Thanks & Regards,
> Vivek
> 

Best regards

Andreas

> On Mon, Nov 1, 2010 at 6:45 PM, Andreas Steffen
> <andreas.steffen at strongswan.org <mailto:andreas.steffen at strongswan.org>>
> wrote:
> 
>     Hello Vivek,
> 
>     this event is signalled by an XFRM ACQUIRE message via the netlink
>     kernel interface:
> 
>     http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c;h=8cc9a6283014a9b237f8a000016b2146b73742ac;hb=HEAD#l514
> 
>     The netlink socket is registered to receive this kind of events:
> 
>     http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c;h=8cc9a6283014a9b237f8a000016b2146b73742ac;hb=HEAD#l2199
> 
>     Best regards
> 
>     Andreas
> 
>     On 11/01/2010 01:34 PM, vivek bairathi wrote:
>     > Hi All,
>     >
>     > I want to know that if I set auto=route in ipsec.conf for a
>     connection.
>     >
>     > The IKEv2 stack will install kernel traps for that connection and will
>     > initiate an SA only when it gets a packet between the leftsubnet
>     and the
>     > rightsubnet.
>     >
>     > For this the IKEv2 stack needs trigger from kernel so which interface
>     > will be used to tell IKEv2 Stack that a packet has hit its kernel
>     traps
>     > and now you have to init an IKE_SA?
>     >
>     > Thanks & Regards
>     > Vivek

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
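An added example (not part of the thread and not taken from the strongSwan sources) of the combination Andreas describes: a connection with auto=route, installpolicy=no and a fixed reqid, next to the IPsec policies the application would install itself so that the reqid carried in the kernel's XFRM ACQUIRE is one the daemon already knows. Addresses, subnets, the connection name and the reqid value are constructed placeholders.

```conf
# ipsec.conf (constructed example): charon registers this connection as a
# trap with reqid 1 (auto=route) but installs no SPD entries of its own
# (installpolicy=no); the application owns the kernel policies.
conn app-managed
        left=192.0.2.1
        leftsubnet=10.1.0.0/16
        right=198.51.100.1
        rightsubnet=10.2.0.0/16
        reqid=1
        installpolicy=no
        auto=route

# The application installs the policies with the same selectors, the same
# tunnel endpoints and the same reqid, e.g. with iproute2:
#
#   ip xfrm policy add dir out src 10.1.0.0/16 dst 10.2.0.0/16 \
#       tmpl src 192.0.2.1 dst 198.51.100.1 proto esp mode tunnel reqid 1
#   ip xfrm policy add dir in  src 10.2.0.0/16 dst 10.1.0.0/16 \
#       tmpl src 198.51.100.1 dst 192.0.2.1 proto esp mode tunnel reqid 1
#
# The first outbound packet matching the "out" policy makes the kernel
# send XFRM ACQUIRE with reqid 1. Because the daemon knows reqid 1 from the
# auto=route trap, it initiates the IKE_SA and CHILD_SA. An ACQUIRE for a
# reqid the daemon never assigned (the situation in Q2) triggers nothing.
```

Check the match with `ip xfrm policy` before testing: a reqid, selector or template that differs from the conn definition is the usual reason an ACQUIRE arrives but no IKE_SA is started.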