[strongSwan] Query regarding route based security
Andreas Steffen
andreas.steffen at strongswan.org
Tue Nov 2 09:39:01 CET 2010
Hi Vivek,
see my inline comments:
On 02.11.2010 08:05, vivek bairathi wrote:
> Hi Andreas,
>
> Thanks for your quick reply.
>
> I have some more queries regarding kernel_netlink interface:
>
> If I use auto=route in ipsec.conf file for a connection:
> Q1. Does the stack after reading the ipsec.conf file for this connection
> installs SPD and route entries into the kernel? If yes then is the SPI
> and reqid written in SPD are the one that is sent to IKEv2 stack by
> kernel in XFRM ACQUIRE message?
>
An installed IPsec policy doesn't have an SPI. It is identified by
the reqid assigned by the IKEv2 daemon and this reqid is in fact
returned by the XFRM ACQUIRE message.
> If I do not use auto=route in ipsec.conf file for a connection:
> Q2. I send an XFRM ACQUIRE message to IKEv2 stack using my application
> will the IKEv2 stack be able to trigger an IKE/IPSEC SA. I think in this
> case there will be no kernel traps installed by IKEv2 stack. So will it
> be able to trigger an SA for that connection?
>
No, connection setup will be triggered only if the reqid is known by
the IKEv2 daemon, i.e. you must use auto=route to create the reqid.
Using a fixed reqid=<value> in the connection definition helps because
if you set installpolicy=no, and let the IPsec policy be created by
your application then you have much more control that the reqids match.
Have a look at my Mobile IPv6 example where the mipd daemon creates
the IPsec policies and triggers the IKEv2 daemon via XFRM ACQUIRE and
XFRM MIGRATE messages:
http://wiki.strongswan.org/projects/strongswan/wiki/MobileIPv6
> Thanks & Regards,
> Vivek
>
Best regards
Andreas
> On Mon, Nov 1, 2010 at 6:45 PM, Andreas Steffen
> <andreas.steffen at strongswan.org> wrote:
>
> Hello Vivek,
>
> this event is signalled by an XFRM ACQUIRE message via the netlink
> kernel interface:
>
> http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c;h=8cc9a6283014a9b237f8a000016b2146b73742ac;hb=HEAD#l514
>
> The netlink socket is registered to receive this kind of events:
>
> http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c;h=8cc9a6283014a9b237f8a000016b2146b73742ac;hb=HEAD#l2199
>
> Best regards
>
> Andreas
>
> On 11/01/2010 01:34 PM, vivek bairathi wrote:
> > Hi All,
> >
> > I want to know that if I set auto=route in ipsec.conf for a connection.
> >
> > The IKEv2 stack will install kernel traps for that connection and will
> > initiate an SA only when it gets a packet between the leftsubnet and the
> > rightsubnet.
> >
> > For this the IKEv2 stack needs trigger from kernel so which interface
> > will be used to tell IKEv2 Stack that a packet has hit its kernel traps
> > and now you have to init an IKE_SA?
> >
> > Thanks & Regards
> > Vivek
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
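The reqid matching that Andreas describes above (a fixed reqid= in the conn, installpolicy=no, and the IPsec policies installed by the application) is easy to get wrong, so here is an added example that checks it: it is not code from this thread or from strongSwan, and the conn name, reqid values, addresses and the `ip xfrm policy`-shaped dump are all constructed.

```python
import re
# Constructed sample conn: pinned reqid, policy installation left to the application.
IPSEC_CONF = """\
conn app-managed
    auto=route
    installpolicy=no
    reqid=10
"""

# Constructed sample in the shape of `ip xfrm policy` output; the "in"
# policy was installed by the application with a reqid the conn does not use.
XFRM_POLICY = """\
src 10.1.0.0/16 dst 10.2.0.0/16
\tdir out priority 0 ptype main
\ttmpl src 192.0.2.1 dst 198.51.100.1
\t\tproto esp reqid 10 mode tunnel
src 10.2.0.0/16 dst 10.1.0.0/16
\tdir in priority 0 ptype main
\ttmpl src 198.51.100.1 dst 192.0.2.1
\t\tproto esp reqid 11 mode tunnel
"""

def conn_reqids(conf):
    """Map conn name -> fixed reqid for each conn that sets reqid= in ipsec.conf."""
    reqids, conn = {}, None
    for line in conf.splitlines():
        if m := re.match(r"conn\s+(\S+)", line):
            conn = m.group(1)
        elif conn and (m := re.match(r"\s+reqid\s*=\s*(\d+)", line)):
            reqids[conn] = int(m.group(1))
    return reqids

def policy_reqids(dump):
    """List (selector, direction, reqid) for each template in an ip xfrm policy dump."""
    found, selector, direction = [], None, None
    for line in dump.splitlines():
        s = line.strip()
        if s.startswith("src "):
            selector = s
        elif s.startswith("dir "):
            direction = s.split()[1]
        elif m := re.search(r"\breqid (\d+)", s):
            found.append((selector, direction, int(m.group(1))))
    return found

def mismatched_policies(conf, dump, conn):
    """Policies whose template reqid differs from the conn's fixed reqid; an ACQUIRE
    for them carries a reqid the IKEv2 daemon does not know, so no SA is set up."""
    want = conn_reqids(conf)[conn]
    return [p for p in policy_reqids(dump) if p[2] != want]
```

On a live system, feed the real `ip xfrm policy` output into `mismatched_policies` to find policies whose ACQUIRE the daemon would ignore.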