[strongSwan] PF_KEY with IPv4+IPv6 in charon
Jay Sharma
jay.sharma at gmail.com
Thu Mar 21 13:15:50 CET 2013
Hi Andreas,
I revisited this problem last week and looked around the code. With the below
patch I am able to make the IPv6-in-IPv4 scenario work under PFKEY. Can you
please review?
*StrongSwan Patch*
diff -Naur o/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
m/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
--- o/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c 2013-03-16
21:54:15.071773208 +0530
+++ m/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c 2013-03-16
21:53:20.429772870 +0530
@@ -98,6 +98,10 @@
#define IPV6_IPSEC_POLICY 34
#endif
+#ifndef XFRM_STATE_AF_UNSPEC
+#define XFRM_STATE_AF_UNSPEC 32
+#endif
+
/** default priority of installed policies */
#define PRIO_LOW 1024
#define PRIO_HIGH 512
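Review bot: the new define reuses the kernel-internal name XFRM_STATE_AF_UNSPEC for a bit that is actually transmitted in the PF_KEY sadb_sa_flags field, while the kernel side of this series names that same bit SADB_SAFLAGS_AF_UNSPEC; use the SADB name here (e.g. `#ifndef SADB_SAFLAGS_AF_UNSPEC` / `#define SADB_SAFLAGS_AF_UNSPEC 0x00000020`) so the two headers cannot drift apart, and add a comment recording that this value must match the kernel's pfkeyv2.h. As written, the `#ifndef` guard would also silently pick up a real XFRM_STATE_AF_UNSPEC from a netlink header if one is ever included here, which is a different constant namespace from the PF_KEY flags.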
@@ -1252,6 +1256,8 @@
sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
+ if (mode == MODE_TUNNEL)
+ sa->sadb_sa_flags |= XFRM_STATE_AF_UNSPEC;
PFKEY_EXT_ADD(msg, sa);
sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
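Review bot: the flag is set unconditionally for every tunnel-mode SA, so it is sent to any PF_KEY kernel this plugin runs against, not only a Linux kernel carrying the matching af_key change; gate it behind a Linux-specific build condition (or a runtime capability check) and add a comment explaining that the bit lets a tunnel-mode SA carry inner packets of either address family. Note also that the af_key hunks below only test the bits they know, so an unpatched kernel will not report an error for the unknown bit and the IPv6-in-IPv4 case simply keeps failing silently; that failure mode is worth a log line on the userspace side.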
*Kernel Patch*
diff -Naur o/include/linux/pfkeyv2.h m/include/linux/pfkeyv2.h
--- o/include/linux/pfkeyv2.h 2013-03-16 21:44:48.217772984 +0530
+++ m/include/linux/pfkeyv2.h 2013-03-16 21:45:30.016773292 +0530
@@ -268,6 +268,7 @@
#define SADB_SAFLAGS_NOPMTUDISC 0x20000000
#define SADB_SAFLAGS_DECAP_DSCP 0x40000000
#define SADB_SAFLAGS_NOECN 0x80000000
+#define SADB_SAFLAGS_AF_UNSPEC 32
/* Security Association states */
#define SADB_SASTATE_LARVAL 0
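Review bot: the value is written as decimal 32 while every neighbouring SADB_SAFLAGS_ definition uses eight-digit hex; write it as `0x00000020` for consistency and so a reader can see at a glance that it does not overlap the existing 0x20000000/0x40000000/0x80000000 bits. A comment should also state that the value intentionally equals the XFRM_STATE_AF_UNSPEC used by the userspace hunk but is an independent PF_KEY ABI bit, and since this is a user-visible kernel header change it needs to go upstream rather than only to this list.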
diff -Naur o/net/key/af_key.c m/net/key/af_key.c
--- o/net/key/af_key.c 2013-03-06 21:44:48.222773308 +0530
+++ m/net/key/af_key.c 2013-03-06 21:45:30.047772952 +0530
@@ -836,6 +836,8 @@
sa->sadb_sa_flags |= SADB_SAFLAGS_DECAP_DSCP;
if (x->props.flags & XFRM_STATE_NOPMTUDISC)
sa->sadb_sa_flags |= SADB_SAFLAGS_NOPMTUDISC;
+ if (x->props.flags & XFRM_STATE_AF_UNSPEC)
+ sa->sadb_sa_flags |= SADB_SAFLAGS_AF_UNSPEC;
/* hard time */
if (hsc & 2) {
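Review bot: the export mapping mirrors the existing NOPMTUDISC line, which is fine; the one follow-up is that this path also feeds SA dumps, so every PF_KEY consumer will now see the new bit, and the flag therefore needs to be documented next to the other SADB_SAFLAGS_* values rather than only in the strongSwan patch.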
@@ -1103,6 +1105,8 @@
x->props.flags |= XFRM_STATE_DECAP_DSCP;
if (sa->sadb_sa_flags & SADB_SAFLAGS_NOPMTUDISC)
x->props.flags |= XFRM_STATE_NOPMTUDISC;
+ if (sa->sadb_sa_flags & SADB_SAFLAGS_AF_UNSPEC)
+ x->props.flags |= XFRM_STATE_AF_UNSPEC;
lifetime = (struct sadb_lifetime*) ext_hdrs[SADB_EXT_LIFETIME_HARD-1];
if (lifetime != NULL) {
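Review bot: the import side accepts the bit from any PF_KEY sender regardless of SA mode, whereas the userspace hunk only sets it for MODE_TUNNEL; consider ignoring or rejecting it for transport-mode SAs so the invariant the sender relies on is enforced by the kernel too. It would also help to note in the commit message that this assignment must stay ahead of the selector-family fix-up later in this file, since that check reads x->props.flags.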
@@ -1220,7 +1224,7 @@
x->sel.prefixlen_s = addr->sadb_address_prefixlen;
}
- if (!x->sel.family)
+ if (!x->sel.family && !(x->props.flags & XFRM_STATE_AF_UNSPEC))
x->sel.family = x->props.family;
if (ext_hdrs[SADB_X_EXT_NAT_T_TYPE-1]) {
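Review bot: with the flag set this now leaves x->sel.family at zero on purpose, which is what makes the SA match both inner families; that rationale belongs in a comment on this line and the commit message should say it mirrors the equivalent condition in the netlink SA-construction path, otherwise a later reader is likely to "fix" the missing family assignment back. Please also confirm nothing further down in this function assumes x->sel.family is non-zero.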
Thanks,
Jay
On Wed, Jan 30, 2013 at 12:50 AM, Mikael Magnusson <mikma264 at gmail.com> wrote:
> If you use Linux, then netlink is required for IPv6-in-IPv4 support in
> ESP, AFAIK.
>
> /Mikael
>
>
> On 01/29/2013 06:18 PM, Jay Sharma wrote:
>
> Hi Andreas,
>
> Thanks for your reply. I checked the example scenarios but it does not
> list any case with IPv6-in-IPv4 for PFKEY.
>
> My setup is similar to the one here -
>
> http://www.strongswan.org/uml/testresults45/ipv6/net2net-ip6-in-ip4-ikev2/index.html
> [except that I do not have "bob" and there is a sit tunnel between alice
> and moon].
>
> So, does charon (strongswan 4.5.1) support PF_KEY messages for
> IPv6-in-IPv4 environment? The moment I re-configure strongswan without
> --enable-kernel-pfkey, the traffic goes through fine.
>
> Thanks,
> Jay
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>