[strongSwan] Is there any way to specify/configure different initiator_tsr for each initiator?

Chinmaya Dwibedy ckdwibedy at yahoo.com
Wed May 20 11:27:35 CEST 2015


Hi Martin,

Thank you for this information. We have modified the strongswan (5.2.2) code to bypass the strongSwan's IPsec Linux kernel interface. We do have our own SPD and SAD table. As per the implementation, an SPD entry would contain the destination IP as selector field and uses the same as a key to search the SPD table. In install() function (src/libcharon/sa/child_sa.c), we populate the SPD based upon the dst_ts->get_from_address(dst_ts). At IKE Initiator end, it will have same destination IP address for all the Child SAs. It results in one SPD entry.

11[IKE] <load-test|1> CHILD_SA load-test{1} established with SPIs cb8db1db_i 6e4c2042_o and TS 50.0.0.1/32 === 40.0.0.0/8
12[IKE] <load-test|2> CHILD_SA load-test{2} established with SPIs cc0db1dc_i 6b4c2043_o and TS 50.0.0.2/32 === 40.0.0.0/8

We need different IP address of the same subnet to be populated in SPD (using load tester plugin) as follows:

11[IKE] <load-test|1> CHILD_SA load-test{1} established with SPIs cb8db1db_i 6e4c2042_o and TS 50.0.0.1/32 === 40.0.0.1/8
12[IKE] <load-test|2> CHILD_SA load-test{2} established with SPIs cc0db1dc_i 6b4c2043_o and TS 50.0.0.2/32 === 40.0.0.2/8

Would it solve our issue if I do appropriate modification in add_ts() function from load_tester_config.c? If not, please suggest what should be done to accomplish the same. Thanks in advance.

Regards,
Chinmaya


On Wednesday, May 20, 2015 12:52 PM, Martin Willi <martin at strongswan.org> wrote:

Hi,

> all CHILD SAs will have the same traffic selector (i.e., 40.0.0.1/8)
> on responder side, as proposed by initiator. Is there any way to
> specify/configure different initiator_tsr for each initiator?

Currently all initiators use the same subnet as defined with
initiator_tsr. So no, there is currently no way to define individual
subnets for each client.

There is, however, a %unique port option you can use, such as
initiator_tsr=40.0.0.1/8[udp/%unique]. This selects a single port for
each initiator TSr, starting at 1025. This at least results in unique
policies on your gateway under test, but not sure what you intend to
test.

If that is not sufficient, have a look at the add_ts() function from
load_tester_config.c. It shouldn't be too hard to use a distinct subnet
for each initiator, similar to what we do with these %unique ports.

Regards
Martin
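A self-contained sketch of the per-initiator derivation discussed above (a distinct host address inside the configured subnet, plus a %unique port starting at 1025), added here as an illustration; it is not strongSwan's add_ts() code, and the "addr/len[proto/port]" input string, the 0-based initiator index and the ts_t struct are assumptions of this example:

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-initiator traffic selector (not a strongSwan type). */
typedef struct {
    char addr[INET_ADDRSTRLEN];  /* host address offset by initiator index */
    int  prefix;                 /* CIDR length copied from the config string */
    char proto[8];               /* "udp", "tcp", or "" when no [..] suffix */
    int  port;                   /* 0 = any; %unique -> 1025 + index */
} ts_t;

/* Expand a spec such as "40.0.0.1/8[udp/%unique]" for initiator `idx`.
 * The host part is advanced by idx so every initiator gets its own
 * address (40.0.0.1, 40.0.0.2, ...); a %unique port is 1025 + idx, as
 * described in the thread. Returns 0 on success, -1 when the spec does
 * not parse or the offset address would fall outside the subnet. */
int derive_ts(const char *spec, unsigned idx, ts_t *out)
{
    char ip[INET_ADDRSTRLEN], proto[8] = "", port[16] = "";
    int prefix = 32;
    struct in_addr base, off;
    uint32_t b, host, mask;

    memset(out, 0, sizeof(*out));
    if (sscanf(spec, "%15[0-9.]/%d[%7[a-z]/%15[^]]]", ip, &prefix, proto, port) < 1)
        return -1;
    if (prefix < 0 || prefix > 32 || inet_pton(AF_INET, ip, &base) != 1)
        return -1;

    b    = ntohl(base.s_addr);
    mask = prefix ? 0xffffffffu << (32 - prefix) : 0;
    host = b + idx;
    if (host < b || (host & mask) != (b & mask))
        return -1;                         /* ran out of hosts in the subnet */
    off.s_addr = htonl(host);
    inet_ntop(AF_INET, &off, out->addr, sizeof(out->addr));

    out->prefix = prefix;
    strcpy(out->proto, proto);
    if (strcmp(port, "%unique") == 0)
        out->port = 1025 + (int)idx;       /* one port per initiator */
    else if (port[0])
        out->port = atoi(port);
    return out->port > 65535 ? -1 : 0;
}
```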
