Hi

I'm relatively new to Linux, IPsec and this mailing list, so let me know if I've posted to the wrong list or if this mail is out of scope.

Background
----------
I'm looking to develop an application that will set up IPsec security associations (SAs) and policy on demand. This application doesn't use IKE; it's a proprietary system I'm working on.

In this system, there is no requirement to set up SAs as a result of policy demand. SAs and the policy that refers to them will be programmed at the same time, so when the policy engine tries to find a suitable SA for a packet, one should always be available (or if not, the packet should be dropped).

I'd like to base my implementation on OpenSwan and the Linux kernel (ideally 2.6 and above), but I have a few questions below as to whether it would be suitable.

Requirements/Questions
----------------------
Multiple SAs need to be supported to a given endpoint (IP address). The choice of SA (for outbound packets) is controlled by the transport-level ports, so IPsec policy needs to be able to associate a specific SA with a particular flow (a flow being src+dest IP address, transport protocol and ports).

1. Is there any way to support this with OpenSwan's standard policy and SA programming APIs?

In an attempt to answer my own question, I've taken a look through the source code of the 2.4.7 release. It appears that this is supported through the SADB_X_EXT_ADDRESS_SRC_FLOW and SADB_X_EXT_ADDRESS_DST_FLOW PF_KEYv2 extensions. These appear to extract the source/dest ports from the PF_KEY sadb_message and build them into the eroute tree. Then I believe the lookup in ipsec_tunnel_SAlookup() should preferentially match eroute entries that have matching ports, addresses and protocol.

2. Can anyone confirm or deny my understanding here?

3. Is there any documentation of this feature that I should have read before posting :-)?

4. I had previously thought of the PF_KEY interface as SA programming only. Associating an SA with a flow in this way seems to verge into policy. Are there any corresponding policy changes I will need to make to get this to work?

Any answers appreciated, even if it's an answer along the lines of "this isn't supported - you're on your own".

Regards

Oli
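As an added illustration (not code from Oli's mail or from OpenSwan), here is a small C routine that builds a PF_KEYv2 SADB_ADD carrying flow-scoped address extensions, plus a bounds-checked walker that pulls the protocol/address/port selector back out, so an application like the one described can verify before submitting the message that an SA is pinned to exactly one flow and that a malformed message is rejected rather than parsed. The RFC 2367 layouts are standard; the numeric values assumed for SADB_X_EXT_ADDRESS_SRC_FLOW/DST_FLOW must be checked against the OpenSwan headers, and all addresses and ports are made up.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* RFC 2367 wire layouts (lengths in 64-bit units), declared locally so this builds on any POSIX host. */
struct sadb_msg     { uint8_t version, type, err, satype; uint16_t len, reserved; uint32_t seq, pid; };
struct sadb_address { uint16_t len, exttype; uint8_t proto, prefixlen; uint16_t reserved; };
enum { PF_KEY_V2 = 2, SADB_ADD = 3, SADB_SATYPE_ESP = 3, SADB_EXT_ADDRESS_DST = 6 };   /* RFC 2367 */
/* ASSUMED KLIPS extension numbers: confirm against include/pfkeyv2.h in your OpenSwan tree. */
enum { SADB_X_EXT_ADDRESS_SRC_FLOW = 21, SADB_X_EXT_ADDRESS_DST_FLOW = 22 };
struct flow_sel { uint32_t ip; uint16_t port; uint8_t proto; };   /* ip kept in network byte order */
/* Append one IPv4 address extension (proto + address + port): 8 + 16 bytes = 3 units. */
size_t pfkey_put_addr(uint8_t *buf, uint16_t exttype, uint8_t proto, const char *ip, uint16_t port)
{
    struct sadb_address a = { .len = 3, .exttype = exttype, .proto = proto, .prefixlen = 32 };
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(port) };
    inet_pton(AF_INET, ip, &sin.sin_addr);
    memcpy(buf, &a, sizeof a);
    memcpy(buf + sizeof a, &sin, sizeof sin);
    return 24;
}

/* Walk the extension chain with bounds checks and copy the selector of type `want`: 1 found, 0 absent, -1 malformed. */
int pfkey_get_flow(const uint8_t *msg, size_t n, uint16_t want, struct flow_sel *out)
{
    struct sadb_msg h; struct sadb_address a; struct sockaddr_in sin;
    if (n < sizeof h) return -1; memcpy(&h, msg, sizeof h);
    if (h.version != PF_KEY_V2 || (size_t)h.len * 8 != n) return -1;   /* header length must match buffer */
    for (size_t off = sizeof h; off + sizeof a <= n; off += (size_t)a.len * 8) {
        memcpy(&a, msg + off, sizeof a);   /* every ext starts with len/exttype; sizes are multiples of 8 */
        if (a.len == 0 || off + (size_t)a.len * 8 > n) return -1;      /* zero-length or overlong ext */
        if (a.exttype != want) continue;
        if ((size_t)a.len * 8 < sizeof a + sizeof sin) return -1;       /* too short to hold an address */
        memcpy(&sin, msg + off + sizeof a, sizeof sin);
        if (sin.sin_family != AF_INET) return -1;
        *out = (struct flow_sel){ sin.sin_addr.s_addr, ntohs(sin.sin_port), a.proto }; return 1;
    }
    return 0;
}
/* Constructed sample: SADB_ADD pinning the SA to TCP 10.0.0.1:4000 -> 10.0.0.2:443 (made-up
 * addresses; SA, key and lifetime extensions omitted). `buf` must be 8-byte aligned, >= 64 bytes. */
size_t build_sample_add(uint8_t *buf)
{
    size_t off = sizeof(struct sadb_msg);
    off += pfkey_put_addr(buf + off, SADB_X_EXT_ADDRESS_SRC_FLOW, IPPROTO_TCP, "10.0.0.1", 4000);
    off += pfkey_put_addr(buf + off, SADB_X_EXT_ADDRESS_DST_FLOW, IPPROTO_TCP, "10.0.0.2", 443);
    struct sadb_msg h = { .version = PF_KEY_V2, .type = SADB_ADD, .satype = SADB_SATYPE_ESP, .len = (uint16_t)(off / 8), .seq = 1 };
    memcpy(buf, &h, sizeof h);
    return off;
}
```

The walker rejects a message whose header length disagrees with the buffer or whose extension lengths run past it, which is the check a daemon should perform on anything read back from the PF_KEY socket before trusting the selectors.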