[Openswan dev] Using the spi in a script
Ken Bantoft
ken at xelerance.com
Fri Nov 18 17:46:15 CET 2005
On Tue, 15 Nov 2005, John A. Sullivan III wrote:
> Hello, all. We would like to improve the means by which we dynamically
> alter iptables rules when Road Warriors connect in the ISCS network
> security management project (http://iscs.sourceforge.net). We currently
> do this with an updown script and pull the DN, CA, IP address etc., from
> the variables exposed to the script. We thus tie the rules to the IP
> address. That has limitations when two people try to connect with the
> same IP address (e.g., with the same internal address but behind
> different NAT gateways).
>
> We'd like to work around that problem by tying the rules to the spi
> using the iptables espspi match. However, how and when do we learn what
> the spi is and how do we pass it to a script from which we can make
> these rules? Is it correct to assume that the spi is going to change
> with every phase II rekey? If so, is there any hook in the process where
> we can run a script and pass to it the value of the spi? Thanks - John
IIRC, the SPI is not currently passed to _updown. You'd need to modify
pluto slightly to include the SPI into the environment variables set when
calling _updown.
--
Ken Bantoft VP Business Development
ken at xelerance.com Xelerance Corporation
sip://toronto.xelerance.com http://www.xelerance.com
Whoever changed sk_alloc's argument order of a bool and a mem address
location deserves to be on a life support system running said kernel.
-- Paul Wouters
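As an added illustration of the mechanism discussed in this thread (this is example code, not part of the original post and not Openswan's own _updown script): a minimal updown-style hook that keys an iptables rule on the SPI. PLUTO_VERB, PLUTO_PEER, PLUTO_PEER_ID and PLUTO_PEER_CA are variables pluto really exports to _updown; PLUTO_SPI is an assumed name for the extra variable a patched pluto would export, as the reply suggests. The command is printed rather than executed so the logic can be exercised without root; on a real gateway you would pipe the output to sh or drop the echo.

```shell
#!/bin/sh
# Added example, not Openswan code. PLUTO_VERB/PLUTO_PEER are real _updown
# variables; PLUTO_SPI is an ASSUMED variable that a patched pluto would set.

# Build the iptables command for one IPsec SA.
#   $1  PLUTO_VERB   (up-client adds the rule, down-client removes it)
#   $2  PLUTO_PEER   (outer address of the road warrior or its NAT gateway)
#   $3  PLUTO_SPI    (inbound SPI as hex, e.g. 0x1a2b3c4d; assumed variable)
build_rule() {
    verb="$1"
    peer="$2"
    spi="$3"
    case "$verb" in
        up-client)   action="-A" ;;
        down-client) action="-D" ;;
        *)           return 0 ;;   # prepare/route/unroute carry no SA yet
    esac
    case "$spi" in
        0x[0-9a-fA-F]*) ;;
        *) echo "build_rule: bad SPI '$spi'" >&2; return 1 ;;
    esac
    # Match the raw ESP packet from this peer by SPI. Every phase 2 rekey
    # installs a new SA with a fresh SPI, so pluto has to call this hook
    # again (down-client for the old SA, up-client for the new one).
    echo "iptables $action INPUT -s $peer -p esp -m esp --espspi $spi -j ACCEPT"
}

# Entry point when pluto invokes the script: everything comes from the env.
updown_main() {
    build_rule "${PLUTO_VERB}" "${PLUTO_PEER}" "${PLUTO_SPI}"
}
```

Two caveats when using this for real: the esp match only sees the encrypted packet, so it controls which ESP traffic the gateway accepts, not what the decrypted inner packets may reach; and a road warrior behind NAT normally uses NAT-T, in which case ESP arrives inside UDP port 4500 and `-p esp` does not match it at all.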