[Openswan dev] Using the spi in a script

John A. Sullivan III jsullivan at opensourcedevel.com
Fri Nov 18 16:17:08 CET 2005


On Fri, 2005-11-18 at 17:46 +0100, Ken Bantoft wrote:
> On Tue, 15 Nov 2005, John A. Sullivan III wrote:
> 
> > Hello, all.  We would like to improve the means by which we dynamically
> > alter iptables rules when Road Warriors connect in the ISCS network
> > security management project (http://iscs.sourceforge.net).  We currently
> > do this with an updown script and pull the DN, CA, IP address etc., from
> > the variables exposed to the script.  We thus tie the rules to the IP
> > address.  That has limitations when two people try to connect with the
> > same IP address (e.g., with the same internal address but behind
> > different NAT gateways).
> >
> > We'd like to work around that problem by tying the rules to the spi
> > using the iptables espspi match.  However, how and when do we learn what
> > the spi is and how do we pass it to a script from which we can make
> > these rules? Is it correct to assume that the spi is going to change
> > with every phase II rekey? If so, is there any hook in the process where
> > we can run a script and pass to it the value of the spi? Thanks - John
> 
> IIRC, the SPI is not currently passed to _updown.  You'd need to modify 
> pluto slightly to include the SPI into the environment variables set when 
> calling _updown.
> 
> 
Thanks, Ken (and belated congratulations, by the way).  That leaves me
with two questions.  The updown script runs on initial connection.  Does
the SPI change after that initial connection, e.g., at rekeying?

Is it reasonable to pass this along as a feature request?

Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com
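As an added illustration of the hook being discussed (this is not Openswan's _updown script nor anything posted in the thread): a minimal updown-style helper that turns the up-client/down-client verbs into an add/delete of one iptables rule, keyed on the ESP SPI when one is available and falling back to the client address otherwise. PLUTO_VERB, PLUTO_PEER, PLUTO_PEER_CLIENT and PLUTO_PEER_ID are the real variables Openswan exports to _updown; PLUTO_SPI is a hypothetical name standing in for the SPI that pluto does not yet export.

```shell
#!/bin/sh
# Added example, not Openswan's _updown.  build_rule prints the iptables
# command it would run instead of executing it, so the verb-to-rule mapping
# can be checked without touching a live firewall.
#
# build_rule VERB PEER_ADDR PEER_CLIENT SPI
#   VERB        PLUTO_VERB   (up-client, down-client, ...)
#   PEER_ADDR   PLUTO_PEER   (road warrior's outer address)
#   PEER_CLIENT PLUTO_PEER_CLIENT (inner subnet, e.g. 10.0.0.7/32)
#   SPI         hypothetical PLUTO_SPI, inbound ESP SPI of the new SA ("" if unknown)
build_rule() {
    verb=$1 peer=$2 client=$3 spi=$4
    case "$verb" in
        up-client)   action=-A ;;   # SA established: add the rule
        down-client) action=-D ;;   # SA torn down: delete the same rule
        *)           return 0 ;;    # up-host, prepare-client, ...: nothing to do
    esac
    if [ -n "$spi" ]; then
        # The esp match sees the outer ESP packet, so the rule lives on INPUT.
        # The SPI is unique per SA, which is what separates two road warriors
        # arriving with the same inner address behind different NAT gateways.
        # Because the SPI changes whenever the SA is replaced, the rule must
        # be deleted and re-added together with the SA it matches.
        echo "iptables $action INPUT -s $peer -p esp -m esp --espspi $spi -j ACCEPT"
    else
        # Fallback used today: match the decrypted inner traffic by client address.
        echo "iptables $action FORWARD -s $client -j ACCEPT"
    fi
}

# When invoked by pluto the parameters arrive in the environment.
if [ -n "$PLUTO_VERB" ]; then
    cmd=$(build_rule "$PLUTO_VERB" "$PLUTO_PEER" "$PLUTO_PEER_CLIENT" "$PLUTO_SPI")
    if [ -n "$cmd" ]; then
        echo "$cmd"   # replace with: eval "$cmd"  to actually apply the rule
    fi
fi
```

The SPI-keyed rule and the address-keyed rule sit in different chains because the SPI is only visible on the still-encrypted ESP packet, not on the decrypted traffic that is forwarded afterwards.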