[Openswan dev] Using the spi in a script
Ken Bantoft
ken at xelerance.com
Sat Nov 19 18:41:55 CET 2005
On Fri, 18 Nov 2005, John A. Sullivan III wrote:
> On Fri, 2005-11-18 at 17:46 +0100, Ken Bantoft wrote:
>> On Tue, 15 Nov 2005, John A. Sullivan III wrote:
>>
>>> We'd like to work around that problem by tying the rules to the spi
>>> using the iptables espspi match. However, how and when do we learn what
>>> the spi is and how do we pass it to a script from which we can make
>>> these rules? Is it correct to assume that the spi is going to change
>>> with every phase II rekey? If so, is there any hook in the process where
>>> we can run a script and pass to it the value of the spi? Thanks - John
>>
>> IIRC, the SPI is not currently passed to _updown. You'd need to modify
>> pluto slightly to include the SPI into the environment variables set when
>> calling _updown.
>>
>>
> Thanks, Ken (and belated congratulations, by the way). That leaves me
> with two questions. The updown script runs on initial connection. Does
> the SPI change after that initial connection, e.g., at rekeying?
Thanks! Yes, SPI is subject to change during rekeying, it's not a
constant. I think you're best using a combination of DN+Peer ID+IPs.
> Is it reasonable to pass this along as a feature request?
Yes, but I don't think you want it anymore ;)
Ken
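A hook in the spirit of Ken's advice, added here as an example and not Openswan's own _updown script: it keys the iptables rule on the peer's ID and addresses, which survive a phase 2 rekey, rather than on the SPI, which does not. It assumes the PLUTO_VERB, PLUTO_PEER, PLUTO_PEER_ID, PLUTO_PEER_CLIENT and PLUTO_MY_CLIENT variables that pluto exports when it calls _updown.

```shell
#!/bin/sh
# Added example (not Openswan's _updown): a hook fragment that keys the
# firewall rule on the peer's identity and addresses instead of the SPI,
# because the SPI changes at every phase 2 rekey while these do not.
# Assumes the PLUTO_VERB, PLUTO_PEER, PLUTO_PEER_ID, PLUTO_PEER_CLIENT and
# PLUTO_MY_CLIENT variables that pluto exports when it calls _updown.

# IPTABLES can be pointed at "echo" to dry-run the hook without root.
IPTABLES=${IPTABLES:-iptables}

# Install (up-client) or remove (down-client) the FORWARD rule for one
# tunnel.  Arguments: verb, peer address, peer ID, peer subnet, our subnet.
# Returns 1 for verbs this hook does not handle (route/unroute, host modes).
ipsec_rule() {
    verb=$1; peer=$2; peer_id=$3; peer_client=$4; my_client=$5
    case "$verb" in
        up-client)   action=-I ;;
        down-client) action=-D ;;
        *)           return 1 ;;
    esac
    # Arguments are passed as separate words, never assembled into one
    # string and eval'ed, so a peer ID (a certificate DN) containing spaces
    # or shell metacharacters cannot alter the command.  The comment records
    # which peer the rule belongs to; a real deployment would also restrict
    # the match to decrypted traffic (e.g. the ipsecN interface with KLIPS).
    "$IPTABLES" "$action" FORWARD -s "$peer_client" -d "$my_client" \
        -m comment --comment "ipsec:$peer_id@$peer" -j ACCEPT
}

# When pluto invokes the script, act on the exported variables; the exit
# status of iptables becomes the script's exit status.
if [ -n "$PLUTO_VERB" ]; then
    ipsec_rule "$PLUTO_VERB" "$PLUTO_PEER" "$PLUTO_PEER_ID" \
               "$PLUTO_PEER_CLIENT" "$PLUTO_MY_CLIENT"
fi
```

Run with `IPTABLES=echo PLUTO_VERB=up-client ...` to see the rule it would install for a given peer before wiring it in as leftupdown=.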