[Openswan dev] Using the spi in a script

John A. Sullivan III jsullivan at opensourcedevel.com
Sat Nov 19 22:55:44 CET 2005


On Sat, 2005-11-19 at 18:41 +0100, Ken Bantoft wrote:
> On Fri, 18 Nov 2005, John A. Sullivan III wrote:
> 
> > On Fri, 2005-11-18 at 17:46 +0100, Ken Bantoft wrote:
> >> On Tue, 15 Nov 2005, John A. Sullivan III wrote:
> >>
> >>> We'd like to work around that problem by tying the rules to the spi
> >>> using the iptables espspi match.  However, how and when do we learn what
> >>> the spi is and how do we pass it to a script from which we can make
> >>> these rules? Is it correct to assume that the spi is going to change
> >>> with every phase II rekey? If so, is there any hook in the process where
> >>> we can run a script and pass to it the value of the spi? Thanks - John
> >>
> >> IIRC, the SPI is not currently passed to _updown.  You'd need to modify
> >> pluto slightly to include the SPI into the environment variables set when
> >> calling _updown.
> >>
> >>
> > Thanks, Ken (and belated congratulations, by the way).  That leaves me
> > with two questions.  The updown script runs on initial connection.  Does
> > the SPI change after that initial connection, e.g., at rekeying?
> 
> Thanks!  Yes, SPI is subject to change during rekeying, it's not a 
> constant.  I think you're best using a combination of DN+Peer ID+IPs
Thanks, Ken.  That's what we do now but it's not perfect.  We grab the
DN and CA and cache the IP address against it in iptables rules.
However, that precludes allowing another user with the same IP since I
cannot use the DN as a criterion for iptables.  That's why I was looking
at espspi and then marking the packet.

However, that presents another problem -- how do we trigger an update of
the iptables rules every time the spi changes.  I don't think there is
any hook to call a script anywhere during rekeying, is there?
> 
> > Is it reasonable to pass this along as a feature request?
> 
> Yes, but I don't think you want it anymore ;)
> 
> Ken
<snip>
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com
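As an added example (not code from this thread or from Openswan), a dry-run sketch of the DN-to-IP caching that John describes above, written as an _updown-style shell function. It assumes the PLUTO_VERB, PLUTO_PEER_ID and PLUTO_PEER_CLIENT variables that pluto exports to _updown; the chain names and the allowed-DN table are made up.

```shell
#!/bin/sh
# Added example, not code from this thread or from Openswan. A dry-run
# sketch of the DN-to-IP caching described in the message above: pluto
# runs _updown with PLUTO_VERB, PLUTO_PEER_ID (the peer's DN) and
# PLUTO_PEER_CLIENT (the peer's inner address) in the environment; this
# maps the DN to a per-identity chain and keys a FORWARD rule on the address.
# Commands are echoed rather than executed so it runs without root;
# the chain names and the allowed-DN table below are assumptions.

IPT="echo iptables"   # set to /sbin/iptables to apply the rules for real

# Map a peer DN to the chain holding that identity's policy (assumed table).
chain_for_dn() {
    case "$1" in
        "C=US, O=Example, CN=alice") echo "VPN_ALICE" ;;
        "C=US, O=Example, CN=bob")   echo "VPN_BOB" ;;
        *) return 1 ;;
    esac
}

# Emit the iptables command for one _updown event.
# $1 = PLUTO_VERB, $2 = PLUTO_PEER_CLIENT, $3 = PLUTO_PEER_ID
updown_rule() {
    verb="$1"; client="$2"; dn="$3"
    chain=$(chain_for_dn "$dn") || { echo "unknown DN: $dn" >&2; return 1; }
    case "$verb" in
        up-client)
            # The rule is keyed only on the address, which is the limitation
            # raised in the thread: two identities behind one address cannot
            # be told apart here. The SPI-keyed alternative (-m esp --espspi)
            # is not usable from _updown because pluto does not export the SPI.
            $IPT -I FORWARD -s "$client" -j "$chain" ;;
        down-client)
            $IPT -D FORWARD -s "$client" -j "$chain" ;;
        *) return 0 ;;   # other verbs (up-host, prepare-*, ...) need no rule
    esac
}

# Example invocation with constructed values, as pluto would pass them:
updown_rule up-client 10.8.0.5/32 "C=US, O=Example, CN=alice"
```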