[Openswan dev] Using the spi in a script

Paul Wouters paul at xelerance.com
Mon Nov 21 17:03:40 CET 2005


On Sat, 19 Nov 2005, John A. Sullivan III wrote:

> >
> > Thanks!  Yes, SPI is subject to change during rekeying, it's not a
> > constant.  I think you're best using a combination of DN+Peer ID+IP's
> Thanks, Ken.  That's what we do now but it's not perfect.  We grab the
> DN and CA and cache the IP address against it in iptables rules.
> However, that precludes allowing another user with the same IP since I
> cannot use the DN as a criterion for iptables.  That's why I was looking
> at espspi and then marking the packet.

I think we might have an extra variable once we have finished writing the
new code to keep track of multiple roadwarriors behind the same NAT. It
will have to track the original source port of the encapsulated packet,
so perhaps we should pass that into _updown as well.

> However, that presents another problem -- how do we trigger an update of
> the iptables rules every time the spi changes.  I don't think there is
> any hook to call a script anywhere during rekeying, is there?

No, not at this moment.

Paul
-- 

"Happiness is never grand"

	--- Mustapha Mond, World Controller (Brave New World)
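The approach John describes above (keying the iptables rules on the peer's identity and tunnel address rather than on the ESP SPI, which changes at every rekey) as an added `_updown` fragment. This is example code written for this page, not Openswan's own `_updown`: `PLUTO_VERB`, `PLUTO_PEER`, `PLUTO_PEER_ID` and `PLUTO_PEER_CLIENT` are the environment variables pluto exports to `_updown`, while the chain name, the DN-to-mark table and the use of the iptables `policy` match are assumptions of the example.

```shell
#!/bin/sh
# Hypothetical _updown hook (example, not Openswan's script).  Firewall rules
# are keyed on the peer's certificate DN (PLUTO_PEER_ID), its tunnel address
# (PLUTO_PEER) and its inner client address (PLUTO_PEER_CLIENT).  None of these
# change at rekey, unlike the SPI, so no rekey hook is needed to keep them valid.

IPSEC_MARK_CHAIN="${IPSEC_MARK_CHAIN:-ipsec-marks}"   # assumed chain name

# Map a peer DN to a packet mark.  Assumption: a fixed table; a deployment
# would read this from a file.  Unknown identities get mark 0 (no rule).
mark_for_id() {
    case "$1" in
        "C=US, O=Example, CN=alice") echo 10 ;;
        "C=US, O=Example, CN=bob")   echo 20 ;;
        *)                           echo 0 ;;
    esac
}

# Print the iptables arguments for one verb.  Output contains only the mark,
# the addresses and fixed words, never the DN itself, so it is safe to split.
# Returns 1 when the identity is unknown, 0 with empty output for other verbs.
rule_args() {
    verb="$1"; peer="$2"; peer_id="$3"; client="$4"
    mark=$(mark_for_id "$peer_id")
    [ "$mark" -ne 0 ] || return 1
    case "$verb" in
        up-client)   action="-A" ;;
        down-client) action="-D" ;;
        *)           return 0 ;;
    esac
    # Caveat from the thread: two roadwarriors behind one NAT share the same
    # tunnel-src; this rule tells them apart only by the inner client address.
    printf '%s\n' "$action $IPSEC_MARK_CHAIN -s $client -m policy --dir in --pol ipsec --proto esp --tunnel-src $peer -j MARK --set-mark $mark"
}

# Entry point when pluto invokes this file as _updown; skipped when sourced.
if [ -n "${PLUTO_VERB:-}" ]; then
    args=$(rule_args "$PLUTO_VERB" "$PLUTO_PEER" "$PLUTO_PEER_ID" "$PLUTO_PEER_CLIENT") \
        || { logger -t updown "no mark configured for peer id $PLUTO_PEER_ID"; exit 0; }
    # shellcheck disable=SC2086  # intentional word splitting of generated arguments
    [ -z "$args" ] || iptables $args
fi
```

In a real installation this fragment would be called from, or appended to, the stock `_updown` so that routing is still handled; the example only shows the identity-to-mark step. Because the match never references the SPI, a rekey leaves the rule correct, which is the property the thread is after.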
