[Openswan dev] New IPsec user application
uweber at astaro.com
Wed Apr 25 15:03:10 EDT 2007
it's not quite the right mailing list. You could try http://
What you wanna do has nothing to do with openswan.
IPSec in Linux consists of kernel space and user space code.
Kernel space is either XFRM (Linux Native IPSec for 2.6)
or KLIPS (Kernel IPSec implementation by Freeswan/Openswan for
User space (IKE program) is either openswan's pluto or racoon.
Their purpose is to install/delete SA (Security Associations) in
via PF_KEY or NETKEY interface.
For more information about PF_KEY you can play with setkey program,
For more information about NETKEY you can play with a
recent iproute2 version, e.g. "ip xfrm state add ..."
> Multiple SAs need to be supported to a given endpoint (IP
> address). The choice of SA (for outbound packets) is controlled by
> the transport level ports, so IPsec policy needs to be able to
> associate a specific SA with a particular flow (flow being src+dest
> IP address, transport protocol and ports).
Not possible with the IPSec standard (Only IP/Protocol ID is supported).
You dont have port information for each packet (IP fragmentation!).
However you could abuse connection tracking for that and extend
kernel IPSec ...
More information about the Dev