[Openswan dev] New IPsec user application

Ulrich Weber uweber at astaro.com
Wed Apr 25 15:03:10 EDT 2007

Hi Olivier,

it's not quite the right mailing list. You could try http:// 
or http://marc.info/?l=linux-netdev

What you wanna do has nothing to do with openswan.
IPSec in Linux consists of kernel space and user space code.

Kernel space is either XFRM (Linux Native IPSec for 2.6)
or KLIPS (Kernel IPSec implementation by Freeswan/Openswan for  

User space (IKE program) is either openswan's pluto or racoon.
Their purpose is to install/delete SA (Security Associations) in kernel space
via PF_KEY or NETKEY interface.

For more information about PF_KEY you can play with setkey program,
see http://www.die.net/doc/linux/man/man8/setkey.8.html

For more information about NETKEY you can play with a
recent iproute2 version, e.g. "ip xfrm state add ..."

> Requirements/Questions
> ----------------------
> Multiple SAs need to be supported to a given endpoint (IP  
> address).  The choice of SA (for outbound packets) is controlled by  
> the transport level ports, so IPsec policy needs to be able to  
> associate a specific SA with a particular flow (flow being src+dest  
> IP address, transport protocol and ports).
Not possible with the IPSec standard (Only IP/Protocol ID is supported).
You don't have port information for each packet (IP fragmentation!).
However you could abuse connection tracking for that and extend kernel IPSec ...
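To make the PF_KEY side of the reply concrete, here is an added example (not part of the original post, and not code from openswan, racoon or setkey) that encodes the same kind of SADB_ADD message an IKE daemon or setkey sends to the kernel to install one ESP SA, and parses it back. The wire layout follows RFC 2367 (sadb_msg header, then sadb_sa, sadb_address and sadb_key extensions, each padded to 8-byte units). The SPI, addresses and keys are constructed sample values; SADB_EALG_AESCBC = 12 is the Linux-specific algorithm number, and the other constants are the RFC 2367 values. Building the bytes needs no privileges; only the optional send_to_kernel() touches a real PF_KEY socket and needs root on a Linux kernel with PF_KEY support.

```python
"""Encode/decode a minimal PF_KEY v2 SADB_ADD message (RFC 2367) for one ESP SA."""
import os
import socket
import struct

# RFC 2367 constants (SADB_EALG_AESCBC is the Linux value, assumption noted above)
PF_KEY_V2 = 2
SADB_ADD = 3
SADB_SATYPE_ESP = 3
SADB_EXT_SA = 1
SADB_EXT_ADDRESS_SRC = 5
SADB_EXT_ADDRESS_DST = 6
SADB_EXT_KEY_AUTH = 8
SADB_EXT_KEY_ENCRYPT = 9
SADB_SASTATE_MATURE = 1
SADB_AALG_SHA1HMAC = 3
SADB_EALG_AESCBC = 12


def _pad8(b: bytes) -> bytes:
    """PF_KEY lengths are counted in 64-bit units, so every extension is padded to 8."""
    return b + b"\0" * (-len(b) % 8)


def _ext(ext_type: int, payload: bytes) -> bytes:
    """Prepend the generic sadb_ext header (len in 8-byte units, type) to a payload."""
    raw = _pad8(b"\0\0\0\0" + payload)
    return struct.pack("=HH", len(raw) // 8, ext_type) + raw[4:]


def ext_sa(spi: int, auth_alg: int, enc_alg: int, replay: int = 32) -> bytes:
    """struct sadb_sa: SPI is carried in network byte order, the rest in host order."""
    body = struct.pack("!I", spi) + struct.pack(
        "=BBBBI", replay, SADB_SASTATE_MATURE, auth_alg, enc_alg, 0)
    return struct.pack("=HH", 2, SADB_EXT_SA) + body


def ext_address(ext_type: int, ip: str, proto: int = 0, prefixlen: int = 32) -> bytes:
    """struct sadb_address followed by a sockaddr_in (family, port, addr, 8 zero bytes)."""
    sockaddr = (struct.pack("=H", socket.AF_INET) + struct.pack("!H", 0)
                + socket.inet_aton(ip) + b"\0" * 8)
    return _ext(ext_type, struct.pack("=BBH", proto, prefixlen, 0) + sockaddr)


def ext_key(ext_type: int, key: bytes) -> bytes:
    """struct sadb_key: key length in bits, then the raw key bytes."""
    return _ext(ext_type, struct.pack("=HH", len(key) * 8, 0) + key)


def build_sadb_add(spi: int, src: str, dst: str, auth_key: bytes,
                   enc_key: bytes, seq: int = 1) -> bytes:
    """Assemble an SADB_ADD for an ESP SA with HMAC-SHA1 auth and AES-CBC encryption."""
    exts = (ext_sa(spi, SADB_AALG_SHA1HMAC, SADB_EALG_AESCBC)
            + ext_address(SADB_EXT_ADDRESS_SRC, src)
            + ext_address(SADB_EXT_ADDRESS_DST, dst)
            + ext_key(SADB_EXT_KEY_AUTH, auth_key)
            + ext_key(SADB_EXT_KEY_ENCRYPT, enc_key))
    total = 16 + len(exts)  # sadb_msg header is 16 bytes
    header = struct.pack("=BBBBHHII", PF_KEY_V2, SADB_ADD, 0, SADB_SATYPE_ESP,
                         total // 8, 0, seq, os.getpid())
    return header + exts


def parse_sadb(msg: bytes) -> dict:
    """Walk the message and index extensions by type; rejects lengths that disagree."""
    ver, mtype, errno, satype, ulen, _, seq, pid = struct.unpack_from("=BBBBHHII", msg, 0)
    if ver != PF_KEY_V2 or ulen * 8 != len(msg):
        raise ValueError("bad PF_KEY header or length")
    exts, off = {}, 16
    while off < len(msg):
        elen, etype = struct.unpack_from("=HH", msg, off)
        if elen == 0 or off + elen * 8 > len(msg):
            raise ValueError("malformed extension")
        exts[etype] = msg[off:off + elen * 8]
        off += elen * 8
    return {"type": mtype, "errno": errno, "satype": satype, "seq": seq,
            "pid": pid, "exts": exts}


def sa_spi(exts: dict) -> int:
    return struct.unpack_from("!I", exts[SADB_EXT_SA], 4)[0]


def address_of(ext: bytes) -> str:
    """sockaddr_in starts at offset 8 of sadb_address; the IPv4 address is at 12..16."""
    return socket.inet_ntoa(ext[12:16])


def send_to_kernel(msg: bytes) -> dict:
    """Optional: deliver the message on a PF_KEY socket (root, Linux CONFIG_NET_KEY)."""
    with socket.socket(socket.AF_KEY, socket.SOCK_RAW, PF_KEY_V2) as s:
        s.send(msg)
        return parse_sadb(s.recv(4096))


if __name__ == "__main__":
    # Constructed sample SA: SPI 0x1000 between two private addresses, dummy keys.
    m = build_sadb_add(0x1000, "10.0.0.1", "10.0.0.2", b"A" * 20, b"B" * 16)
    p = parse_sadb(m)
    print(len(m), "bytes; SPI", hex(sa_spi(p["exts"])),
          address_of(p["exts"][SADB_EXT_ADDRESS_SRC]), "->",
          address_of(p["exts"][SADB_EXT_ADDRESS_DST]))
```

The reply's point about selectors shows up in the encoding: sadb_address carries only a protocol number and a prefix length besides the IP address, so what an IKE daemon hands to the kernel over PF_KEY identifies an SA by addresses, SPI and protocol, not by a per-flow port tuple.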

