[Openswan dev] New IPsec user application

Ulrich Weber uweber at astaro.com
Thu Apr 26 15:59:36 EDT 2007

>  Great - thanks for the pointers.  I'll try those lists now.  I  
> take it http://marc.info/?l=linux-netdev is the best place to ask  
> for questions about XFRM and KLIPS and the NETKEY interface?
Depends, first you have to decide which IPSec implementation you want  
to extend for your needs, KLIPS or Native IPSec.
For KLIPS you're right on this list, for the latter one netdev is the  
right place.

> On the question of IP fragmentation - in my scenario all packets to  
> be sent over these SAs are (or should be) originated by my  
> application and sent over the standard sockets interface.  So any  
> IP fragments should only be created by the outbound IP stack.  I  
> believe (and my reading seems to confirm this), that IPsec  
> encapsulation of an outgoing packet occurs before any IP  
> fragmentation of those packets.  So hopefully my ports will still  
> be available.
You are right, that could work.

> Of course in the general case of traffic forwarding (say if the  
> device is acting as a router), you're correct that this approach  
> will not work.
> Please let me know if I've misunderstood, or if you know of an  
> easier way to achieve what I want (say a socket option that allows  
> you to specify the SA to use for traffic sent over this socket).
Have a look at selinux ipsec. Seems they have already implementet  
something with socket base IPSec SAs:

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/dev/attachments/20070426/fcee7d02/attachment.html 

More information about the Dev mailing list