[Openswan Users] Using the spi in a script

John A. Sullivan III jsullivan at opensourcedevel.com
Tue Nov 15 16:34:16 CET 2005


Hello, all.  We would like to improve the means by which we dynamically
alter iptables rules when Road Warriors connect in the ISCS network
security management project (http://iscs.sourceforge.net).  We currently
do this with an updown script and pull the DN, CA, IP address etc., from
the variables exposed to the script.  We thus tie the rules to the IP
address.  That has limitations when two people try to connect with the
same IP address (e.g., with the same internal address but behind
different NAT gateways).

We'd like to work around that problem by tying the rules to the SPI
using the iptables espspi match.  However, how and when do we learn what
the SPI is, and how do we pass it to a script from which we can make
these rules? Is it correct to assume that the SPI is going to change
with every phase II rekey? If so, is there any hook in the process where
we can run a script and pass to it the value of the SPI? Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com
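Added example, not code from the poster, the ISCS project or Openswan: a sketch of the two pieces an updown script would need to key iptables rules on the ESP SPI instead of the Road Warrior's inner address. It learns the SPI of the peer's inbound SA by parsing `ip xfrm state` (iproute2, native/NETKEY stack), then emits iptables rules for that SPI, both the esp match named in the post (which sees the encrypted ESP packet) and the xt_policy match (which sees the decrypted inner packet, where per-user filtering actually happens). Assumptions not in the original: the updown variables PLUTO_PEER and PLUTO_ME hold the peer's outer address and our own address, the chain ISCS_RW is hypothetical, the `ip xfrm state` text below is constructed, and xt_policy is available in the kernel. Because every IPsec SA carries its own SPI (inbound and outbound differ, and a Phase 2 rekey installs new SAs with new SPIs), the script lists every current inbound SPI for the peer and takes an explicit add/del verb so rules can be refreshed whenever the SA set changes.

```shell
#!/bin/sh
# Added example for the thread above; not ISCS or Openswan code.
# Step 1: learn the SPI of the peer's *inbound* ESP SA from `ip xfrm state`.
# Step 2: print iptables rules keyed on that SPI.
# Assumptions (not from the original post): PLUTO_PEER / PLUTO_ME are the
# updown variables for the peer's outer address and our address, the chain
# ISCS_RW is hypothetical, and the kernel has the xt_policy match.

# Constructed sample of `ip xfrm state` output: two Road Warriors reach us
# (198.51.100.1) from different NAT gateways.  Inbound SAs have dst = us.
SAMPLE_XFRM_STATE='src 203.0.113.10 dst 198.51.100.1
    proto esp spi 0x0a1b2c3d reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
src 198.51.100.1 dst 203.0.113.10
    proto esp spi 0x0ffe1234 reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
src 203.0.113.20 dst 198.51.100.1
    proto esp spi 0xdeadbeef reqid 16393 mode tunnel
    replay-window 32 flag af-unspec
src 198.51.100.1 dst 203.0.113.20
    proto esp spi 0x00c0ffee reqid 16393 mode tunnel
    replay-window 32 flag af-unspec'

# inbound_spi PEER ME [XFRM_STATE_TEXT]
# Print the SPI of every ESP SA from PEER to ME, one per line.  Parses the
# text in $3 when given, otherwise the live `ip xfrm state`.  Inbound and
# outbound SAs have different SPIs, and during a Phase 2 rekey the old and
# new inbound SA coexist briefly, so more than one line can come back.
inbound_spi() {
    if [ $# -ge 3 ]; then printf '%s\n' "$3"; else ip xfrm state; fi |
    awk -v peer="$1" -v me="$2" '
        $1 == "src" { insa = ($2 == peer && $4 == me) }
        insa && $1 == "proto" && $2 == "esp" {
            for (i = 1; i < NF; i++) if ($i == "spi") print $(i + 1)
        }'
}

# espspi_rules PEER ME SPI add|del
# Print (do not run) the iptables commands for one inbound SA: the esp
# match on the encrypted packet, then the policy match on the decrypted
# inner packet.  Pipe the output to sh once it looks right.
espspi_rules() {
    case $4 in
        add) op=-A ;;
        del) op=-D ;;
        *) echo "usage: espspi_rules PEER ME SPI add|del" >&2; return 1 ;;
    esac
    printf 'iptables %s ISCS_RW -s %s -d %s -p esp -m esp --espspi %s -j ACCEPT\n' \
        "$op" "$1" "$2" "$3"
    printf 'iptables %s ISCS_RW -m policy --dir in --pol ipsec --proto esp --spi %s -j ACCEPT\n' \
        "$op" "$3"
}

# rw_rules_for VERB PEER ME [XFRM_STATE_TEXT]
# What an updown script would do with $1 (the updown verb) and the
# PLUTO_* variables: add rules on up-client, delete them on down-client,
# ignore every other verb.  Emits one rule pair per current inbound SPI.
rw_rules_for() {
    verb=$1; peer=$2; me=$3; shift 3
    case $verb in
        up-client)   act=add ;;
        down-client) act=del ;;
        *) return 0 ;;
    esac
    for spi in $(inbound_spi "$peer" "$me" "$@"); do
        espspi_rules "$peer" "$me" "$spi" "$act"
    done
}

# Offline demonstration against the constructed sample; in a real updown
# script PLUTO_PEER and PLUTO_ME come from Openswan and $1 is the verb.
PLUTO_PEER=203.0.113.10
PLUTO_ME=198.51.100.1
rw_rules_for up-client "$PLUTO_PEER" "$PLUTO_ME" "$SAMPLE_XFRM_STATE"
```

The rules are printed rather than executed so the output can be checked before it touches a production firewall; matching on the inbound SPI distinguishes two Road Warriors that present the same inner address, because each one's SA, not its address, is what the rule keys on.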
