[Openswan Users] XFRM policy Update event for Inbound Policy

krishna murthy kmurthyjs at yahoo.co.in
Wed May 6 10:00:33 EDT 2009

Can you please let me know what is that change
in the Outbound policy for which we need an update to
make the
Openswan work on Linux. It would be great if you point me
to the part
of the pluto / openswan code which actually does the
policy update.
thanks and Regards,
From: Herbert Xu <herbert at gondor.apana.org.au>
Date: Wed, May 6, 2009 at 10:32 AM
 To: Paul Wouters
<paul at xelerance.com>
Cc: krishna murthy <kmurthyjs at yahoo.co.in>,
users at openswan.org, dev at openswan.org
We don't need to update policies when rekeying since the
changed.  The outbound policy gets
updated only because
 that was the
easiest way of getting Openswan to work on Linu.x
 Visit Openswan at http://www.openswan.org/
 Email: Herbert Xu
~{PmV>HI~} <herbert at gondor.apana.org.au>
 Home Page: http://gondor.apana.org.au/~herbert/
 PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
From: Paul Wouters <paul at xelerance.com>
Date: Tue, May 5, 2009 at 4:45 PM
 To: krishna murthy
<kmurthyjs at yahoo.co.in>, Herbert Xu
<herbert at gondor.apana.org.au>
Cc: users at openswan.org, dev at openswan.org
On Tue, 5 May 2009, krishna murthy wrote:
 (CC:ed Herbert,
since he probably knows this code best, and bumping
to dev at openswan.org)
 Hmm. All the calls
for that are in programs/pluto/kernel_netlink.c.
 They are all also
located only in one part:
 if (sadb_op ==
 else {
          * NEW
will fail when an existing policy, UPD always works.
          * This
seems to happen in cases with NAT'ed XP clients, or
          * quick
recycling/resurfacing of roadwarriors on the same IP.
req.n.nlmsg_type = XFRM_MSG_NEWPOLICY;
         req.n.nlmsg_type = XFRM_MSG_UPDPOLICY;
(sadb_op == ERO_REPLACE)
             req.n.nlmsg_type = XFRM_MSG_UPDPOLICY;
         req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.u.p)));
 What I am now not
sure of, is whether XFRM_MSG_UPDPOLICY is just a notification
 message, or wether
it also has other effects. Perhaps you can look at the
 NETKEY kernel code
and kernel_netlink.c. It sounds like there might be a bug
 either in our
code, or in the kernel, that causes some update messages to be
Hi All,
 I am looking for
Policy update notifications from the XFRM during the
IPSec Re-keying. I look for the
"XFRM_MSG_UPDPOLICY" event. The issue
I see is that i Only get Policy updates for the Outbound
Policies and
not for the Inbound. Below is the dump of " ip xfrm
Updated src dst
dir out priority 2360
tmpl src dst
proto esp reqid 16385 mode tunnel
never i see a policy update for the "dir=in".
Please let me know if i
am missing something.
Thanks in advance for the help,
Thanks and regards,
 Now surf faster
and smarter ! Check out the new Firefox 3 - Yahoo!
Edition *  Click
 Users at openswan.org
 Building and
Integrating Virtual Private Networks with Openswan:

      Share files, take polls, and make new friends - all under one roof. Go to http://in.promos.yahoo.com/groups/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20090506/95bcfa25/attachment.html 

More information about the Users mailing list