[Openswan Users] XFRM policy Update event for Inbound Policy
krishna murthy
kmurthyjs at yahoo.co.in
Wed May 6 10:00:33 EDT 2009
Can you please let me know what that change in the Outbound policy is for which we need an update to make Openswan work on Linux? It would be great if you could point me to the part of the pluto / openswan code which actually does the policy update.

Thanks and Regards,
Krishna
----------
From: Herbert Xu <herbert at gondor.apana.org.au>
Date: Wed, May 6, 2009 at 10:32 AM
To: Paul Wouters <paul at xelerance.com>
Cc: krishna murthy <kmurthyjs at yahoo.co.in>, users at openswan.org, dev at openswan.org
We don't need to update policies when rekeying since the policies haven't changed. The outbound policy gets updated only because that was the easiest way of getting Openswan to work on Linux.
Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
----------
From: Paul Wouters <paul at xelerance.com>
Date: Tue, May 5, 2009 at 4:45 PM
To: krishna murthy <kmurthyjs at yahoo.co.in>, Herbert Xu <herbert at gondor.apana.org.au>
Cc: users at openswan.org, dev at openswan.org
On Tue, 5 May 2009, krishna murthy wrote:

(CC:ed Herbert, since he probably knows this code best, and bumping to dev at openswan.org)

Hmm. All the calls for that are in programs/pluto/kernel_netlink.c. They are all also located only in one part:
    if (sadb_op == ERO_DELETE || sadb_op == ERO_DEL_INBOUND)
    {
        [...]
    }
    else {
        [...]
        /*
         * NEW will fail when an existing policy, UPD always works.
         * This seems to happen in cases with NAT'ed XP clients, or
         * quick recycling/resurfacing of roadwarriors on the same IP.
         *
         * req.n.nlmsg_type = XFRM_MSG_NEWPOLICY;
         */
        req.n.nlmsg_type = XFRM_MSG_UPDPOLICY;
        if (sadb_op == ERO_REPLACE)
        {
            req.n.nlmsg_type = XFRM_MSG_UPDPOLICY;
        }
        req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.u.p)));
    }
What I am now not sure of is whether XFRM_MSG_UPDPOLICY is just a notification message, or whether it also has other effects. Perhaps you can look at the NETKEY kernel code and kernel_netlink.c. It sounds like there might be a bug either in our code, or in the kernel, that causes some update messages to be missing.

Paul
----------
Hi All,

I am looking for Policy update notifications from the XFRM during the IPSec Re-keying. I look for the "XFRM_MSG_UPDPOLICY" event. The issue I see is that I only get Policy updates for the Outbound Policies and not for the Inbound. Below is the dump of "ip xfrm monitor":

    Updated src 9.1.1.0/24 dst 11.0.0.0/8
            dir out priority 2360
            tmpl src 192.168.10.1 dst 192.168.10.2
                    proto esp reqid 16385 mode tunnel

I never see a policy update for the "dir=in". Please let me know if I am missing something.

Thanks in advance for the help,

Thanks and regards,
Krishna
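A small check for the symptom described in this message, added here as an example and not part of the thread or of Openswan: it parses the policy events printed by "ip xfrm monitor" (the sample below is constructed, modelled on the dump above, and assumes the same line layout) and reports, per reqid, which policy directions never received an Updated event.

```python
import re

# Constructed sample of `ip xfrm monitor` policy output, modelled on the
# dump in the message above (not a real capture): "out" and "fwd" get an
# Updated event, "in" does not.
SAMPLE_MONITOR_OUTPUT = """\
Updated src 9.1.1.0/24 dst 11.0.0.0/8
        dir out priority 2360
        tmpl src 192.168.10.1 dst 192.168.10.2
                proto esp reqid 16385 mode tunnel
Updated src 11.0.0.0/8 dst 9.1.1.0/24
        dir fwd priority 2360
        tmpl src 192.168.10.2 dst 192.168.10.1
                proto esp reqid 16385 mode tunnel
"""

EVENT_RE = re.compile(r"^(Updated|Deleted) src (\S+) dst (\S+)")
DIR_RE = re.compile(r"^\s*dir (\w+) priority (\d+)")
TMPL_RE = re.compile(r"^\s*proto (\w+) reqid (\d+) mode (\w+)")


def parse_policy_events(text):
    """Group the multi-line monitor output into one dict per policy event."""
    events = []
    cur = None
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:  # a new event starts; following indented lines belong to it
            cur = {"event": m.group(1), "src": m.group(2), "dst": m.group(3)}
            events.append(cur)
            continue
        if cur is None:
            continue
        m = DIR_RE.match(line)
        if m:
            cur["dir"], cur["priority"] = m.group(1), int(m.group(2))
            continue
        m = TMPL_RE.match(line)
        if m:
            cur["proto"], cur["reqid"], cur["mode"] = m.group(1), int(m.group(2)), m.group(3)
    return events


def missing_directions(events, expected=("in", "out", "fwd")):
    """Per reqid, the policy directions that saw no Updated event."""
    seen = {}
    for ev in events:
        if ev.get("event") == "Updated" and "reqid" in ev and "dir" in ev:
            seen.setdefault(ev["reqid"], set()).add(ev["dir"])
    return {reqid: sorted(set(expected) - dirs) for reqid, dirs in seen.items()}
```

Feed it a real capture with `ip xfrm monitor policy` redirected to a file during a rekey; a reqid whose list contains "in" shows the behaviour Krishna reports.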
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users