[Openswan Users] XFRM policy Update event for Inbound Policy

krishna murthy kmurthyjs at yahoo.co.in
Fri May 8 10:13:11 EDT 2009

I wanted to know how new SAs created during IPsec re-keying are linked to the
Inbound and Outbound policy without updating the Policy as mentioned previously.


From: krishna murthy <kmurthyjs at yahoo.co.in>
To: herbert at gondor.apana.org.au; paul at xelerance.com
Cc: users at openswan.org; dev at openswan.org; kmurthyjs at yahoo.co.in
Sent: Wednesday, 6 May, 2009 3:00:33 PM
Subject: RE: [Openswan Users] XFRM policy Update event for Inbound Policy

Can you please let me know what that change in the Outbound policy is for which
we need an update to make Openswan work on Linux. It would be great if you could
point me to the part of the pluto / openswan code which actually does the policy
update.
Thanks and regards,
From: Herbert Xu <herbert at gondor.apana.org.au>
Date: Wed, May 6, 2009 at 10:32 AM
 To: Paul Wouters <paul at xelerance.com>
Cc: krishna murthy <kmurthyjs at yahoo.co.in>, users at openswan.org, dev at openswan.org
We don't need to update policies when rekeying since the policies
haven't changed.  The outbound policy gets updated only because
that was the easiest way of getting Openswan to work on Linux.
 Visit Openswan at http://www.openswan.org/
 Email: Herbert Xu ~{PmV>HI~} <herbert at gondor.apana.org.au>
 Home Page: http://gondor.apana.org.au/~herbert/
 PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
From: Paul Wouters <paul at xelerance.com>
Date: Tue, May 5, 2009 at 4:45 PM
To: krishna murthy <kmurthyjs at yahoo.co.in>, Herbert Xu <herbert at gondor.apana.org.au>
Cc: users at openswan.org, dev at openswan.org
On Tue, 5 May 2009, krishna murthy wrote:
 (CC:ed Herbert, since he probably knows this code best, and bumping
to dev at openswan.org)
 Hmm. All the calls for that are in programs/pluto/kernel_netlink.c.
 They are all also located only in one part:
    if (sadb_op == ERO_DELETE || sadb_op == ERO_DEL_INBOUND)
    else {
        /* NEW will fail when an existing policy, UPD always works.
         * This seems to happen in cases with NAT'ed XP clients, or
         * quick recycling/resurfacing of roadwarriors on the same IP.
         *
         * req.n.nlmsg_type = XFRM_MSG_NEWPOLICY;
         */
        req.n.nlmsg_type = XFRM_MSG_UPDPOLICY;
        if (sadb_op == ERO_REPLACE)
            req.n.nlmsg_type = XFRM_MSG_UPDPOLICY;
        req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.u.p)));
What I am now not sure of, is whether XFRM_MSG_UPDPOLICY is just a notification
message, or whether it also has other effects. Perhaps you can look at the
NETKEY kernel code and kernel_netlink.c. It sounds like there might be a bug
either in our code, or in the kernel, that causes some update messages to be
Hi All,
I am looking for Policy update notifications from the XFRM during the
IPsec re-keying. I look for the "XFRM_MSG_UPDPOLICY" event. The issue
I see is that I only get Policy updates for the Outbound Policies and
not for the Inbound. Below is the dump of "ip xfrm monitor":
Updated src dst
dir out priority 2360
tmpl src dst
proto esp reqid 16385 mode tunnel
I never see a policy update for "dir in". Please let me know if I
am missing something.
Thanks in advance for the help,
Thanks and regards,
 Users at openswan.org
 Building and Integrating Virtual Private Networks with Openswan:
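Editor's note, added to this archived thread (the code below is not from the
thread, from Openswan/pluto or from the kernel): the question at the top of the
message (how SAs created by a rekey are tied to the inbound and outbound policy
without any policy update) and Paul's comment on NEWPOLICY vs UPDPOLICY are
easiest to see in a small model of the two XFRM databases. A policy carries a
template (the "tmpl ... proto esp reqid 16385 mode tunnel" line in the monitor
dump above), not an SPI; the kernel resolves that template against the SAD at
packet time, so a rekey that installs new SAs under the same reqid is picked up
by the existing policy. The matching rule, the addresses, SPIs, selectors and
the `ip xfrm state` text are all constructed or simplified for the example.

```python
"""Toy model of how XFRM policies select SAs, and of NEWPOLICY vs UPDPOLICY.

Added example, not pluto/Openswan or kernel code.  The matching rule is a
simplification of the kernel's lookup: a policy template (src, dst, proto,
mode, reqid) selects any SA whose src/dst/proto/mode/reqid match; the SPI
is deliberately not part of it, so the SAs a rekey installs under new SPIs
but the same reqid are picked up without touching the policy.
"""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Template:          # the 'tmpl' line of an `ip xfrm policy` entry
    src: str
    dst: str
    proto: str
    mode: str
    reqid: int

@dataclass(frozen=True)
class State:             # one SA as printed by `ip xfrm state`
    src: str
    dst: str
    proto: str
    spi: int
    reqid: int
    mode: str

    def matches(self, t: Template) -> bool:
        # No SPI here: the template binds the policy to whichever SA
        # currently carries this reqid between these endpoints.
        return (self.src, self.dst, self.proto, self.mode, self.reqid) == (
            t.src, t.dst, t.proto, t.mode, t.reqid)

# `\s+` lets the match span the newline between the two output lines.
STATE_RE = re.compile(
    r"src (\S+) dst (\S+)\s+proto (\w+) spi (0x[0-9a-f]+) reqid (\d+) mode (\w+)")

def parse_states(text: str) -> list:
    """Parse (constructed) `ip xfrm state` output into State objects."""
    return [State(src, dst, proto, int(spi, 16), int(reqid), mode)
            for src, dst, proto, spi, reqid, mode in STATE_RE.findall(text)]

class Spd:
    """Security Policy Database keyed by (selector src, selector dst, dir)."""
    def __init__(self):
        self.policies = {}

    def new_policy(self, key, tmpl):
        """XFRM_MSG_NEWPOLICY semantics: an existing entry is an error."""
        if key in self.policies:
            raise FileExistsError("EEXIST: policy already present")
        self.policies[key] = tmpl

    def upd_policy(self, key, tmpl):
        """XFRM_MSG_UPDPOLICY semantics: insert or replace, never fails."""
        self.policies[key] = tmpl

    def lookup_sa(self, key, sad):
        """Most recently added SA matching the policy's template (simplified)."""
        cands = [s for s in sad if s.matches(self.policies[key])]
        return cands[-1] if cands else None

# Constructed `ip xfrm state` output: the original SA pair, then the pair a
# rekey installs (new SPIs, same reqid 16385 as in the monitor dump above).
SAD_BEFORE_REKEY = """\
src 10.0.0.1 dst 10.0.0.2
    proto esp spi 0x0a1b2c3d reqid 16385 mode tunnel
src 10.0.0.2 dst 10.0.0.1
    proto esp spi 0x4e5f6071 reqid 16385 mode tunnel
"""
SAD_AFTER_REKEY = SAD_BEFORE_REKEY + """\
src 10.0.0.1 dst 10.0.0.2
    proto esp spi 0x11112222 reqid 16385 mode tunnel
src 10.0.0.2 dst 10.0.0.1
    proto esp spi 0x33334444 reqid 16385 mode tunnel
"""
# Hypothetical selectors (key) and tunnel endpoints for the two policies.
OUT_KEY = ("192.168.1.0/24", "192.168.2.0/24", "out")
IN_KEY = ("192.168.2.0/24", "192.168.1.0/24", "in")

def build_spd() -> Spd:
    spd = Spd()
    spd.new_policy(OUT_KEY, Template("10.0.0.1", "10.0.0.2", "esp", "tunnel", 16385))
    spd.new_policy(IN_KEY, Template("10.0.0.2", "10.0.0.1", "esp", "tunnel", 16385))
    return spd

def spis_selected(spd: Spd, sad_text: str) -> tuple:
    """(outbound SPI, inbound SPI) that the untouched policies resolve to."""
    sad = parse_states(sad_text)
    return (spd.lookup_sa(OUT_KEY, sad).spi, spd.lookup_sa(IN_KEY, sad).spi)

def reinstall_policy(spd: Spd, use_update: bool) -> bool:
    """Re-send the outbound policy as NEW or UPD; True if it was accepted."""
    try:
        (spd.upd_policy if use_update else spd.new_policy)(OUT_KEY, spd.policies[OUT_KEY])
        return True
    except FileExistsError:
        return False
```

Running spis_selected() against the two SAD snapshots shows both policies,
never re-sent, switching from the old SPIs to the rekeyed ones; running
reinstall_policy() shows why pluto sends UPDPOLICY unconditionally: NEW on a
policy that already exists is refused, UPD is not. On a real box the same
check is `ip xfrm policy` (look at the reqid in the tmpl line) against
`ip xfrm state` (look at which SAs carry that reqid) before and after a rekey.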


