[Openswan Users] XFRM policy Update event for Inbound Policy
krishna murthy
kmurthyjs at yahoo.co.in
Fri May 8 10:13:11 EDT 2009
I wanted to know how new SAs created during the IPsec re-keying are linked to the
inbound and outbound policy without updating the policy, as mentioned previously.
Thanks,
Krishna
From: krishna murthy <kmurthyjs at yahoo.co.in>
To: herbert at gondor.apana.org.au; paul at xelerance.com
Cc: users at openswan.org; dev at openswan.org; kmurthyjs at yahoo.co.in
Sent: Wednesday, 6 May, 2009 3:00:33 PM
Subject: RE: [Openswan Users] XFRM policy Update event for Inbound Policy
Can you please let me know what the change in the outbound policy is for which
we need an update to make Openswan work on Linux? It would be great if you
could point me to the part of the pluto / openswan code which actually does the
policy update.
Thanks and regards,
Krishna
----------
From: Herbert Xu <herbert at gondor.apana.org.au>
Date: Wed, May 6, 2009 at 10:32 AM
To: Paul Wouters <paul at xelerance.com>
Cc: krishna murthy <kmurthyjs at yahoo.co.in>, users at openswan.org, dev at openswan.org
We don't need to update policies when rekeying since the policies
haven't changed. The outbound policy gets updated only because
that was the easiest way of getting Openswan to work on Linux.
Cheers,
--
Email: Herbert Xu ~{PmV>HI~} <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
----------
From: Paul Wouters <paul at xelerance.com>
Date: Tue, May 5, 2009 at 4:45 PM
To: krishna murthy <kmurthyjs at yahoo.co.in>, Herbert Xu <herbert at gondor.apana.org.au>
Cc: users at openswan.org, dev at openswan.org
On Tue, 5 May 2009, krishna murthy wrote:
(CC:ed Herbert, since he probably knows this code best, and bumping
to dev at openswan.org)
Hmm. All the calls for that are in programs/pluto/kernel_netlink.c.
They are all also located only in one part:
if (sadb_op == ERO_DELETE || sadb_op == ERO_DEL_INBOUND)
{
[...]
}
else {
[...]
/*
* NEW will fail when an existing policy, UPD always works.
* This seems to happen in cases with NAT'ed XP clients, or
* quick recycling/resurfacing of roadwarriors on the same IP.
* req.n.nlmsg_type = XFRM_MSG_NEWPOLICY;
*/
req.n.nlmsg_type = XFRM_MSG_UPDPOLICY;
if (sadb_op == ERO_REPLACE)
{
req.n.nlmsg_type = XFRM_MSG_UPDPOLICY;
}
req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.u.p)));
}
What I am now not sure of is whether XFRM_MSG_UPDPOLICY is just a notification
message, or whether it also has other effects. Perhaps you can look at the
NETKEY kernel code and kernel_netlink.c. It sounds like there might be a bug,
either in our code or in the kernel, that causes some update messages to be
missing.
Paul
----------
Hi All,
I am looking for policy update notifications from XFRM during the
IPsec re-keying. I look for the "XFRM_MSG_UPDPOLICY" event. The issue
I see is that I only get policy updates for the outbound policies and
not for the inbound. Below is the dump of "ip xfrm monitor":
Updated src 9.1.1.0/24 dst 11.0.0.0/8
        dir out priority 2360
        tmpl src 192.168.10.1 dst 192.168.10.2
                proto esp reqid 16385 mode tunnel
I never see a policy update for "dir=in". Please let me know if I
am missing something.
Thanks in advance for the help,
Thanks and regards,
Krishna
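As an added example (not part of the thread, and not pluto or kernel code), the script below decodes the XFRM_MSG_NEWPOLICY / XFRM_MSG_UPDPOLICY messages the kernel multicasts on the XFRMNLGRP_POLICY group, which are the events "ip xfrm monitor" prints as "Updated ... dir out" in the dump above. The kernel notifies listeners with the same message type it received from pluto, so an XFRM_MSG_UPDPOLICY request surfaces as an XFRM_MSG_UPDPOLICY event; the dir byte in struct xfrm_userpolicy_info tells you whether the inbound, outbound or forward policy was touched, and the XFRMA_TMPL attribute carries the reqid that ties the policy to its SAs. The two sample messages are constructed in the script from the monitor dump above (plus the mirror-image inbound policy, which the dump never showed); the struct offsets are the x86_64 layout of include/uapi/linux/xfrm.h and are an assumption to re-check against your own kernel headers. Run it with --live as root on a NETKEY host to watch real events and compare which directions actually show up during a rekey.

```python
"""Decode XFRM_MSG_NEWPOLICY / XFRM_MSG_UPDPOLICY netlink messages and, with
--live as root on Linux, print them as the kernel multicasts them on the
XFRMNLGRP_POLICY group (the events `ip xfrm monitor` shows as "Updated ...").
Added example, not pluto or kernel code.  Offsets follow the x86_64 layout of
include/uapi/linux/xfrm.h (an assumption to re-check against your header)."""
import socket
import struct

NLMSG_HDR = struct.Struct("=IHHII")   # struct nlmsghdr: len, type, flags, seq, pid
NLA_HDR = struct.Struct("=HH")        # struct nlattr: len (incl. header), type
XFRM_MSG_NEWPOLICY = 0x13
XFRM_MSG_UPDPOLICY = 0x19
XFRMA_TMPL = 5
XFRMNLGRP_POLICY = 4                  # multicast group carrying policy events
POLICY_INFO_LEN = 168                 # sizeof(struct xfrm_userpolicy_info)
TMPL_LEN = 64                         # sizeof(struct xfrm_user_tmpl)
MSG_NAMES = {XFRM_MSG_NEWPOLICY: "new", XFRM_MSG_UPDPOLICY: "upd"}
DIR_NAMES = {0: "in", 1: "out", 2: "fwd"}      # XFRM_POLICY_IN / OUT / FWD
MODE_NAMES = {0: "transport", 1: "tunnel"}
PROTO_NAMES = {50: "esp", 51: "ah"}


def _align4(n):
    return (n + 3) & ~3


def _v4(addr16):
    return socket.inet_ntop(socket.AF_INET, addr16[:4])  # IPv4 uses 4 of the 16 bytes


def _key(names, name):
    return {v: k for k, v in names.items()}[name]


def decode_policy_msg(buf, off=0):
    """Decode one netlink message at buf[off:]; None unless it is a policy add/update."""
    nlen, ntype = NLMSG_HDR.unpack_from(buf, off)[:2]
    if ntype not in MSG_NAMES:
        return None
    body = buf[off + NLMSG_HDR.size:off + nlen]
    # xfrm_userpolicy_info: selector {daddr@0, saddr@16, prefixlen_d@42,
    # prefixlen_s@43}, lifetimes, then priority@152 and dir@160.
    plen_d, plen_s = struct.unpack_from("=BB", body, 42)
    msg = {"op": MSG_NAMES[ntype],
           "src": "%s/%d" % (_v4(body[16:32]), plen_s),
           "dst": "%s/%d" % (_v4(body[0:16]), plen_d),
           "dir": DIR_NAMES.get(body[160], str(body[160])),
           "priority": struct.unpack_from("=I", body, 152)[0],
           "tmpl": []}
    pos = POLICY_INFO_LEN                      # attributes follow the fixed struct
    while pos + NLA_HDR.size <= len(body):
        alen, atype = NLA_HDR.unpack_from(body, pos)
        if alen < NLA_HDR.size:
            break                              # malformed attribute: stop walking
        payload = body[pos + NLA_HDR.size:pos + alen]
        if atype == XFRMA_TMPL:                # array of struct xfrm_user_tmpl
            for t in range(0, len(payload) - TMPL_LEN + 1, TMPL_LEN):
                tm = payload[t:t + TMPL_LEN]   # id.daddr@0 id.proto@20 saddr@28 reqid@44 mode@48
                msg["tmpl"].append({"src": _v4(tm[28:44]), "dst": _v4(tm[0:16]),
                                    "proto": PROTO_NAMES.get(tm[20], str(tm[20])),
                                    "reqid": struct.unpack_from("=I", tm, 44)[0],
                                    "mode": MODE_NAMES.get(tm[48], str(tm[48]))})
        pos += _align4(alen)
    return msg


def build_policy_msg(op, src, dst, direction, priority, tmpl):
    """Build the message the kernel emits for one IPv4 policy with one template
    (constructed test data; a live socket delivers exactly this layout)."""
    info = bytearray(POLICY_INFO_LEN)
    (dip, plen_d), (sip, plen_s) = dst.split("/"), src.split("/")
    info[0:4] = socket.inet_pton(socket.AF_INET, dip)
    info[16:20] = socket.inet_pton(socket.AF_INET, sip)
    struct.pack_into("=HBB", info, 40, socket.AF_INET, int(plen_d), int(plen_s))
    struct.pack_into("=I", info, 152, priority)
    info[160] = _key(DIR_NAMES, direction)     # action byte at 161 stays XFRM_POLICY_ALLOW (0)
    tm = bytearray(TMPL_LEN)
    tm[0:4] = socket.inet_pton(socket.AF_INET, tmpl["dst"])
    tm[20] = _key(PROTO_NAMES, tmpl["proto"])
    struct.pack_into("=H", tm, 24, socket.AF_INET)
    tm[28:32] = socket.inet_pton(socket.AF_INET, tmpl["src"])
    struct.pack_into("=I", tm, 44, tmpl["reqid"])
    tm[48] = _key(MODE_NAMES, tmpl["mode"])
    body = bytes(info) + NLA_HDR.pack(NLA_HDR.size + TMPL_LEN, XFRMA_TMPL) + bytes(tm)
    return NLMSG_HDR.pack(NLMSG_HDR.size + len(body), _key(MSG_NAMES, op), 0, 0, 0) + body


def iter_msgs(datagram):
    """Split one recv() result into its netlink messages (several may be batched)."""
    off = 0
    while off + NLMSG_HDR.size <= len(datagram):
        nlen = NLMSG_HDR.unpack_from(datagram, off)[0]
        if nlen < NLMSG_HDR.size:
            break
        yield datagram[off:off + nlen]
        off += _align4(nlen)


def format_event(msg):
    """Render like `ip xfrm monitor` ("Updated" for UPDPOLICY, "New" for NEWPOLICY)."""
    out = ["%s src %s dst %s dir %s priority %d" % ("Updated" if msg["op"] == "upd" else "New",
                                                   msg["src"], msg["dst"], msg["dir"], msg["priority"])]
    out += ["\ttmpl src %(src)s dst %(dst)s proto %(proto)s reqid %(reqid)d mode %(mode)s" % t
            for t in msg["tmpl"]]
    return "\n".join(out)


# Constructed samples: the outbound policy from the monitor dump in the thread and
# the inbound policy that pairs with it (selector and template addresses mirrored).
TMPL_OUT = {"src": "192.168.10.1", "dst": "192.168.10.2", "proto": "esp", "reqid": 16385, "mode": "tunnel"}
SAMPLE_OUT = build_policy_msg("upd", "9.1.1.0/24", "11.0.0.0/8", "out", 2360, TMPL_OUT)
SAMPLE_IN = build_policy_msg("upd", "11.0.0.0/8", "9.1.1.0/24", "in", 2360,
                             dict(TMPL_OUT, src="192.168.10.2", dst="192.168.10.1"))

if __name__ == "__main__":
    import sys
    if sys.argv[1:] == ["--live"]:             # root on a NETKEY host; Ctrl-C to stop
        sk = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, socket.NETLINK_XFRM)
        sk.bind((0, 1 << (XFRMNLGRP_POLICY - 1)))   # nl_groups bitmask for group 4
        while True:
            for m in iter_msgs(sk.recv(65536)):
                ev = decode_policy_msg(m)
                if ev:
                    print(format_event(ev))
    else:
        for m in (SAMPLE_OUT, SAMPLE_IN):
            print(format_event(decode_policy_msg(m)))
```

Without --live the script decodes the two constructed messages and prints them in monitor style; the second one is what a "dir in" update would look like if the kernel emitted it. The template's reqid (16385 here) is the only link between the policy and its SAs, which is why a rekey that installs a new SA under the same reqid needs no change to the policy itself.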
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users