[Openswan Users] What is PLUTO_PEER_REF and how does OpenSwan define it?

Danilo Godec danilo.godec at agenda.si
Tue Nov 9 13:35:43 EST 2010


 On 9.11.2010 15:50, Paul Wouters wrote:
> On Tue, 9 Nov 2010, Danilo Godec wrote:
>
>> I'm looking into some scripts regarding QoS and OpenSwan and need to
>> figure out FW marks...
>>
>> I'm not quite sure what PLUTO_PEER_REF is and how OpenSwan gets it - is
>> it always the same?
>>
>> For example - on my test system I see 'ref=3' and 'refhim=1' - all the
>> time...
>>
>> But is this always the case? Can I count on that or will there be times
>> when these two values will be different?
>
> Those are the SArefs. They will be different after a rekey or restart, or if
> the order of the tunnel establishing changes. You just see 1 and 3 on a fresh
> start of openswan.
>
> SArefs are used with the protostack=mast stack, and require a small kernel
> patch (see patches/kernel/)

What are SArefs and what are they used for?

Should it be possible to use OpenSwan's MAST without SAref and without
the need for FW marks and IP rules?

I'm coming from a world of KLIPS and would like to keep it - but
unfortunately the current kernel / OpenSwan combination on OpenSuSE 11.2
doesn't work with Checkpoint while MAST does - with the same set of
parameters (with addition of 'sareftrack=conntrack').



   Danilo



> Note that SArefs are put in the skb using NFMARK. If the highest
> bit is set, we assume it is an SAref. We use the lower half of the
> bits to set the SAref.
> The higher half of the bits are ignored (except for the highest one)
> and free for other uses.



