SADB_X_SPDFLUSH message handling for latest version of IPsec
gnn at freebsd.org
Fri Jul 27 06:46:29 UTC 2007
At Thu, 26 Jul 2007 11:13:53 +0800,
blue wrote:
>
> Hi, all:
>
> Recently I found that the behavior of the command "setkey -FP" is quite
> different in the latest version of IPsec (known as FAST_IPSEC before).
> Before, the command would erase all the existing SP entries; currently the
> command does not. After digging through the code, I found that the state of the SP
> entries is set to IPSEC_SPSTATE_DEAD, but the entries are not
> unlinked from the SPD. Why does the entry need to be kept in the SPD? Is there any
> special purpose? Without the removal, it's hard to tell whether the SP
> entry still takes effect, since "setkey -PD" will not show its status. On
> the other hand, SA behaves as usual: once "setkey -F" is typed in, the
> SA entries are erased right away.
Can you give an example of this? On my test systems this works for
me:
dut2 ? cat /etc/ipsec.conf
spdadd 10.0.0.1/32 10.0.0.2/32 any -P out ipsec esp/tunnel/10.0.0.1-10.0.0.2/require;
spdadd 10.0.0.2/32 10.0.0.1/32 any -P in ipsec esp/tunnel/10.0.0.2-10.0.0.1/require;
add 10.0.0.1 10.0.0.2 esp 0x1000 -E des-cbc 0x3ffe05014819ffff;
dut2 ? setkey -f !$
setkey -f /etc/ipsec.conf
dut2 ? setkey -DP
10.0.0.2[any] 10.0.0.1[any] any
in ipsec
esp/tunnel/10.0.0.2-10.0.0.1/require
spid=13 seq=1 pid=72816
refcnt=1
10.0.0.1[any] 10.0.0.2[any] any
out ipsec
esp/tunnel/10.0.0.1-10.0.0.2/require
spid=12 seq=0 pid=72816
refcnt=1
dut2 ? setkey -D
10.0.0.1 10.0.0.2
esp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
E: des-cbc 3ffe0501 4819ffff
seq=0x00000000 replay=0 flags=0x00000040 state=mature
created: Jul 22 23:10:07 2007 current: Jul 22 23:10:12 2007
diff: 5(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=72817 refcnt=1
dut2 ? setkey -FP
dut2 ? setkey -DP
No SPD entries.
dut2 ?
Best,
George
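The session above is a manual check that the flush emptied the SPD. As an added example that is not part of the original thread, this POSIX sh snippet automates the same check by parsing a 'setkey -DP' dump in the format shown above: a live policy carries one "spid=N" line, and an empty database prints "No SPD entries." (the sample dumps are constructed from the output in the thread).

```shell
#!/bin/sh
# Added example: verify that 'setkey -FP' really emptied the SPD by
# counting policies in a 'setkey -DP' dump. Not code from the thread.

# spd_entry_count: read a 'setkey -DP' dump on stdin, print the number
# of policies it lists (each policy has exactly one "spid=" line).
spd_entry_count() {
    dump=$(cat)
    case "$dump" in
        *"No SPD entries."*) echo 0 ;;
        *) printf '%s\n' "$dump" | grep -c 'spid=' || true ;;
    esac
}

# spd_is_flushed: succeed (exit 0) only if the dump on stdin lists no policies.
spd_is_flushed() {
    [ "$(spd_entry_count)" -eq 0 ]
}

# Constructed sample dumps, copied from the format in the thread above.
BEFORE_FLUSH='10.0.0.2[any] 10.0.0.1[any] any
	in ipsec
	esp/tunnel/10.0.0.2-10.0.0.1/require
	spid=13 seq=1 pid=72816
	refcnt=1
10.0.0.1[any] 10.0.0.2[any] any
	out ipsec
	esp/tunnel/10.0.0.1-10.0.0.2/require
	spid=12 seq=0 pid=72816
	refcnt=1'
AFTER_FLUSH='No SPD entries.'

# On a real host the check is: setkey -FP && setkey -DP | spd_is_flushed
```

If the count stays non-zero after the flush, the policies are still linked in the SPD and the flush did not behave as in George's session.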