issue with outbound SA selection
Dear All,
I have a problem using SAs with selectors based on <src IP>, <dest IP> and <dst port> for outbound traffic. I have written two outbound SAs for the same destination IP with different destination ports, but I am seeing the wrong SA being selected for outbound traffic. My concern is why the SA is not getting selected based on the ports mentioned in the security policy.
FYI, the content of the file setkey.conf:
/************************* start setkey.conf ************************/
flush;
spdflush;
add 172.16.8.36 172.16.8.38[800] esp 0x201 -m tunnel -E 3des-cbc
0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
-A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6;
add 172.16.8.38[500] 172.16.8.36 esp 0x301 -m tunnel -E 3des-cbc
0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
-A hmac-md5 0x96358c90783bbfa3d7b196ceabe0536b;
add 172.16.8.36 172.16.8.38[500] esp 0x208 -m tunnel -E 3des-cbc
0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
-A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6;
# Security policies
spdadd 172.16.8.36 172.16.8.38[800] esp -P out ipsec
esp/tunnel/172.16.8.36-172.16.8.38/require;
spdadd 172.16.8.38[800] 172.16.8.36 esp -P in ipsec
esp/tunnel/172.16.8.38-172.16.8.36/require;
/************************* end setkey.conf ************************/
When a packet is sent to dest port 800, the SA which is getting selected
is 0x208 [spi] with dstport 500 instead of 0x201 [spi] with dstport 800.
My Linux kernel version is 2.6.23.1-42.fc8
If I make the following change, will it solve my purpose as described?
Changes to be made:
in function pfkey_sockaddr_fill() in file net/key/af_key.c
-- sin->sin_port = port;
++ sin->sin_port = sa->sin_port;
I want to have a local copy of Linux with the PF_KEY engine using the
ports also as selectors for OUTBOUND SAs.
Please guide me on the same.
Regards,
Naveen
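The symptom described in this post, modelled as added example code (not from the poster, the setkey tool or the Linux kernel): it contrasts an address-only SA lookup with one that honours port selectors, using the two outbound SAs from the setkey.conf above. The SAD order and the packet are constructed, and the model follows the RFC 4301 selector concept rather than the xfrm code.

```python
"""Toy model of outbound SA selection with and without port selectors."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Selector:
    src: str
    dst: str
    sport: Optional[int] = None  # None means "any port"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (self.src == pkt.src and self.dst == pkt.dst
                and self.sport in (None, pkt.sport)
                and self.dport in (None, pkt.dport))


@dataclass(frozen=True)
class SA:
    spi: int
    sel: Selector


# The two outbound SAs from the poster's setkey.conf (keys omitted, they play no
# part in selection). Constructed order: 0x208 first, to reproduce the symptom.
OUTBOUND_SAD: List[SA] = [
    SA(0x208, Selector("172.16.8.36", "172.16.8.38", dport=500)),
    SA(0x201, Selector("172.16.8.36", "172.16.8.38", dport=800)),
]


def lookup_by_address(sad: List[SA], pkt: Packet) -> Optional[int]:
    """Address-only lookup: ports are ignored, so the first SA in list order wins."""
    for sa in sad:
        if sa.sel.src == pkt.src and sa.sel.dst == pkt.dst:
            return sa.spi
    return None


def lookup_by_selector(sad: List[SA], pkt: Packet) -> Optional[int]:
    """Full-selector lookup: ports participate, so port-distinct SAs never collide."""
    hits = [sa.spi for sa in sad if sa.sel.matches(pkt)]
    if len(hits) > 1:
        raise ValueError(f"ambiguous SAD: SPIs {hits} all match {pkt}")
    return hits[0] if hits else None


if __name__ == "__main__":
    pkt = Packet("172.16.8.36", "172.16.8.38", 40000, 800)  # constructed packet
    print(hex(lookup_by_address(OUTBOUND_SAD, pkt)))   # 0x208, order-dependent
    print(hex(lookup_by_selector(OUTBOUND_SAD, pkt)))  # 0x201, chosen by dport
```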