creating an IPsec SA with ports specified - Security


  1. creating an IPsec SA with ports specified

    Hello,

    I am not able to create an IPsec SA with ports specified.
    I've been successful neither with setkey nor programmatically using PF_KEY
    messages.

    I use linux (kernel 2.6.13)

    1) setkey (using version 0.6.4)
    add 10.0.11.41[2365] 10.0.11.33[2416] esp 0x10001
    -E des-cbc 0x3ffe05014819ffff
    -A hmac-md5 "authentication!!";

    2) PF_KEY messages
    I've set protocol to UDP
    And src and dst address populated with ports.

    However, dumping with setkey -Dp still shows the ports as zero:

    10.0.0.11.41[0] 10.0.11.33[0]
    esp mode=transport spi=65537(0x00010001) reqid=0(0x00000000)
    E: des-cbc 3ffe0501 4819ffff
    A: hmac-md5 61757468 656e7469 63617469 6f6e2121
    seq=0x00000000 replay=0 flags=0x00000000 state=mature
    created: Dec 19 10:18:07 2005 current: Dec 19 10:42:02 2005
    diff: 1435(s) hard: 0(s) soft: 0(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=0 pid=6581 refcnt=0

    What am I doing wrong? Or is there a bug?

    Jirka


  2. Re: creating an IPsec SA with ports specified

    Jiri Klimes writes:

    > Hello,
    >
    > I am not able to create an IPsec SA with ports specified.
    > I've been successful neither with setkey nor programmatically using PF_KEY
    > messages.
    >
    > I use linux (kernel 2.6.13)
    >
    > 1) setkey (using version 0.6.4)
    > add 10.0.11.41[2365] 10.0.11.33[2416] esp 0x10001
    > -E des-cbc 0x3ffe05014819ffff
    > -A hmac-md5 "authentication!!";


    What exactly do you want to do by setting ports?

    If you want to protect traffic for only some ports, then this must be
    done in the SPD, not in the SAs.

    If you really want to create static SAs to use UDP encapsulation on
    ports 2365 -> 2416, then my next question will be "do you really hope
    such configuration will work ????"....


    Yvan.

  3. Re: creating an IPsec SA with ports specified

    VANHULLEBUS Yvan wrote:

    > Jiri Klimes writes:
    >
    >> Hello,
    >>
    >> I am not able to create an IPsec SA with ports specified.
    >> I've been successful neither with setkey nor programmatically using
    >> PF_KEY messages.
    >>
    >> I use linux (kernel 2.6.13)
    >>
    >> 1) setkey (using version 0.6.4)
    >> add 10.0.11.41[2365] 10.0.11.33[2416] esp 0x10001
    >> -E des-cbc 0x3ffe05014819ffff
    >> -A hmac-md5 "authentication!!";

    >
    > What exactly do you want to do by setting ports?
    >


    I want to have several SAs which differ in ports.
    So the ports are used as selectors passed through the SPD.

    By the way, it's possible to fill in ports in an SA on Solaris.
    (Then the SA is marked as unique)


    > If you want to protect traffic for only some ports, then this must be
    > done in the SPD, not in the SAs.
    >


    Of course.
    But as I say above, I want to use different SA for different ports.

    > If you really want to create static SAs to use UDP encapsulation on
    > ports 2365 -> 2416, then my next question will be "do you really hope
    > such configuration will work ????"....
    >


    don't know

    Jirka



  4. Re: creating an IPsec SA with ports specified

    Jiri Klimes writes:

    > VANHULLEBUS Yvan wrote:

    [....]
    > > What exactly do you want to do by setting ports?
    > >

    >
    > I want to have several SAs which differs in ports.
    > So the ports are used as selectors passed through SPD.
    >
    > By the way, it's posssible to fill ports in SA on Solaris.
    > (Then the SA is marked as unique)


    Ok.

    Specify your ports only in the SPD, and declare your SPD entries as
    "unique" instead of "require".

    Then set up your SAs without port specification, but with the same
    reqid as the corresponding SPD entry.



    Yvan.
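The configuration Yvan describes, written out as an added example (this is not code from the thread or from ipsec-tools): a POSIX shell script that generates a setkey configuration in which the port selectors live only in the SPD entries, each SPD entry uses the "unique:N" level, and the SAs carry no ports but are bound to the policy through the same reqid via setkey's -u option. It goes one step beyond the thread by emitting two port pairs, i.e. two independent SA pairs selected by port, which is what the original poster asked for. Addresses, the first port pair, SPI 0x10001 and the des-cbc/hmac-md5 keys are the thread's; the reqids, the second port pair, the remaining SPIs and the second key pair are constructed for the example. des-cbc and hmac-md5 are kept only for continuity with the thread; a current deployment would pick an AES cipher and hmac-sha256 from setkey's algorithm list.

```shell
#!/bin/sh
# Added example, not from the thread: per-port IPsec SAs on Linux via setkey,
# using "unique:N" SPD entries bound to SAs by reqid (-u N).

# Emit the SPD pair and the SA pair for one UDP port pair.
# Arguments: reqid local_addr local_port remote_addr remote_port
#            spi_out spi_in esp_key auth_key
emit_unique_policy() {
    reqid=$1; laddr=$2; lport=$3; raddr=$4; rport=$5
    spi_out=$6; spi_in=$7; ekey=$8; akey=$9
cat <<EOF
# reqid ${reqid}: the ports appear only in the SPD entries (the selectors) ...
spdadd ${laddr}[${lport}] ${raddr}[${rport}] udp -P out ipsec esp/transport//unique:${reqid};
spdadd ${raddr}[${rport}] ${laddr}[${lport}] udp -P in ipsec esp/transport//unique:${reqid};
# ... while the SAs carry no ports and are tied to the policy by -u ${reqid}.
# SAs are unidirectional, so one is needed per direction.
add ${laddr} ${raddr} esp ${spi_out} -u ${reqid} -E des-cbc ${ekey} -A hmac-md5 "${akey}";
add ${raddr} ${laddr} esp ${spi_in} -u ${reqid} -E des-cbc ${ekey} -A hmac-md5 "${akey}";
EOF
}

# Generate the whole configuration. flush/spdflush clear existing SAD/SPD
# state first, so do not apply this on a box that already carries IPsec state.
gen_setkey_conf() {
    echo "flush;"
    echo "spdflush;"
    # Port pair and keys from the thread; reqid 1 and SPI 0x10002 are constructed.
    emit_unique_policy 1 10.0.11.41 2365 10.0.11.33 2416 \
        0x10001 0x10002 0x3ffe05014819ffff "authentication!!"
    # Second port pair, reqid, SPIs and keys are all constructed for the example;
    # each SA pair gets its own keys (8-byte DES key, 16-byte HMAC-MD5 key).
    emit_unique_policy 2 10.0.11.41 2366 10.0.11.33 2417 \
        0x10003 0x10004 0x0123456789abcdef "sixteen-byte-key"
}

# Consistency check: every reqid referenced by a unique:N SPD entry must have
# an SA in each direction with -u N, otherwise the kernel finds no SA for that
# policy and the traffic is dropped. Returns 0 when the configuration is consistent.
check_reqids() {
    conf=$(gen_setkey_conf)
    for id in $(printf '%s\n' "$conf" | sed -n 's/.*unique:\([0-9]*\);/\1/p' | sort -u); do
        n=$(printf '%s\n' "$conf" | grep -c -- " -u ${id} ")
        if [ "$n" -lt 2 ]; then
            echo "reqid ${id}: expected an SA in each direction, found ${n}" >&2
            return 1
        fi
    done
    return 0
}

# Write the configuration to the file named in $1, if one was given.
if [ -n "${1:-}" ]; then
    check_reqids && gen_setkey_conf > "$1"
fi
```

Run it as `sh gen-setkey.sh ipsec.conf` (the script name and output file are placeholders) and load the result with `setkey -f ipsec.conf` as root on a kernel with ESP and the chosen algorithms built in. Afterwards `setkey -DP` shows the two policies with their port selectors and `setkey -D` shows the four SAs with ports still reported as zero, which is the expected state: the SA dump in the original post is not the place the ports are meant to show up.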
