issue with outbound SA selection


issue with outbound SA selection

by naveen.bn


Hi All,

I have a problem using SAs with selectors based on <src IP>, <dest IP>
and <dst port> for outbound traffic.
I have written two outbound SAs for the same destination IP with
different destination ports, but I am seeing the wrong SA being
selected for outbound traffic. My concern is why the SA is not getting
selected based on the ports mentioned in the security policy.

FYI, the content of the file setkey.conf:
/************************* start setkey.conf ************************/
flush;
spdflush;

add 172.16.8.36 172.16.8.38[800] esp 0x201 -m tunnel -E 3des-cbc
0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
-A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6;

add 172.16.8.38[500] 172.16.8.36 esp 0x301 -m tunnel -E 3des-cbc
0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
-A hmac-md5 0x96358c90783bbfa3d7b196ceabe0536b;

add 172.16.8.36 172.16.8.38[500] esp 0x208 -m tunnel -E 3des-cbc
0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
-A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6;

# Security policies
spdadd 172.16.8.36 172.16.8.38[800] esp -P out ipsec
         esp/tunnel/172.16.8.36-172.16.8.38/require;

spdadd 172.16.8.38[800] 172.16.8.36 esp -P in ipsec
           esp/tunnel/172.16.8.38-172.16.8.36/require;
/************************* end setkey.conf ************************/


When a packet is sent to dest port 800, the SA which is getting selected
is 0x208 [spi] with dstport 500, instead of 0x201 [spi] with dstport 800.

Please provide the criteria for outbound SA selection and guide me
regarding this issue.
My Linux kernel version is 2.6.23.1-42.fc8.

Thanks and Regards
Naveen

_______________________________________________
freebsd-security@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@..."
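An added example, not part of the thread and not a file from ipsec-tools or FreeBSD: the same setkey.conf rewritten so that each outbound policy names the SA it must use, instead of leaving the choice to the kernel's SA search. It assumes an ipsec-tools setkey that accepts the `-u <id>` extension on `add` and the `unique:<id>` level on `spdadd` (setkey's mechanism for binding a policy to one SA); the addresses, SPIs, algorithms and keys are the ones from the post, the ports are moved from the SA addresses into one SPD selector per port, and the upper-layer protocol in the selectors is `any` rather than `esp`, because the port selector is meant to match the application traffic being protected, not ESP itself. That this changes the SA chosen on the poster's kernel is an assumption, not something the thread establishes.

```conf
# Added example, not the configuration from the post.
flush;
spdflush;

# One outbound SA per destination port. Each SA carries a unique id (-u)
# so that a policy can refer to it. SPIs, algorithms and keys as posted.
add 172.16.8.36 172.16.8.38 esp 0x201 -m tunnel -u 801
    -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
    -A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6;

add 172.16.8.36 172.16.8.38 esp 0x208 -m tunnel -u 501
    -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
    -A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6;

# Inbound SA for the return direction, with the port removed from the
# source address (the port belongs in the policy selector, not the SA).
add 172.16.8.38 172.16.8.36 esp 0x301 -m tunnel
    -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
    -A hmac-md5 0x96358c90783bbfa3d7b196ceabe0536b;

# Outbound policies: the destination port is part of the selector, and
# unique:<id> ties each policy to the SA that was added with the same -u id.
spdadd 172.16.8.36 172.16.8.38[800] any -P out ipsec
    esp/tunnel/172.16.8.36-172.16.8.38/unique:801;

spdadd 172.16.8.36 172.16.8.38[500] any -P out ipsec
    esp/tunnel/172.16.8.36-172.16.8.38/unique:501;

# Inbound policy for traffic from the peer.
spdadd 172.16.8.38 172.16.8.36 any -P in ipsec
    esp/tunnel/172.16.8.38-172.16.8.36/require;
```

After loading this with `setkey -f`, `setkey -DP` shows each outbound policy with its `unique` level and id, and `setkey -D` shows the SAs with their reqid, which is the quickest way to confirm that the policy-to-SA binding the kernel will enforce is the one intended for each port.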

Re: issue with outbound SA selection

by Bjoern A. Zeeb


On Tue, 27 Oct 2009, Naveen BN wrote:

Hi,

let me copy & paste what I replied on bugs@ already.

> My Linux kernel version is 2.6.23.1-42.fc8

Unfortunately this is not a linux but a FreeBSD mailing list.  If your
issue is with a FreeBSD kernel we can certainly help, if you are
running a linux kernel I'd try the linux-ipsec list, which no longer
seems to exist? A good fallback might be linux-net or linux-netdev or a
similar list.  Good luck there.

/bz

--
Bjoern A. Zeeb         It will not break if you know what you are doing.