At Thu, 26 Jul 2007 08:13:02 +0800, blue wrote:
>
> As far as I know, setkey is used for IPsec SP and SA configuration.
> ipsec_set_policy() could transfer a string to "policy request", which is
> defined in RFC 2367 PF_KEY. Internally, setkey() will call
> ipsec_set_policy() to construct the message then send it down to the
> kernel. However, ipsec_set_policy() is used only for SP, not SA.
>

And expanding on this just a bit, there is a difference between a policy (SP) and an association (SA) which is important to understand. A policy describes something more general, such as "Between network A and network B use an IPSEC ESP tunnel for all traffic." while an association is an active communication channel like, "Between address A and address B we have a tunnel using ESP with key X."

There are two databases in the kernel for this, a Security Policy Database which is manipulated using the ipsec_set_policy() routine, and a Security Association Database which is manipulated using direct calls to PF_KEY sockets.
See RFC 2401 for a good intro to these concepts.

Best,
George

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
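To make the SP/SA split in the thread concrete, here is an added example in setkey(8) syntax; it is not part of blue's or George's messages. It is a constructed configuration for a manually keyed ESP tunnel: the gateway addresses (192.0.2.1, 192.0.2.2), the protected networks (10.0.1.0/24, 10.0.2.0/24), the SPIs and the keys are all assumptions chosen for illustration. The `add` statements populate the Security Association Database over PF_KEY and carry concrete keys; the `spdadd` statements populate the Security Policy Database and carry none, and the text after `-P` is the same policy string that ipsec_set_policy(3) turns into a PF_KEY policy request, which is exactly why that routine touches SPs and not SAs.

```conf
# Added example, not from the original thread: a constructed setkey(8)
# script for a manually keyed ESP tunnel between gateways 192.0.2.1 and
# 192.0.2.2 carrying traffic between 10.0.1.0/24 and 10.0.2.0/24.
# Addresses, SPIs and keys are made up for illustration; the keys are
# a counting pattern, not random, and must never be used on a real link.

flush;     # clear the Security Association Database (SAD)
spdflush;  # clear the Security Policy Database (SPD)

# SAD: one SA per direction, each bound to a concrete SPI and concrete
# keys. "add" installs these through the PF_KEY socket (SADB_ADD);
# ipsec_set_policy() plays no part here.
add 192.0.2.1 192.0.2.2 esp 0x10001 -m tunnel
    -E aes-cbc   0x000102030405060708090a0b0c0d0e0f
    -A hmac-sha1 0x000102030405060708090a0b0c0d0e0f10111213 ;
add 192.0.2.2 192.0.2.1 esp 0x10002 -m tunnel
    -E aes-cbc   0x101112131415161718191a1b1c1d1e1f
    -A hmac-sha1 0x202122232425262728292a2b2c2d2e2f30313233 ;

# SPD: states which traffic must be protected and how, but names no
# keys. The string after -P is the policy specification that
# ipsec_set_policy(3) parses into a PF_KEY policy request.
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
    esp/tunnel/192.0.2.1-192.0.2.2/require ;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
    esp/tunnel/192.0.2.2-192.0.2.1/require ;
```

Load it on the 192.0.2.1 gateway with `setkey -f <file>`; the 192.0.2.2 side needs the mirror image (same SAs, `in`/`out` swapped in the policies). `setkey -D` dumps the SAD and `setkey -DP` dumps the SPD, so you can see the two databases separately: the SPD entries will match even before any SA exists, and with `require` the kernel will then drop (or, with IKE, trigger negotiation for) matching traffic rather than send it in the clear.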