[EMAIL PROTECTED] wrote:

At Thu, 26 Jul 2007 11:13:53 +0800,
blue wrote:
Hi, all:

Recently I found the behavior for the command "setkey -FP" is quite different for the latest version IPsec (known as FAST_IPSEC before). Before the command would erase all the existed SP entries; currently the command would not. After digging the codes, I found the state of the SP entries will be set as IPSEC_SPSTATE_DEAD, but the entries will not be unlink from the SPD. Why needs to keep the entry in SPD? Is there any special purpose? Without the removal, it's hard to tell whether the SP entry still takes effect since "setkey -PD" will not show its status. On the other hand, SA is like usual, once the "setkey -F" is typed in, the SA entries will be erased right away.

Can you give an example of this?  On my test systems this works for
me:

dut2 ? cat /etc/ipsec.conf spdadd 10.0.0.1/32 10.0.0.2/32 any -P out ipsec esp/tunnel/10.0.0.1-10.0.0.2/require;
spdadd 10.0.0.2/32 10.0.0.1/32 any -P in ipsec 
esp/tunnel/10.0.0.2-10.0.0.1/require;
add 10.0.0.1 10.0.0.2 esp 0x1000 -E des-cbc 0x3ffe05014819ffff;
dut2 ? setkey -f !$
setkey -f /etc/ipsec.conf
dut2 ? setkey -DP
10.0.0.2[any] 10.0.0.1[any] any
       in ipsec
       esp/tunnel/10.0.0.2-10.0.0.1/require
       spid=13 seq=1 pid=72816
       refcnt=1
10.0.0.1[any] 10.0.0.2[any] any
       out ipsec
       esp/tunnel/10.0.0.1-10.0.0.2/require
       spid=12 seq=0 pid=72816
       refcnt=1
dut2 ? setkey -D
10.0.0.1 10.0.0.2 esp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
       E: des-cbc  3ffe0501 4819ffff
seq=0x00000000 replay=0 flags=0x00000040 state=mature created: Jul 22 23:10:07 2007 current: Jul 22 23:10:12 2007
       diff: 5(s)      hard: 0(s)      soft: 0(s)
       last:                           hard: 0(s)      soft: 0(s)
       current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
       allocated: 0    hard: 0 soft: 0
       sadb_seq=0 pid=72817 refcnt=1
dut2 ? setkey -FP
dut2 ? setkey -DP
No SPD entries.
dut2 ?
Best,
George

Hi,

I was tracing the codes so had the conclusion. in key_spdflush() in key.c, the loop

   for (dir = 0; dir < IPSEC_DIR_MAX; dir++) {
       SPTREE_LOCK();
       LIST_FOREACH(sp, &sptree[dir], chain)
           sp->state = IPSEC_SPSTATE_DEAD;
       SPTREE_UNLOCK();
   }

only sets policy entry's status as DEAD, but not remove it from the SPD. On the other hand, in KAME implementation (known as IPSEC in previous FreeBSD version), the SP entry will be removed.

   for (sp = TAILQ_FIRST(&sptailq); sp; sp = nextsp) {
       nextsp = TAILQ_NEXT(sp, tailq);
       if (sp->persist)
           continue;
       if (sp->state == IPSEC_SPSTATE_DEAD)
           continue;
       key_sp_dead(sp);
       key_sp_unlink(sp);
       sp = NULL;
   }

Thanks.

BR,

blue
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to