[EMAIL PROTECTED] wrote:
At Thu, 26 Jul 2007 11:13:53 +0800,
blue wrote:
Hi, all:
Recently I found that the behavior of the command "setkey -FP" is quite
different in the latest IPsec version (known as FAST_IPSEC before).
Before, the command would erase all the existing SP entries; currently it
does not. After digging through the code, I found that the state of the SP
entries is set to IPSEC_SPSTATE_DEAD, but the entries are not
unlinked from the SPD. Why does the entry need to be kept in the SPD? Is
there any special purpose? Without the removal, it's hard to tell whether
the SP entry still takes effect, since "setkey -PD" will not show its
status. On the other hand, SAs behave as usual: once "setkey -F" is typed,
the SA entries are erased right away.
Can you give an example of this? On my test systems this works for
me:
dut2# cat /etc/ipsec.conf
spdadd 10.0.0.1/32 10.0.0.2/32 any -P out ipsec esp/tunnel/10.0.0.1-10.0.0.2/require;
spdadd 10.0.0.2/32 10.0.0.1/32 any -P in ipsec esp/tunnel/10.0.0.2-10.0.0.1/require;
add 10.0.0.1 10.0.0.2 esp 0x1000 -E des-cbc 0x3ffe05014819ffff;
dut2# setkey -f !$
setkey -f /etc/ipsec.conf
dut2# setkey -DP
10.0.0.2[any] 10.0.0.1[any] any
    in ipsec
    esp/tunnel/10.0.0.2-10.0.0.1/require
    spid=13 seq=1 pid=72816
    refcnt=1
10.0.0.1[any] 10.0.0.2[any] any
    out ipsec
    esp/tunnel/10.0.0.1-10.0.0.2/require
    spid=12 seq=0 pid=72816
    refcnt=1
dut2# setkey -D
10.0.0.1 10.0.0.2
    esp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
    E: des-cbc  3ffe0501 4819ffff
    seq=0x00000000 replay=0 flags=0x00000040 state=mature
    created: Jul 22 23:10:07 2007    current: Jul 22 23:10:12 2007
    diff: 5(s)    hard: 0(s)    soft: 0(s)
    last:         hard: 0(s)    soft: 0(s)
    current: 0(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 0    hard: 0    soft: 0
    sadb_seq=0 pid=72817 refcnt=1
dut2# setkey -FP
dut2# setkey -DP
No SPD entries.
dut2#
Best,
George
Hi,
I was tracing the code, which is how I reached that conclusion. In
key_spdflush() in key.c, the loop
    for (dir = 0; dir < IPSEC_DIR_MAX; dir++) {
        SPTREE_LOCK();
        LIST_FOREACH(sp, &sptree[dir], chain)
            sp->state = IPSEC_SPSTATE_DEAD;    /* marked dead, but left on the chain */
        SPTREE_UNLOCK();
    }
only sets the policy entry's state to DEAD, but does not remove it from
the SPD. On the other hand, in the KAME implementation (known as IPSEC in
previous FreeBSD versions), the SP entry is removed:
    for (sp = TAILQ_FIRST(&sptailq); sp; sp = nextsp) {
        nextsp = TAILQ_NEXT(sp, tailq);    /* saved first: sp is unlinked below */
        if (sp->persist)
            continue;
        if (sp->state == IPSEC_SPSTATE_DEAD)
            continue;
        key_sp_dead(sp);
        key_sp_unlink(sp);                 /* actually taken out of the SPD */
        sp = NULL;
    }
Thanks.
BR,
blue
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
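The difference the two messages above argue about, shown as an added example (editor's code, not from the thread, from FreeBSD's key.c, or from KAME): a user-space model of both flush strategies over a small policy list. The FAST_IPSEC-style flush only flips every entry to DEAD and leaves it linked; the KAME-style flush unlinks and frees every non-persistent live entry and, as in the loop blue quoted, skips entries that are already DEAD. The IPSEC_* constants, the field names, the hand-rolled list (the kernel uses the <sys/queue.h> LIST_*/TAILQ_* macros) and the rule that the `setkey -DP` view hides DEAD entries are assumptions for illustration; the thread only shows that the dump prints "No SPD entries." after the flush. The practical check this demonstrates: an empty `setkey -DP` listing tells you no policy is live, not that the entry is gone from the kernel, and a DEAD-but-linked entry is invisible to a later KAME-style flush as well.

```c
/* Added example, not code from the thread or from FreeBSD's key.c: a
 * user-space model of the two SPD flush strategies blue compares.  Lists
 * are hand-rolled (the kernel uses <sys/queue.h>); the IPSEC_* values,
 * field names and "setkey -DP skips DEAD entries" are assumptions. */
#include <stdio.h>
#include <stdlib.h>

enum { IPSEC_DIR_INBOUND, IPSEC_DIR_OUTBOUND, IPSEC_DIR_MAX };
enum { IPSEC_SPSTATE_DEAD, IPSEC_SPSTATE_ALIVE };

struct secpolicy {
    struct secpolicy *next; /* stand-in for LIST_ENTRY(secpolicy) chain */
    unsigned spid;          /* the spid= value setkey -DP prints */
    int state;              /* IPSEC_SPSTATE_ALIVE or IPSEC_SPSTATE_DEAD */
    int persist;            /* KAME: entry survives a flush */
};

static struct secpolicy *sptree[IPSEC_DIR_MAX]; /* one list head per direction */

static void spd_add(int dir, unsigned spid, int persist)
{
    struct secpolicy *sp = calloc(1, sizeof *sp);
    if (sp == NULL)
        abort();
    sp->spid = spid;
    sp->state = IPSEC_SPSTATE_ALIVE;
    sp->persist = persist;
    sp->next = sptree[dir];                   /* LIST_INSERT_HEAD */
    sptree[dir] = sp;
}

/* FAST_IPSEC-style key_spdflush(): mark every policy DEAD, unlink nothing. */
static void spdflush_mark_dead(void)
{
    for (int dir = 0; dir < IPSEC_DIR_MAX; dir++)
        for (struct secpolicy *sp = sptree[dir]; sp; sp = sp->next)
            sp->state = IPSEC_SPSTATE_DEAD;
}

/* KAME-style flush: skip persistent and already-DEAD entries, mark and
 * unlink the rest.  Returns how many entries actually left the SPD. */
static int spdflush_unlink(void)
{
    int removed = 0;
    for (int dir = 0; dir < IPSEC_DIR_MAX; dir++) {
        struct secpolicy **pp = &sptree[dir];
        while (*pp) {
            struct secpolicy *sp = *pp;
            if (sp->persist || sp->state == IPSEC_SPSTATE_DEAD) {
                pp = &sp->next;               /* keep it, walk on */
                continue;
            }
            sp->state = IPSEC_SPSTATE_DEAD;   /* key_sp_dead() */
            *pp = sp->next;                   /* key_sp_unlink() */
            free(sp);
            removed++;
        }
    }
    return removed;
}

/* Model of `setkey -DP`: with include_dead == 0 it lists only live entries
 * (our assumption about the tool); with 1 it shows everything the kernel
 * still has linked.  Returns the number of entries listed. */
static int spd_dump(int include_dead)
{
    int shown = 0;
    for (int dir = 0; dir < IPSEC_DIR_MAX; dir++)
        for (struct secpolicy *sp = sptree[dir]; sp; sp = sp->next) {
            if (sp->state == IPSEC_SPSTATE_DEAD && !include_dead)
                continue;
            printf("\t%s ipsec spid=%u state=%s\n",
                   dir == IPSEC_DIR_INBOUND ? "in" : "out", sp->spid,
                   sp->state == IPSEC_SPSTATE_DEAD ? "dead" : "alive");
            shown++;
        }
    if (shown == 0)
        printf("No SPD entries.\n");
    return shown;
}

static void spd_free_all(void) /* cleanup: drop everything, whatever its state */
{
    for (int dir = 0; dir < IPSEC_DIR_MAX; dir++)
        while (sptree[dir]) {
            struct secpolicy *sp = sptree[dir];
            sptree[dir] = sp->next;
            free(sp);
        }
}

int main(void)
{
    spd_add(IPSEC_DIR_OUTBOUND, 12, 0);       /* constructed sample policies */
    spd_add(IPSEC_DIR_INBOUND, 13, 0);
    spdflush_mark_dead();
    printf("FAST_IPSEC flush, setkey -DP view:\n");
    spd_dump(0);
    printf("FAST_IPSEC flush, still linked in the kernel:\n");
    spd_dump(1);
    spd_free_all();
    spd_add(IPSEC_DIR_OUTBOUND, 12, 0);
    spd_add(IPSEC_DIR_INBOUND, 13, 1);        /* persistent policy */
    printf("KAME flush removed %d\n", spdflush_unlink());
    spd_dump(1);
    spd_free_all();
    return 0;
}
```

Running it prints "No SPD entries." for the `setkey -DP` view after the FAST_IPSEC-style flush while the all-entries view still lists both policies as dead, and for the KAME-style flush reports one entry removed with only the persistent one left. If you need to know whether a flushed policy still occupies kernel memory on a real system, this listing cannot tell you; inspect the kernel state directly.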