Hi All,

I'm trying to implement IPsec for OSPFv3 as per RFC 4552 on Linux kernel version 3.16.39. The requirement is to support IPsec encryption/authentication for OSPFv3 traffic. As of now, this can be achieved by the following set of SA and SP rules:

ip xfrm state add src :: dst ff02::5 proto ah spi 0x401 mode transport auth "hmac(sha1)" 0x12345678123456781234567812345678
ip xfrm state add src :: dst ff02::6 proto ah spi 0x401 mode transport auth "hmac(sha1)" 0x12345678123456781234567812345678
ip xfrm state add src <sip> dst <dst_ip> proto ah spi 0x401 mode transport auth "hmac(sha1)" 0x12345678123456781234567812345678
ip xfrm state add src <dst_ip> dst <sip> proto ah spi 0x401 mode transport auth "hmac(sha1)" 0x12345678123456781234567812345678
ip xfrm policy add dir out src <sip> dst 0::0/0 dev e101-049-0 proto ospf priority 2147483648 tmpl proto ah spi 0x401 mode transport level use
ip xfrm policy add dir in src 0::0/0 dst 0::0/0 dev e101-049-0 proto ospf priority 2147483648 tmpl proto ah spi 0x401 mode transport level use

One can notice that it needs four SA rules to achieve IPsec for a single OSPF interface. Instead of these four rules, can we have a single rule with the DIP as a wildcard mask and the xfrm state search based on SPI, family and proto alone? As of now, the API "__xfrm_state_lookup" searches based on SPI, family, proto and dest_addr. Is there any way I can achieve the SA lookup without dest_addr and with only SPI, family and proto? Any help or pointers is greatly appreciated.

Regards,
Bala
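The six-command set from the post, as an added example that is not part of the original message: the two multicast SAs, the unicast SA for each direction and the two policies are wrapped in one setup function and one teardown function per interface, so the same SPI and key are applied consistently and can be removed again. The interface name e101-049-0 and the link-local addresses fe80::1/fe80::2 used in the demo are constructed placeholders. The key-length check is an assumption added here, not something the post does: it insists on a 160-bit key (0x plus 40 hex digits), the HMAC-SHA1 key length RFC 4552 calls for. RUN defaults to echo, so the script only prints the ip xfrm commands; running it with RUN= (and root) executes them.

```sh
#!/bin/sh
# Added example, not part of the original post: per-interface AH setup
# and teardown for OSPFv3 as described in the post. RUN controls
# execution: the default "echo" prints the ip xfrm commands (dry run);
# RUN= sh ospf6_ah.sh demo executes them and needs root.
RUN="${RUN-echo}"

# Assumed check, not something the post does: require a 160-bit key
# ("0x" + 40 hex digits), the HMAC-SHA1 key length RFC 4552 calls for.
ospf6_ah_key_ok() {
    printf '%s\n' "$1" | grep -Eq '^0x[0-9a-fA-F]{40}$'
}

# Usage: ospf6_ah_setup IFACE LOCAL_IP PEER_IP SPI KEYHEX
ospf6_ah_setup() {
    iface=$1 local_ip=$2 peer_ip=$3 spi=$4 key=$5
    if ! ospf6_ah_key_ok "$key"; then
        echo "ospf6_ah_setup: key must be 0x followed by 40 hex digits" >&2
        return 1
    fi
    # As the post notes, the inbound SA lookup is keyed on destination
    # address as well as SPI/proto/family, so each destination OSPFv3
    # traffic uses gets its own SA: AllSPFRouters (ff02::5), AllDRouters
    # (ff02::6) and the unicast pair between this router and its peer.
    for dst in ff02::5 ff02::6; do
        $RUN ip xfrm state add src :: dst "$dst" proto ah spi "$spi" \
            mode transport auth "hmac(sha1)" "$key"
    done
    $RUN ip xfrm state add src "$local_ip" dst "$peer_ip" proto ah spi "$spi" \
        mode transport auth "hmac(sha1)" "$key"
    $RUN ip xfrm state add src "$peer_ip" dst "$local_ip" proto ah spi "$spi" \
        mode transport auth "hmac(sha1)" "$key"
    # Policies select OSPF (IP protocol 89) on this interface only and
    # reference the SAs by SPI; "level use" makes the transform optional,
    # so traffic still passes when no matching SA exists.
    $RUN ip xfrm policy add dir out src "$local_ip" dst ::/0 dev "$iface" proto ospf \
        priority 2147483648 tmpl proto ah spi "$spi" mode transport level use
    $RUN ip xfrm policy add dir in src ::/0 dst ::/0 dev "$iface" proto ospf \
        priority 2147483648 tmpl proto ah spi "$spi" mode transport level use
}

# Usage: ospf6_ah_teardown IFACE LOCAL_IP PEER_IP SPI
# Removes the policies first so nothing references the SAs being deleted.
ospf6_ah_teardown() {
    iface=$1 local_ip=$2 peer_ip=$3 spi=$4
    $RUN ip xfrm policy delete dir out src "$local_ip" dst ::/0 dev "$iface" proto ospf
    $RUN ip xfrm policy delete dir in src ::/0 dst ::/0 dev "$iface" proto ospf
    for dst in ff02::5 ff02::6; do
        $RUN ip xfrm state delete src :: dst "$dst" proto ah spi "$spi"
    done
    $RUN ip xfrm state delete src "$local_ip" dst "$peer_ip" proto ah spi "$spi"
    $RUN ip xfrm state delete src "$peer_ip" dst "$local_ip" proto ah spi "$spi"
}

# Dry-run demonstration with constructed interface, addresses and key:
#   sh ospf6_ah.sh demo
if [ "${1-}" = demo ]; then
    ospf6_ah_setup e101-049-0 fe80::1 fe80::2 0x401 \
        0x0123456789abcdef0123456789abcdef01234567
fi
```

Because the functions take the interface, addresses and SPI as parameters, adding a second OSPFv3 interface is a second call rather than another hand-typed set of six commands, and the teardown removes exactly what the setup added, which matters when keys are rotated and stale SAs with the old key would otherwise keep matching on SPI.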