RE: port bound SAs
From: Paul Moore <hidden>
Date: 2009-01-28 18:27:09
aha - so with racoon (which uses pfkey) I cannot make this work. This kind of seems broken - doesn't it? racoon is a very common IKE daemon. So what IKE daemon should I be using on linux?

FYI, on solaris they do 2367 it differently (I know this because I am in the middle of porting racoon to solaris): the ACQUIRE message to user land has port selectors in it (linux does not, and racoon accidentally barfs if they are there), and the ADD and UPDATE messages from user land contain selectors and the kernel expects them (racoon leaves them set randomly; fortunately Linux pfkey throws them away). This is why solaris does the right thing in terms of wire behavior. Its selector code knows about ports (using its own IKE daemon).

The simple solution is to stop the pfkey interface throwing the port numbers away, and then I can change racoon to send them (which I had to do for the solaris port).

-----Original Message-----
From: Patrick McHardy [mailto:kaber@trash.net]
Sent: Wednesday, January 28, 2009 10:12 AM
To: Paul Moore
Cc: David Miller; netdev@vger.kernel.org
Subject: Re: port bound SAs

Paul Moore wrote:
So how do I get an SA with a port set on it?

You don't, using pfkey. Use reqid or ip xfrm.
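What "use reqid or ip xfrm" looks like in practice, as an added example that is not part of this thread: transport-mode ESP SAs whose selectors are bound to a TCP port, installed through the xfrm netlink interface with iproute2 rather than PF_KEY, and policies that bind traffic to those SAs by reqid. Addresses, SPIs, the reqid and the keys are constructed test values; set IP=echo to print the commands instead of installing them (installing needs root).

```shell
#!/bin/sh
# Added example, not code from the thread: port-bound SAs via ip xfrm.
# All addresses, SPIs, reqid and keys below are constructed test values.
IP="${IP:-ip}"          # IP=echo for a dry run
SRC=10.0.0.1 DST=10.0.0.2 PORT=22 REQID=1
ENC_KEY=0x0123456789abcdef0123456789abcdef                                  # 128-bit AES, test key
AUTH_KEY=0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef # 256-bit HMAC, test key

# add_sa SRC DST SPI UPSPEC: one ESP SA whose selector carries a port, e.g.
# UPSPEC="proto tcp dport 22". UPSPEC is split on purpose (shellcheck SC2086).
add_sa() {
    # shellcheck disable=SC2086
    "$IP" xfrm state add src "$1" dst "$2" proto esp spi "$3" reqid "$REQID" mode transport \
        enc 'cbc(aes)' "$ENC_KEY" auth-trunc 'hmac(sha256)' "$AUTH_KEY" 128 \
        sel src "$1/32" dst "$2/32" $4
}

# add_policy SRC DST UPSPEC DIR: policy whose template selects the SA by reqid,
# so only the port-bound SA above can satisfy it.
add_policy() {
    # shellcheck disable=SC2086
    "$IP" xfrm policy add src "$1/32" dst "$2/32" $3 dir "$4" \
        tmpl src "$1" dst "$2" proto esp reqid "$REQID" mode transport
}

# Both directions of one TCP service: client->server matches on dport,
# the reverse SA and policy match on sport.
setup_port_bound_pair() {
    add_sa "$SRC" "$DST" 0x1000 "proto tcp dport $PORT"
    add_policy "$SRC" "$DST" "proto tcp dport $PORT" out
    add_sa "$DST" "$SRC" 0x1001 "proto tcp sport $PORT"
    add_policy "$DST" "$SRC" "proto tcp sport $PORT" in
}

# Check: the listed state should show the selector with the port, not a bare address pair.
show_port_bound() {
    "$IP" xfrm state list reqid "$REQID"
}

if [ "${1:-}" = apply ]; then
    setup_port_bound_pair && show_port_bound
fi
```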