RE: xfrm selector generating IKE

(off-list ancestor, not in this archive)
port bound SAs · Paul Moore <hidden> · 2009-01-26
Re: port bound SAs · David Miller <davem@davemloft.net> · 2009-01-27
Re: port bound SAs · Patrick McHardy <hidden> · 2009-01-27
RE: port bound SAs · Paul Moore <hidden> · 2009-01-27
Re: port bound SAs · Patrick McHardy <hidden> · 2009-01-27
RE: port bound SAs · Paul Moore <hidden> · 2009-01-27
Re: port bound SAs · Patrick McHardy <hidden> · 2009-01-27
RE: port bound SAs · Paul Moore <hidden> · 2009-01-27
Re: port bound SAs · David Miller <davem@davemloft.net> · 2009-01-27
RE: port bound SAs · Paul Moore <hidden> · 2009-01-27
Re: port bound SAs · Patrick McHardy <hidden> · 2009-01-27
RE: port bound SAs · Paul Moore <hidden> · 2009-01-27
Re: port bound SAs · Patrick McHardy <hidden> · 2009-01-27
RE: port bound SAs · Paul Moore <hidden> · 2009-01-27
Re: port bound SAs · Patrick McHardy <hidden> · 2009-01-27
RE: port bound SAs · Paul Moore <hidden> · 2009-01-28
Re: port bound SAs · Patrick McHardy <hidden> · 2009-01-28
RE: port bound SAs · Paul Moore <hidden> · 2009-01-28
Re: port bound SAs · Patrick McHardy <hidden> · 2009-01-28
RE: port bound SAs · Paul Moore <hidden> · 2009-01-28
Re: port bound SAs · Herbert Xu <herbert@gondor.apana.org.au> · 2009-01-30
xfrm selector generating IKE · Paul Moore <hidden> · 2009-02-24
Re: xfrm selector generating IKE · Herbert Xu <herbert@gondor.apana.org.au> · 2009-02-24
RE: xfrm selector generating IKE · Paul Moore <hidden> · 2009-02-24
Re: xfrm selector generating IKE · Herbert Xu <herbert@gondor.apana.org.au> · 2009-02-25
RE: xfrm selector generating IKE · Paul Moore <hidden> · 2009-02-25
Re: xfrm selector generating IKE · Herbert Xu <herbert@gondor.apana.org.au> · 2009-02-25
RE: xfrm selector generating IKE · Paul Moore <hidden> · 2009-02-25
Re: xfrm selector generating IKE · Herbert Xu <herbert@gondor.apana.org.au> · 2009-02-25
RE: port bound SAs · Paul Moore <hidden> · 2009-01-29
RE: port bound SAs · Paul Moore <hidden> · 2009-01-27

From: Paul Moore <hidden>
Date: 2009-02-25 02:30:44

could u suggest a numbering for my 4 rules - as I said , no combination
I have tried works

// for outbound connections
subnet -> subnet[21] out
subnet[21] -> subnet in
// for inbound connections
subnet[21] -> subnet out
subnet -> subnet[21] in

-----Original Message-----
From: Herbert Xu [mailto:herbert@gondor.apana.org.au] 
Sent: Tuesday, February 24, 2009 6:28 PM
To: Paul Moore
Cc: kaber@trash.net; davem@davemloft.net; netdev@vger.kernel.org
Subject: Re: xfrm selector generating IKE

On Tue, Feb 24, 2009 at 06:07:06PM -0800, Paul Moore wrote:

You seem to be saying that that if I explicitly set the policy reqids
that it should work. 

I had experimented with that a lot 

The problem is that I cannot find a good combination of reqids

It's very simple, you want each equivalent class of SAs (i.e.,
SAs where any one can replace the other) to be assigned a unique
reqid.

The Openswan algorithm simply assigns an ID to each policy (or
connection as it stores them internally), and then uses that ID
as the reqid.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} [off-list ref]
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help