This is a discussion on creating an IPsec SA with ports specified within the Linux Security forums, part of the System Security and Security Related category.
Hello,

I am not able to create an IPsec SA with ports specified. I've been successful neither with setkey nor programmatically using PF_KEY messages.

I use Linux (kernel 2.6.13).

1) setkey (using version 0.6.4)

    add 10.0.11.41[2365] 10.0.11.33[2416] esp 0x10001
        -E des-cbc 0x3ffe05014819ffff
        -A hmac-md5 "authentication!!";

2) PF_KEY messages

I've set the protocol to UDP, and src and dst addresses populated with ports.

However, dumping with setkey -Dp still shows ports zero:

    10.0.11.41[0] 10.0.11.33[0]
        esp mode=transport spi=65537(0x00010001) reqid=0(0x00000000)
        E: des-cbc 3ffe0501 4819ffff
        A: hmac-md5 61757468 656e7469 63617469 6f6e2121
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Dec 19 10:18:07 2005 current: Dec 19 10:42:02 2005
        diff: 1435(s) hard: 0(s) soft: 0(s)
        last: hard: 0(s) soft: 0(s)
        current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 0 hard: 0 soft: 0
        sadb_seq=0 pid=6581 refcnt=0

What am I doing wrong? Or is there a bug?

Jirka

Jiri Klimes <klimes@centrum.cz> writes:
> Hello,
>
> I am not able to create an IPsec SA with ports specified.
> I've been successful neither with setkey nor programmatically using PF_KEY
> messages.
>
> I use linux (kernel 2.6.13)
>
> 1) setkey (using version 0.6.4)
> add 10.0.11.41[2365] 10.0.11.33[2416] esp 0x10001
> -E des-cbc 0x3ffe05014819ffff
> -A hmac-md5 "authentication!!";

What exactly do you want to do by setting up ports?

If you want to protect traffic for only some ports, then this must be done in the SPD, not in the SAs.

If you really want to create static SAs to use UDP encapsulation on ports 2365 -> 2416, then my next question will be "do you really hope such a configuration will work?"...

Yvan.

VANHULLEBUS Yvan wrote:
> Jiri Klimes <klimes@centrum.cz> writes:
>
>> Hello,
>>
>> I am not able to create an IPsec SA with ports specified.
>> I've been successful neither with setkey nor programmatically using
>> PF_KEY messages.
>>
>> I use linux (kernel 2.6.13)
>>
>> 1) setkey (using version 0.6.4)
>> add 10.0.11.41[2365] 10.0.11.33[2416] esp 0x10001
>> -E des-cbc 0x3ffe05014819ffff
>> -A hmac-md5 "authentication!!";
>
> What do you want exactly to do by setting up ports ?
>

I want to have several SAs which differ in ports. So the ports are used as selectors passed through the SPD.

By the way, it's possible to fill in ports in an SA on Solaris. (Then the SA is marked as unique.)

> If you want to protect traffic for only some ports, then this must be
> done in the SPD, not in the SAs.
>

Of course. But as I say above, I want to use different SAs for different ports.

> If you really want to create static SAs to use UDP encapsulation on
> ports 2365 -> 2416, then my next question will be "do you really hope
> such configuration will work ????"....
>

Don't know.

Jirka

Jiri Klimes <klimes@centrum.cz> writes:
> VANHULLEBUS Yvan wrote:
[....]
>> What do you want exactly to do by setting up ports ?
>>
>
> I want to have several SAs which differ in ports.
> So the ports are used as selectors passed through the SPD.
>
> By the way, it's possible to fill in ports in an SA on Solaris.
> (Then the SA is marked as unique.)

Ok.

Specify your ports only in the SPD, and declare your SPD entries as "unique" instead of "require". Then set up your SAs without port specification, but with the same reqid as the corresponding SPD entry.

Yvan.
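A worked setkey configuration for the approach Yvan describes, added here as an example and not taken from the thread: the ports appear only in the SPD, each SPD entry uses the unique level with a reqid, and each manual SA carries no ports but is tied to that reqid with the -u extension, so the kernel selects a different SA per port pair. The addresses, algorithms and the first key pair are those from Jirka's post; the second port pair (2366 -> 2417), the SPIs 0x10002 to 0x10004, the reqids 1001 to 1004 and the second set of keys are assumptions chosen for illustration.

```conf
# Added example (not from the thread): one manual SA pair per UDP port pair,
# selected through the SPD with unique:<reqid>, not through ports on the SA.
# Addresses, algorithms and the first key pair are from the original post;
# SPIs 0x10002-0x10004, reqids 1001-1004, the port pair 2366 -> 2417 and the
# second key set are assumptions chosen for this example.

flush;
spdflush;

# --- Port pair 2365 -> 2416: the SAs carry no ports, only a reqid (-u) ---
add 10.0.11.41 10.0.11.33 esp 0x10001 -m transport -u 1001
    -E des-cbc 0x3ffe05014819ffff
    -A hmac-md5 "authentication!!";
add 10.0.11.33 10.0.11.41 esp 0x10002 -m transport -u 1002
    -E des-cbc 0x3ffe05014819ffff
    -A hmac-md5 "authentication!!";

# The ports live here. "unique:1001" binds this policy to the SA with
# reqid 1001 and to no other SA.
spdadd 10.0.11.41[2365] 10.0.11.33[2416] udp -P out ipsec
    esp/transport//unique:1001;
spdadd 10.0.11.33[2416] 10.0.11.41[2365] udp -P in ipsec
    esp/transport//unique:1002;

# --- Port pair 2366 -> 2417: a second SA pair, chosen by a different reqid ---
add 10.0.11.41 10.0.11.33 esp 0x10003 -m transport -u 1003
    -E des-cbc 0x0123456789abcdef
    -A hmac-md5 "example-key-2366";
add 10.0.11.33 10.0.11.41 esp 0x10004 -m transport -u 1004
    -E des-cbc 0xfedcba9876543210
    -A hmac-md5 "example-key-2417";

spdadd 10.0.11.41[2366] 10.0.11.33[2417] udp -P out ipsec
    esp/transport//unique:1003;
spdadd 10.0.11.33[2417] 10.0.11.41[2366] udp -P in ipsec
    esp/transport//unique:1004;
```

Load it as root with `setkey -f <file>`, then verify with `setkey -D` (each SA should now show a non-zero reqid, e.g. `reqid=1001`) and `setkey -DP` (each policy should show the port selectors and `unique`). The SA addresses still print with `[0]` ports; that is expected, because the selection happens in the SPD. Two caveats: the unique reqid must be in the range setkey(8) allows (1 to 32767), and des-cbc with hmac-md5 is kept here only to match the post; both are weak, and a real deployment should use aes-cbc or stronger with hmac-sha1 or stronger and a distinct key per SA.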