issue with outbound SA selection

Board: FB_security, posted 16 years ago (2009/10/27 20:01)
Hi All,

I have a problem using SAs with selectors based on <src IP>, <dest IP> and <dst port> for outbound traffic.

I have written two outbound SAs for the same destination IP with different destination ports, but I am seeing that the wrong SA has been selected for outbound traffic.

My concern is why the SA is not getting selected based on the ports mentioned in the security policy.

FYI, content of file setkey.conf:

/************************* start setkey.conf ************************/
flush;
spdflush;

add 172.16.8.36 172.16.8.38[800] esp 0x201 -m tunnel -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831 -A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6;

add 172.16.8.38[500] 172.16.8.36 esp 0x301 -m tunnel -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df -A hmac-md5 0x96358c90783bbfa3d7b196ceabe0536b;

add 172.16.8.36 172.16.8.38[500] esp 0x208 -m tunnel -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831 -A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6;

# Security policies
spdadd 172.16.8.36 172.16.8.38[800] esp -P out ipsec esp/tunnel/172.16.8.36-172.16.8.38/require;

spdadd 172.16.8.38[800] 172.16.8.36 esp -P in ipsec esp/tunnel/172.16.8.38-172.16.8.36/require;
/************************* end setkey.conf ************************/

When a packet is sent to dest port 800, the SA which is getting selected is 0x208 [spi] with dstport 500 instead of 0x201 [spi] with dstport 800.

Please provide the criteria for outbound SA selection, and please guide me regarding this issue.

My Linux kernel version is 2.6.23.1-42.fc8

Thanks and Regards
Naveen

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Article code (AID): #1Avk403c (FB_security)