Hi,
The ipsecif(4) manual page has the paragraph:
The related security associations can be established by an IKE daemon such
as racoon(8). They can also be manipulated manually by setkey(8) with
the -u option which sets a security policy's unique id.
I'm looking for an example showing how to do this with racoon(8).
For setkey(8), I found an example in ATF. The test first creates
the ipsec0 device (here I used commands lifted from ipsecif(4)):
ifconfig ipsec0
ipsec0: flags=0xc051<UP,POINTOPOINT,RUNNING,LINK2,MULTICAST> mtu 1280
tunnel inet 192.168.0.1 --> 192.168.0.2
status: active
inet6 fe80::ba27:ebff:fec5:b750%ipsec0/64 -> flags 0 scopeid 0x4
inet 172.16.100.1/32 -> 172.16.200.1 flags 0
which, in turn, creates the ipsec kernel policies (SPDs):
192.168.0.2[any] 192.168.0.1[any] 4(ipv4)
in ipsec
esp/transport//unique#16385
spid=1 seq=3 pid=29608
refcnt=0
et al.
The ATF script then extracts the unique reqid (#16385 et al.) from the
output and feeds that to `setkey -u` to create a matching kernel state
(SADBs).
For racoon(8), though, I'm at a loss. I'm hoping it uses an elegant
programmatic solution for obtaining the reqid but so far I've had no
luck finding it. What I've come up with are:
- something like ioctl(ipsec0, SIOCGLIFPHYADDR)
but, looking at ifconfig, that doesn't seem to return the MSGID; and I
don't see any other code to either extract the value (or, for that
matter, force it as in `ifconfig ipsec0 msgid 100` say).
- monitoring pfkey for the addition of the policy
While I'm seeing:
"west" #2: sadb_msg @0 version=2 type=14(X_SPDADD) errno=0
satype=0(SATYPE_UNSPEC) len=88(11*8) reserved=0000 seq=0 pid=0
"west" #2: sadb_x_policy @16 len=24(3*8)
exttype=18(X_EXT_POLICY) type=2(POLICY_IPSEC) dir=1(DIR_INBOUND)
flags=0 id=5 reserved2=00000000
"west" #2: sadb_x_ipsecrequest @32 len=8(8*1)
proto=50(PROTO_ESP) mode=1(MODE_TRANSPORT) level=3(LEVEL_UNIQUE)
reqid=16389
I don't see any way, other than magic field matching, to tie this back
to iface0. On other systems, the value of if_nametoindex(ipsec0) is
included, viz:
#define sadb_x_policy_reserved sadb_x_policy_scope
/* Policy with ifnet scope uses priority field to store ifindex */
#define sadb_x_policy_ifindex sadb_x_policy_priority
Any other pointers or suggestions?
Andrew
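The setkey(8) half of the procedure described in the post above (dump the ipsecif SPD, pull out each policy's unique reqid, and bind an SA to it with `-u`) as a worked example. This is added here and is not code from the post, from the NetBSD ATF tests or from ipsecif(4); the `setkey -DP` sample is constructed from the output format shown in the post, and the hexadecimal keys, SPI numbers and the aes-cbc/hmac-sha256 choice are placeholders, not values the page gives.

```shell
#!/bin/sh
# Constructed sample of `setkey -DP` output for an ipsecif(4) tunnel:
# one inbound and one outbound policy, each carrying a unique reqid.
SAMPLE_SPD=$(cat <<'EOF'
192.168.0.2[any] 192.168.0.1[any] 4(ipv4)
	in ipsec
	esp/transport//unique#16385
	spid=1 seq=3 pid=29608
	refcnt=0
192.168.0.1[any] 192.168.0.2[any] 4(ipv4)
	out ipsec
	esp/transport//unique#16386
	spid=2 seq=2 pid=29608
	refcnt=0
EOF
)

# Read a `setkey -DP` dump on stdin and print "src dst reqid" per policy.
# The policy's src/dst are the packet's src/dst, so the SA that serves the
# policy is "add src dst ..." with the same two addresses.
spd_reqids() {
    awk '
        /\[any\]/ {
            src = $1; dst = $2
            sub(/\[any\]$/, "", src); sub(/\[any\]$/, "", dst)
        }
        match($0, /unique#[0-9]+/) {
            # "unique#" is 7 characters; the rest of the match is the reqid
            print src, dst, substr($0, RSTART + 7, RLENGTH - 7)
        }
    '
}

# Turn the policies on stdin into setkey(8) "add" lines. The -u extension
# ties each SA to the SPD entry with that unique id. SPIs count up from $1;
# $2 and $3 are the ESP encryption and authentication keys in 0x... form
# (placeholders here; in practice use distinct, freshly generated keys
# per direction).
gen_setkey() {
    spi=$1
    enc_key=$2
    auth_key=$3
    spd_reqids | while read -r src dst reqid; do
        printf 'add %s %s esp %d -u %s -m transport -E aes-cbc %s -A hmac-sha256 %s;\n' \
            "$src" "$dst" "$spi" "$reqid" "$enc_key" "$auth_key"
        spi=$((spi + 1))
    done
}

# Dry run against the constructed sample (no kernel state is touched).
printf '%s\n' "$SAMPLE_SPD" | gen_setkey 10000 \
    0x00112233445566778899aabbccddeeff \
    0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f

# Live usage on a NetBSD host (assumed command sequence, run as root):
#   ifconfig ipsec0 create
#   ifconfig ipsec0 tunnel 192.168.0.1 192.168.0.2
#   ifconfig ipsec0 inet 172.16.100.1/32 172.16.200.1
#   ifconfig ipsec0 up
#   setkey -DP | gen_setkey 10000 0x<enc key> 0x<auth key> | setkey -c
#   setkey -D     # the new SAs should show the matching reqids
```

The reqid is read back from the SPD dump rather than predicted because, as the post notes, the kernel assigns it and nothing in ifconfig(8) lets you set or query it directly. Each direction gets its own SPI and its own `-u`, so an SA created for the inbound policy cannot be matched against the outbound one.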