tech-net archive


Re: example of ipsecif and racoon?



Hi,

does https://www.netbsd.org/docs/network/ipsec/ help?

 - Hubert 


On 27.09.2024 at 17:31, Andrew Cagney <andrew.cagney%gmail.com@localhost> wrote:

Hi,

The ipsecif(4) manual page has the paragraph:

    The related security associates can be established by an IKE daemon such
    as racoon(8).  They can also be manipulated manually by setkey(8) with
    the -u option which sets a security policy's unique id.

I'm looking for an example showing how to do this with racoon(8).

For setkey(8), I found an example in ATF.  The test first creates
the ipsec0 device (here I used commands lifted from ipsecif(4)):

ifconfig ipsec0
ipsec0: flags=0xc051<UP,POINTOPOINT,RUNNING,LINK2,MULTICAST> mtu 1280
   tunnel inet 192.168.0.1 --> 192.168.0.2
   status: active
   inet6 fe80::ba27:ebff:fec5:b750%ipsec0/64 ->  flags 0 scopeid 0x4
   inet 172.16.100.1/32 -> 172.16.200.1 flags 0

which, in turn, creates the ipsec kernel policies (SPDs):

192.168.0.2[any] 192.168.0.1[any] 4(ipv4)
   in ipsec
   esp/transport//unique#16385
   spid=1 seq=3 pid=29608
   refcnt=0
et.al.

The ATF script then extracts the unique reqid (#16385 et.al.) from the
output and feeds that to `setkey -u` to create a matching kernel state
(SADBs).

For racoon(8), though, I'm at a loss. I'm hoping it uses an elegant
programmatic solution for obtaining the reqid but so far I've had no
luck finding it.  What I've come up with are:

- something like ioctl(ipsec0, SIOCGLIFPHYADDR)
but, looking at ifconfig, that doesn't seem to return the MSGID; and I
don't see any other code to either extract the value (or, for that
matter, force it as in `ifconfig ipsec0 msgid 100` say).

- monitoring pfkey for the addition of the policy
While I'm seeing:
 "west" #2:   sadb_msg @0 version=2 type=14(X_SPDADD) errno=0
satype=0(SATYPE_UNSPEC) len=88(11*8) reserved=0000 seq=0 pid=0
 "west" #2:     sadb_x_policy @16 len=24(3*8)
exttype=18(X_EXT_POLICY) type=2(POLICY_IPSEC) dir=1(DIR_INBOUND)
flags=0 id=5 reserved2=00000000
 "west" #2:     sadb_x_ipsecrequest @32 len=8(8*1)
proto=50(PROTO_ESP) mode=1(MODE_TRANSPORT) level=3(LEVEL_UNIQUE)
reqid=16389
I don't see any way, other than magic field matching, to tie this back
to iface0.  On other systems, the value of if_nametoindex(ipsec0) is
included, viz.:
 #define sadb_x_policy_reserved  sadb_x_policy_scope
 /* Policy with ifnet scope uses priority field to store ifindex */
 #define sadb_x_policy_ifindex   sadb_x_policy_priority

Any other pointers or suggestions?

Andrew
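As an added illustration of the setkey(8) path Andrew describes (not code from the thread, NetBSD or its ATF tests), the following Python parses `setkey -DP`-style SPD output in the shape quoted above, pulls the `unique#` reqid out of each policy, and renders the matching setkey `add` line that binds an SA to that policy with `-u`, as the ipsecif(4) excerpt describes. It also extracts the reqid from a pfkey `X_SPDADD` trace like the one in the mail. The sample dumps are constructed here (the outbound policy is invented to stand in for the "et.al." entries), the SPI, algorithm and key arguments are caller-supplied placeholders, and the exact `add` syntax is assumed from the setkey(8) grammar rather than taken from the page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the `setkey -DP` output quoted in the
# mail; the second (outbound) entry is made up here to stand in for the
# "et.al." policies that ifconfig creates alongside the inbound one.
SPD_DUMP = """\
192.168.0.2[any] 192.168.0.1[any] 4(ipv4)
\tin ipsec
\tesp/transport//unique#16385
\tspid=1 seq=3 pid=29608
\trefcnt=0
192.168.0.1[any] 192.168.0.2[any] 4(ipv4)
\tout ipsec
\tesp/transport//unique#16386
\tspid=2 seq=2 pid=29608
\trefcnt=0
"""

# Constructed pfkey trace, modelled on the X_SPDADD message shown in the mail.
PFKEY_TRACE = """\
sadb_msg @0 version=2 type=14(X_SPDADD) errno=0 satype=0(SATYPE_UNSPEC) len=88(11*8) reserved=0000 seq=0 pid=0
sadb_x_policy @16 len=24(3*8) exttype=18(X_EXT_POLICY) type=2(POLICY_IPSEC) dir=1(DIR_INBOUND) flags=0 id=5 reserved2=00000000
sadb_x_ipsecrequest @32 len=8(8*1) proto=50(PROTO_ESP) mode=1(MODE_TRANSPORT) level=3(LEVEL_UNIQUE) reqid=16389
"""


@dataclass
class Policy:
    src: str
    dst: str
    direction: str
    proto: str          # esp / ah / ipcomp
    mode: str           # transport / tunnel
    level: str          # default / use / require / unique
    reqid: Optional[int]  # only present for level "unique"
    spid: int


# "192.168.0.2[any] 192.168.0.1[any] 4(ipv4)"
HEADER = re.compile(r"^([^\s\[]+)\[[^\]]+\]\s+([^\s\[]+)\[[^\]]+\]\s+\d+\(\w+\)$")
# "esp/transport//unique#16385"  (third field is the tunnel endpoints, empty here)
REQUEST = re.compile(r"^(\w+)/(\w+)/[^/]*/(\w+)(?:#(\d+))?$")
SPID = re.compile(r"spid=(\d+)")
PFKEY_REQID = re.compile(r"sadb_x_ipsecrequest.*?reqid=(\d+)", re.S)


def parse_spd(dump: str) -> List[Policy]:
    """Turn a `setkey -DP` dump into Policy records, one per SPD entry."""
    policies: List[Policy] = []
    cur: Optional[dict] = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2), "direction": "",
                   "proto": "", "mode": "", "level": "", "reqid": None}
            continue
        if cur is None:
            continue  # e.g. the trailing refcnt= line of a finished entry
        parts = line.split()
        if len(parts) == 2 and parts[1] in ("ipsec", "discard", "none"):
            cur["direction"] = parts[0]
            continue
        m = REQUEST.match(line)
        if m:
            cur["proto"], cur["mode"], cur["level"] = m.group(1), m.group(2), m.group(3)
            cur["reqid"] = int(m.group(4)) if m.group(4) else None
            continue
        m = SPID.search(line)
        if m:
            cur["spid"] = int(m.group(1))
            policies.append(Policy(**cur))
            cur = None
    return policies


def sa_config(p: Policy, spi: str, enc: str, enc_key: str, auth: str, auth_key: str) -> str:
    """Render the setkey(8) `add` line for an SA bound to this policy via -u.

    The SA's src/dst follow the policy's (an inbound policy describes
    traffic peer -> us, so the SA does too).  SPI, algorithms and keys are
    placeholders supplied by the caller.
    """
    if p.level != "unique" or p.reqid is None:
        raise ValueError(f"spid={p.spid} is not a unique-level policy; -u does not apply")
    return (f"add {p.src} {p.dst} {p.proto} {spi} -m {p.mode} -u {p.reqid} "
            f"-E {enc} {enc_key} -A {auth} {auth_key};")


def reqid_from_pfkey_trace(trace: str) -> Optional[int]:
    """Pull the reqid out of the sadb_x_ipsecrequest extension of a pfkey dump."""
    m = PFKEY_REQID.search(trace)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    for pol in parse_spd(SPD_DUMP):
        print(sa_config(pol, "0xSPI_PLACEHOLDER", "aes-cbc", "0xENC_KEY_PLACEHOLDER",
                        "hmac-sha256", "0xAUTH_KEY_PLACEHOLDER"))
    print("pfkey reqid:", reqid_from_pfkey_trace(PFKEY_TRACE))
```

The generated lines are what an ATF-style script would pipe into `setkey -c`; the parser is the "magic field matching" step, since the SPD dump carries no interface name, so in practice the policies still have to be picked out by their src/dst pair against the tunnel endpoints shown by ifconfig.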

