From owner-freebsd-security@FreeBSD.ORG Tue Oct 27 11:37:20 2009
Message-ID: <4AE6D27A.8060700@globaledgesoft.com>
Date: Tue, 27 Oct 2009 16:29:06 +0530
From: Naveen BN
To: freebsd-security
Cc: ram, "naveen.bn", Chaitra Shankar
Subject: issue with outbound SA selection

Hi All,

I have a problem using SA with selectors based on , and for outbound traffic. I have written two outbound SAs for the same destination IP with different destination ports, but I am seeing that the wrong SA is selected for outbound traffic. My concern is why the SA is not selected based on the ports mentioned in the security policy.

FYI..
Content of file setkey.conf:

/************************* start setkey.conf ************************/
flush;
spdflush;
add 172.16.8.36 172.16.8.38[800] esp 0x201 -m tunnel -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831 -A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6;
add 172.16.8.38[500] 172.16.8.36 esp 0x301 -m tunnel -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df -A hmac-md5 0x96358c90783bbfa3d7b196ceabe0536b;
add 172.16.8.36 172.16.8.38[500] esp 0x208 -m tunnel -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831 -A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6;
# Security policies
spdadd 172.16.8.36 172.16.8.38[800] esp -P out ipsec esp/tunnel/172.16.8.36-172.16.8.38/require;
spdadd 172.16.8.38[800] 172.16.8.36 esp -P in ipsec esp/tunnel/172.16.8.38-172.16.8.36/require;
/************************* end setkey.conf ************************/

When a packet is sent to dest port 800, the SA which gets selected is 0x208 [spi] with dstport 500 instead of 0x201 [spi] with dstport 800.

Please provide the criteria for outbound SA selection; please guide me regarding this issue.
My Linux kernel version is 2.6.23.1-42.fc8

Thanks and Regards
Naveen

From owner-freebsd-security@FreeBSD.ORG Tue Oct 27 13:35:08 2009
Message-ID: <20091027133313.W91695@maildrop.int.zabbadoz.net>
In-Reply-To: <4AE6D27A.8060700@globaledgesoft.com>
References: <4AE6D27A.8060700@globaledgesoft.com>
Date: Tue, 27 Oct 2009 13:33:47 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Naveen BN
Cc: freebsd-security, Chaitra Shankar, ram
Subject: Re: issue with outbound SA selection

On Tue, 27 Oct 2009, Naveen BN wrote:

Hi,

let me copy & paste what I replied on bugs@ already.

> My Linux kernel version is 2.6.23.1-42.fc8

Unfortunately this is not a Linux but a FreeBSD mailing list. If your issue is with a FreeBSD kernel we can certainly help; if you are running a Linux kernel I'd try the linux-ipsec list, which no longer seems to exist? A good fallback might be linux-net or linux-netdev or a similar list.

Good luck there.

/bz

-- 
Bjoern A. Zeeb
It will not break if you know what you are doing.
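As an added illustration (not part of the thread, and not an answer the list gave), here is a small audit script that parses the setkey.conf from the first message and reports the condition behind the symptom Naveen describes: two outbound SAs to the same peer that differ only by a port in their `add` entry, and the outbound policy whose address pair both of them cover. The statement regexes and the 0xKEY key placeholders are assumptions of the example.

```python
"""Added example (not from the thread): lint a setkey.conf for outbound SA ambiguity."""
import re
from collections import defaultdict

# Constructed input: the setkey.conf from the question, with keys replaced by 0xKEY.
SAMPLE_CONF = """
flush;
spdflush;
add 172.16.8.36 172.16.8.38[800] esp 0x201 -m tunnel -E 3des-cbc 0xKEY -A hmac-md5 0xKEY;
add 172.16.8.38[500] 172.16.8.36 esp 0x301 -m tunnel -E 3des-cbc 0xKEY -A hmac-md5 0xKEY;
add 172.16.8.36 172.16.8.38[500] esp 0x208 -m tunnel -E 3des-cbc 0xKEY -A hmac-md5 0xKEY;
# Security policies
spdadd 172.16.8.36 172.16.8.38[800] esp -P out ipsec esp/tunnel/172.16.8.36-172.16.8.38/require;
spdadd 172.16.8.38[800] 172.16.8.36 esp -P in ipsec esp/tunnel/172.16.8.38-172.16.8.36/require;
"""

ENDPOINT = r"(\S+?)(?:\[(\d+)\])?"  # address with an optional [port] suffix
SA_RE = re.compile(rf"^add\s+{ENDPOINT}\s+{ENDPOINT}\s+(\w+)\s+(0x[0-9a-fA-F]+)")
SP_RE = re.compile(rf"^spdadd\s+{ENDPOINT}\s+{ENDPOINT}\s+\S+\s+-P\s+(in|out)")

def parse(conf):
    """Return (sas, sps) as lists of dicts; statements end with ';' and may span lines."""
    sas, sps = [], []
    text = "\n".join(ln for ln in conf.splitlines() if not ln.lstrip().startswith("#"))
    for stmt in text.split(";"):
        stmt = " ".join(stmt.split())  # collapse newlines and runs of whitespace
        if m := SA_RE.match(stmt):
            src, sport, dst, dport, proto, spi = m.groups()
            sas.append(dict(src=src, sport=sport, dst=dst, dport=dport, proto=proto, spi=spi))
        elif m := SP_RE.match(stmt):
            src, sport, dst, dport, direction = m.groups()
            sps.append(dict(src=src, sport=sport, dst=dst, dport=dport, dir=direction))
    return sas, sps

def ambiguous_sas(sas):
    """SPIs of SAs sharing (src, dst, proto): only a port in the SA entry tells them apart."""
    groups = defaultdict(list)
    for sa in sas:
        groups[(sa["src"], sa["dst"], sa["proto"])].append(sa["spi"])
    return {k: v for k, v in groups.items() if len(v) > 1}

def policies_with_multiple_sas(sas, sps):
    """Outbound policies whose address pair is covered by more than one manual SA."""
    findings = {}
    for sp in (p for p in sps if p["dir"] == "out"):
        spis = [sa["spi"] for sa in sas if (sa["src"], sa["dst"]) == (sp["src"], sp["dst"])]
        if len(spis) > 1:
            findings[(sp["src"], sp["dst"], sp["dport"])] = spis
    return findings
```

Run against the sample, it flags SPIs 0x201 and 0x208 as indistinguishable by address and protocol, and the `-P out` policy to port 800 as covered by both, which is exactly the pair the question says were confused.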