From owner-freebsd-bugs@FreeBSD.ORG Tue Oct 27 11:14:48 2009
Delivered-To: freebsd-bugs@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 39117106568D; Tue, 27 Oct 2009 11:14:48 +0000 (UTC) (envelope-from naveen.bn@globaledgesoft.com)
Received: from gesmail.globaledgesoft.com (gesmail.globaledgesoft.com [203.76.137.4]) by mx1.freebsd.org (Postfix) with ESMTP id 8D01D8FC0C; Tue, 27 Oct 2009 11:14:47 +0000 (UTC)
Received: from naveen.globaledgesoft.com (unknown [172.16.8.36]) by gesmail.globaledgesoft.com (Postfix) with ESMTP id 2A3F217B42E; Tue, 27 Oct 2009 16:44:46 +0530 (IST)
Message-ID: <4AE6D1B6.5080706@globaledgesoft.com>
Date: Tue, 27 Oct 2009 16:25:50 +0530
From: Naveen BN
User-Agent: Thunderbird 2.0.0.6 (X11/20070926)
MIME-Version: 1.0
To: freebsd
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Cc: ram, "naveen.bn", Chaitra Shankar
Subject: issue with outbound SA selection
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports
X-List-Received-Date: Tue, 27 Oct 2009 11:14:48 -0000

Hi All,

I have a problem using SAs with selectors based on , and for outbound traffic. I have written two outbound SAs for the same destination IP with different destination ports, but I am seeing that the wrong SA has been selected for outbound traffic. My concern is why the SA is not getting selected based on the ports mentioned in the security policy. FYI..
Content of file setkey.conf:

/************************* start setkey.conf ************************/
flush;
spdflush;
add 172.16.8.36 172.16.8.38[800] esp 0x201 -m tunnel -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831 -A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6;
add 172.16.8.38[500] 172.16.8.36 esp 0x301 -m tunnel -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df -A hmac-md5 0x96358c90783bbfa3d7b196ceabe0536b;
add 172.16.8.36 172.16.8.38[500] esp 0x208 -m tunnel -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831 -A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6;

# Security policies
spdadd 172.16.8.36 172.16.8.38[800] esp -P out ipsec esp/tunnel/172.16.8.36-172.16.8.38/require;
spdadd 172.16.8.38[800] 172.16.8.36 esp -P in ipsec esp/tunnel/172.16.8.38-172.16.8.36/require;
/************************* end setkey.conf ************************/

When a packet is sent to dest port 800, the SA which is getting selected is 0x208 [SPI] with dst port 500 instead of 0x201 [SPI] with dst port 800.

Please provide the criteria for outbound SA selection, and please guide me regarding this issue.

My Linux kernel version is 2.6.23.1-42.fc8

Thanks and Regards
Naveen
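Added example, not part of the original post or of setkey itself: a small Python parser for the posted setkey.conf that, for each outbound spdadd policy, lists every added SA whose protocol, mode and outer address pair match the policy's tunnel endpoints while ignoring the [port] selectors. It does not model the kernel's SA selection (that is the question the post asks); it only makes visible what the config text itself shows, namely that SPI 0x201 and SPI 0x208 differ only in the destination port selector, so a policy that names just the tunnel endpoints 172.16.8.36-172.16.8.38 has two address-level candidates. The conf is embedded as posted (with the mail client's bold markers removed); all function and class names are my own.

```python
"""Parse a setkey.conf and report, per outbound policy, the SAs that match on
protocol, mode and outer addresses alone (port selectors ignored).

Added example, not code from the original post.  It does not reproduce the
kernel's SA lookup; it only surfaces address-level overlap between SAs.
"""
import re
from dataclasses import dataclass
from typing import Optional

# The reporter's setkey.conf as posted (bold markers removed).  The keys are
# the reporter's published test values and are reproduced only for parsing.
SETKEY_CONF = """
flush;
spdflush;
add 172.16.8.36 172.16.8.38[800] esp 0x201 -m tunnel
    -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
    -A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6;
add 172.16.8.38[500] 172.16.8.36 esp 0x301 -m tunnel
    -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
    -A hmac-md5 0x96358c90783bbfa3d7b196ceabe0536b;
add 172.16.8.36 172.16.8.38[500] esp 0x208 -m tunnel
    -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
    -A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6;
# Security policies
spdadd 172.16.8.36 172.16.8.38[800] esp -P out ipsec esp/tunnel/172.16.8.36-172.16.8.38/require;
spdadd 172.16.8.38[800] 172.16.8.36 esp -P in ipsec esp/tunnel/172.16.8.38-172.16.8.36/require;
"""

# address, optional /prefixlen (spdadd ranges), optional [port] selector
ENDPOINT_RE = re.compile(r"^(?P<addr>[0-9A-Fa-f.:]+)(?:/(?P<plen>\d+))?(?:\[(?P<port>\w+)\])?$")


@dataclass(frozen=True)
class Endpoint:
    addr: str
    port: Optional[str] = None  # None when no [port] selector was written


@dataclass(frozen=True)
class SA:
    src: Endpoint
    dst: Endpoint
    proto: str   # esp / ah / ipcomp
    spi: int
    mode: str    # tunnel / transport / any


@dataclass(frozen=True)
class Policy:
    src: Endpoint
    dst: Endpoint
    upper: str       # upper-layer protocol selector as written ("esp" in the post)
    direction: str   # in / out / fwd
    proto: str       # protocol from the ipsec rule, e.g. "esp"
    mode: str        # "tunnel" or "transport"
    tunnel: tuple    # (outer src, outer dst) for tunnel mode, else (None, None)
    level: str       # require / use / default / unique


def parse_endpoint(tok: str) -> Endpoint:
    m = ENDPOINT_RE.match(tok)
    if not m:
        raise ValueError(f"unrecognised address token {tok!r}")
    return Endpoint(m.group("addr"), m.group("port"))


def statements(text: str):
    """Yield each ';'-terminated statement as a token list, '#' comments stripped."""
    body = " ".join(line.split("#", 1)[0] for line in text.splitlines())
    for stmt in body.split(";"):
        toks = stmt.split()
        if toks:
            yield toks


def parse_conf(text: str):
    sas, policies = [], []
    for toks in statements(text):
        if toks[0] == "add":
            mode = toks[toks.index("-m") + 1] if "-m" in toks else "any"
            sas.append(SA(parse_endpoint(toks[1]), parse_endpoint(toks[2]),
                          toks[3], int(toks[4], 16), mode))
        elif toks[0] == "spdadd":
            direction = toks[toks.index("-P") + 1]
            rule = toks[toks.index("ipsec") + 1]          # esp/tunnel/A-B/require
            proto, mode, endpoints, level = rule.split("/")
            tunnel = tuple(endpoints.split("-")) if endpoints else (None, None)
            policies.append(Policy(parse_endpoint(toks[1]), parse_endpoint(toks[2]),
                                   toks[3], direction, proto, mode, tunnel, level))
        # flush / spdflush carry no SAD or SPD content
    return sas, policies


def candidate_sas(policy: Policy, sas):
    """SAs sharing the policy's protocol, mode and outer address pair; ports ignored."""
    want = policy.tunnel if policy.mode == "tunnel" else (policy.src.addr, policy.dst.addr)
    return [sa for sa in sas
            if sa.proto == policy.proto
            and sa.mode in (policy.mode, "any")
            and (sa.src.addr, sa.dst.addr) == want]


def outbound_candidates(text: str):
    """Map each 'out' policy selector to its [(spi, dst port selector)] candidates."""
    sas, policies = parse_conf(text)
    result = {}
    for p in policies:
        if p.direction != "out":
            continue
        selector = (f"{p.src.addr}[{p.src.port or '*'}] -> "
                    f"{p.dst.addr}[{p.dst.port or '*'}] {p.upper}")
        result[selector] = [(hex(sa.spi), sa.dst.port) for sa in candidate_sas(p, sas)]
    return result


def ambiguous_policies(text: str):
    """Outbound policies with more than one SA matching on addresses alone."""
    return {sel: c for sel, c in outbound_candidates(text).items() if len(c) > 1}


if __name__ == "__main__":
    for selector, cands in outbound_candidates(SETKEY_CONF).items():
        print(selector)
        for spi, port in cands:
            print(f"  SA spi={spi} dst port selector={port or 'none'}")
```

Run against the posted config, the single out policy reports two candidates, 0x201 (dst port selector 800) and 0x208 (dst port selector 500), which is the overlap a practitioner would want to confirm before asking how the kernel orders them; on the live host the same SAD and SPD can be dumped with `setkey -D` and `setkey -DP`.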