From owner-freebsd-bugs@FreeBSD.ORG Fri Oct 16 09:37:20 2009 Return-Path: Delivered-To: freebsd-bugs@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 70498106568B for ; Fri, 16 Oct 2009 09:37:20 +0000 (UTC) (envelope-from naveen.bn@globaledgesoft.com) Received: from gesmail.globaledgesoft.com (gesmail.globaledgesoft.com [203.76.137.4]) by mx1.freebsd.org (Postfix) with ESMTP id E7CC08FC08 for ; Fri, 16 Oct 2009 09:37:18 +0000 (UTC) Received: from naveen.globaledgesoft.com (unknown [172.16.8.36]) by gesmail.globaledgesoft.com (Postfix) with ESMTP id E679017B429 for ; Fri, 16 Oct 2009 14:49:49 +0530 (IST) Message-ID: <4AD8367E.5080401@globaledgesoft.com> Date: Fri, 16 Oct 2009 14:31:50 +0530 From: Naveen BN User-Agent: Thunderbird 2.0.0.6 (X11/20070926) MIME-Version: 1.0 To: freebsd Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: problem creating ipsec tunnel mode policy X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 16 Oct 2009 09:37:20 -0000 Hi All, I am using linux implemented ipsec layer . I am trying to create a tunnel mode policy using pf_key management API. Please find the below code for framing tunnel mode secured policy. I am not able to create a security policy . Please help me to resolve this issue. > INT32 ipsec_spd_add(INT32 dir, INT32 proto, INT32 level, INT8 * addr1, > UINT16 sPort, INT8 * addr2, UINT16 dPort, INT8 * > proxy_addr) { > INT8 *buf = NULL; > INT32 off = 0; > INT32 len = 0; > INT32 so = 0; > SEC_SOCKADDR_T sa1; > SEC_SOCKADDR_T sa2; > SEC_SOCKADDR_T proxy; > struct sadb_address *proxy_ext; > struct sadb_x_policy *policy; > struct sadb_x_ipsecrequest *req; > > /*Address1 */ > xmemset(&sa1, 0, sizeof(SEC_SOCKADDR_T)); > sa1.sin_family = OSA_PF_INET; > sa1.sin_port = htons(sPort); > /* it returns zero, if input is invalid */ > if (SEC_INET_ATON(addr1, &(sa1.sin_addr)) == 0) { > printf("invalid address\n"); > return IPSEC_ERROR; > } > > /*Address2 */ > xmemset(&sa2, 0, sizeof(SEC_SOCKADDR_T)); > sa2.sin_family = OSA_PF_INET; > sa2.sin_port = htons(dPort); > /* it returns zero, if input is invalid */ > if (SEC_INET_ATON(addr2, &(sa2.sin_addr)) == 0) { > printf("invalid address\n"); > return IPSEC_ERROR; > } > > /*Proxy */ > if (proxy_addr) { > xmemset(&proxy, 0, sizeof(SEC_SOCKADDR_T)); > proxy.sin_family = OSA_PF_INET; > proxy.sin_port = 0; > /* it returns zero, if input is invalid */ > if (SEC_INET_ATON(proxy_addr, &(proxy.sin_addr)) == 0) { > printf("invalid address\n"); > return IPSEC_ERROR; > } > } > //buf = (INT8 *)xcalloc(1,1024); > buf = xcalloc(1, 1024); > if (buf == NULL) { > printf("cant allocate enough memory\n"); > return IPSEC_ERROR; > } > xmemset(buf, 0, 1024); > if ((so = pfkey_open()) < 0) { > printf("pfkey_open() error\n"); > SEC_FREE(buf); > return IPSEC_ERROR; > } > > len = PFKEY_ALIGN8(sizeof(struct sadb_x_policy)); > > //policy = (struct sadb_x_policy *)&pbuf->buf[pbuf->off]; > policy = (struct sadb_x_policy *)&buf[off]; > xmemset(policy, 0, sizeof(*policy)); > policy->sadb_x_policy_len = PFKEY_UNIT64(len); > /* update later */ > policy->sadb_x_policy_exttype = SADB_X_EXT_POLICY; > policy->sadb_x_policy_type = IPSEC_POLICY_IPSEC; > policy->sadb_x_policy_dir = dir; //IPSEC_DIR_OUTBOUND; > > off += len; > > len = PFKEY_ALIGN8(sizeof(struct sadb_x_ipsecrequest)); > > req = (struct sadb_x_ipsecrequest *)&buf[off]; > xmemset(req, 0, sizeof(struct sadb_x_ipsecrequest)); > req->sadb_x_ipsecrequest_len = len; /* updated later */ > req->sadb_x_ipsecrequest_proto = proto; > req->sadb_x_ipsecrequest_mode =(proxy_addr == NULL ? > IPSEC_MODE_TRANSPORT > : IPSEC_MODE_TUNNEL); > req->sadb_x_ipsecrequest_level = level; > > off += len; > > if (proxy_addr) { > len=PFKEY_ALIGN8(sizeof(struct sadb_address)); > proxy_ext=(struct sadb_address*)&buf[off]; > xmemset(proxy_ext,0,sizeof(struct sadb_address)); > proxy_ext->sadb_address_len=PFKEY_UNIT64(len); > proxy_ext->sadb_address_exttype=SADB_EXT_ADDRESS_PROXY; > off +=len; > printf("\n ############ Filling proxy_addr message > ##########"); //len = PFKEY_ALIGN8(proxy->sa_len); > len = PFKEY_ALIGN8(sizeof(SA)); > xmemset(&buf[off], 0, len); > //xmemcpy(&pbuf->buf[pbuf->off], proxy, proxy->sa_len); > xmemcpy(&buf[off], &proxy, sizeof(SA)); > req->sadb_x_ipsecrequest_len += len; > off += len; > } > > policy->sadb_x_policy_len = PFKEY_UNIT64(off); > > if ((pfkey_send_spdadd(so, (SA *) & sa1, 32, (SA *) & sa2, 32, > 255, > (caddr_t) buf, off, 0)) < 0) { > printf("pfkey_send_spdadd() error\n"); > SEC_FREE(buf); > return IPSEC_ERROR; > } > free(buf); > return IPSEC_SUCCESS; > } Regards Naveen