From owner-freebsd-hackers@FreeBSD.ORG Tue Oct 18 07:50:57 2005
From: Jan Mikael Melen
To: freebsd-hackers@freebsd.org, freebsd-net@freebsd.org
Date: Tue, 18 Oct 2005 10:50:24 +0300
User-Agent: KMail/1.8
Message-Id: <200510181050.27530.jan@melen.org>
Subject: Unique IPsec security policies
List-Id: Technical Discussions relating to FreeBSD

Hi,

Is there a reason why the policies that are defined as unique can't be updated through the pfkey interface? What I'm trying to do is this:

1. I create an SP entry and let the kernel assign a request id for the policy (reqid in the add is 0). This policy is a tunnel mode policy and I don't have the outer addresses set at this point. Only the inner addresses are set, so I'll get the SADB_ACQUIRE message with the inner addresses.

2. When my keying daemon gets the acquire from the kernel I run the key exchange and then I send an update to the SP with the previously gotten reqid and with the outer addresses, but it fails and the kernel prints out:

"key_msg2sp: reqid=16384 range violation, updated by kernel."

This message comes from sys/netkey/key.c:1488. It's obvious when I'm adding a new SP entry that this check is done, but when updating the SP shouldn't it just check that the value given in the update matches the one assigned earlier?

Cheers,
Jan
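The two steps described in the post, replayed as an added example (this is not code from the post or from the FreeBSD/KAME tree): a small C model of the reqid handling in key_msg2sp() that reproduces the log line quoted above. It assumes the values IPSEC_LEVEL_UNIQUE = 3 and IPSEC_MANUAL_REQID_MAX = 0x3fff from the stack's ipsec.h, defines them locally so it builds without the kernel headers, and simplifies the kernel's automatic allocator so that its first value is 16384, the number in the quoted message. The names reqid_allocator, model_key_newreqid, model_key_msg2sp_reqid and replay_post_scenario are the example's own.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Values from netinet6/ipsec.h (KAME) / netipsec/ipsec.h (FreeBSD),
 * defined here so the example compiles on any host. */
#define IPSEC_LEVEL_UNIQUE      3
#define IPSEC_MANUAL_REQID_MAX  0x3fff   /* 16383: largest reqid userland may pick itself */

/* Model of the kernel's automatic reqid allocator. Real kernels keep this in a
 * static variable; the start value and the wrap rule are simplified here
 * (assumption) so that the first reqid handed out is 16384, as in the post. */
struct reqid_allocator {
    uint32_t last;   /* last reqid handed out; always > IPSEC_MANUAL_REQID_MAX */
};

void reqid_allocator_init(struct reqid_allocator *a)
{
    a->last = IPSEC_MANUAL_REQID_MAX;
}

uint32_t model_key_newreqid(struct reqid_allocator *a)
{
    if (a->last == UINT32_MAX)
        a->last = IPSEC_MANUAL_REQID_MAX;   /* wrap back to the bottom of the kernel range */
    return ++a->last;
}

struct reqid_result {
    bool     range_violation;  /* true when the "range violation, updated by kernel" path ran */
    uint32_t reqid;            /* reqid the policy ends up with */
};

/* Model of the reqid logic in key_msg2sp() for one ipsecrequest. Only the
 * unique level is modelled, since that is the case the post is about; other
 * levels are passed through untouched. The same function is used by the
 * kernel for both SPDADD and SPDUPDATE, which is why an update runs into the
 * same check as an add. */
struct reqid_result model_key_msg2sp_reqid(struct reqid_allocator *a,
                                           uint8_t level, uint32_t requested)
{
    struct reqid_result r = { false, requested };

    if (level != IPSEC_LEVEL_UNIQUE)
        return r;

    if (requested > IPSEC_MANUAL_REQID_MAX) {
        /* Userland may only choose reqids up to IPSEC_MANUAL_REQID_MAX; anything
         * above that is the kernel's range, so the value is dropped and replaced. */
        fprintf(stderr, "key_msg2sp: reqid=%u range violation, updated by kernel.\n",
                requested);
        r.range_violation = true;
        r.reqid = 0;
    }
    if (r.reqid == 0)                         /* 0 means "kernel, assign one for me" */
        r.reqid = model_key_newreqid(a);
    return r;
}

/* Step 1: add with reqid 0 and let the kernel assign one.
 * Step 2: update the same policy, echoing back the reqid the kernel assigned.
 * Returns true when step 2 trips the range check, as it did for the poster. */
bool replay_post_scenario(uint32_t *assigned, uint32_t *after_update)
{
    struct reqid_allocator a;
    reqid_allocator_init(&a);

    struct reqid_result add = model_key_msg2sp_reqid(&a, IPSEC_LEVEL_UNIQUE, 0);
    struct reqid_result upd = model_key_msg2sp_reqid(&a, IPSEC_LEVEL_UNIQUE, add.reqid);

    *assigned = add.reqid;
    *after_update = upd.reqid;
    return upd.range_violation;
}

int main(void)
{
    uint32_t assigned, after_update;
    bool tripped = replay_post_scenario(&assigned, &after_update);
    printf("add:    kernel assigned reqid %u\n", assigned);
    printf("update: range check %s, policy now has reqid %u\n",
           tripped ? "tripped" : "passed", after_update);
    return 0;
}
```

What the model makes visible is that the two ranges do not overlap: userland may choose reqids up to 0x3fff, and everything the kernel assigns lies above that. Any reqid the kernel handed out in step 1 is therefore, by construction, above the limit the update path checks in step 2, so echoing it back through SPDUPDATE is guaranteed to hit the "range violation" branch and be replaced with a fresh value rather than matched against the one assigned earlier.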