From owner-freebsd-net@FreeBSD.ORG Tue Oct 18 08:22:34 2005
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2D05916A420 for ; Tue, 18 Oct 2005 08:22:34 +0000 (GMT) (envelope-from yvan.vanhullebus@netasq.com)
Received: from smtp.netasq.com (netasq.netasq.com [213.30.137.178]) by mx1.FreeBSD.org (Postfix) with ESMTP id C0A8843D46 for ; Tue, 18 Oct 2005 08:22:33 +0000 (GMT) (envelope-from yvan.vanhullebus@netasq.com)
Received: from [10.0.0.126] (unknown [10.0.0.4]) by smtp.netasq.com (Postfix) with ESMTP id C9E3D201BF for ; Tue, 18 Oct 2005 10:19:35 +0200 (CEST)
Received: by yvan.netasq.int (Postfix, from userid 1000) id 20A7354A6; Tue, 18 Oct 2005 10:22:30 +0200 (CEST)
Date: Tue, 18 Oct 2005 10:22:30 +0200
From: VANHULLEBUS Yvan
To: freebsd-net@freebsd.org
Message-ID: <20051018082230.GA61303@yvan.netasq.int>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200510181050.27530.jan@melen.org>
User-Agent: All mail clients suck. This one just sucks less.
Subject: Re: Unique IPsec security policies
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Tue, 18 Oct 2005 08:22:34 -0000

On Tue, Oct 18, 2005 at 10:50:24AM +0300, Jan Mikael Melen wrote:
> Hi,
>
> Is there a reason why the policies that are defined as unique can't be updated
> through the pfkey interface?
>
> What I'm trying to do is this:
> 1. I create an SP entry and let the kernel assign a request id for the policy
> (reqid in the add is 0). This policy is a tunnel mode policy and I don't have
> the outer addresses set at this point. Only the inner addresses are set, so
> I'll get the SADB_ACQUIRE message with the inner addresses.
Not sure I understood what you are exactly doing, and *why* you want to do that...

> 2. When my keying daemon gets the acquire from the kernel, I run the key
> exchange and then I send an update to the SP with the previously obtained
> reqid and with the outer addresses, but it fails and the kernel prints out:
> "key_msg2sp: reqid=16384 range violation, updated by kernel."
> This message comes from sys/netkey/key.c:1488. It's obvious that this check
> is done when I'm adding a new SP entry, but when updating the SP, shouldn't
> it just check that the value given in the update matches the one assigned
> earlier?

Perhaps you should just force manual reqids < IPSEC_MANUAL_REQID_MAX when
creating your SP entries.

On one hand, you're right: when updating SP entries, it can make sense to just
ensure that the reqid is the same.

On the other hand, as you used some automatic values while creating the SP
entry (so, in fact, as you said, "I let the kernel do that stuff"), it can be
logical not to allow you to do "some non-common things" afterwards, even if you
want to update it...

Yvan.

--
NETASQ - Secure Internet Connectivity
http://www.netasq.com
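The following is an added user-space model of the reqid handling discussed in this thread; it is not code from the thread, nor FreeBSD kernel code, and it never opens a PF_KEY socket. It mirrors the reqid rule of key_msg2sp() (a reqid above IPSEC_MANUAL_REQID_MAX is logged as a range violation and replaced by a kernel-chosen one; 0 means "kernel, pick one"), puts Jan's flow (step 1 and step 2 above) next to Yvan's workaround (a manual reqid below IPSEC_MANUAL_REQID_MAX), and adds the "reqid must match the stored one" rule Jan proposes as a third variant. The value 0x3fff for IPSEC_MANUAL_REQID_MAX is the one from FreeBSD's netipsec/ipsec.h; the SP table layout, the function names, the counter stand-in for key_newreqid() and the sample tunnel endpoints are assumptions made for this example.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Mirrors IPSEC_MANUAL_REQID_MAX (0x3fff) from FreeBSD's netipsec/ipsec.h.
 * Everything above it is reserved for kernel-allocated reqids, which is why
 * 16384 (0x4000) in the quoted log line is "out of range" when user space
 * sends it back in. */
#define IPSEC_MANUAL_REQID_MAX 0x3fff

enum sp_status { SP_OK = 0, SP_ENOENT = 1, SP_EREQID_MISMATCH = 2 };

/* Minimal stand-in for a security policy entry (hypothetical layout). */
struct sp_entry {
    int in_use;
    uint16_t reqid;
    char outer_src[48];   /* tunnel endpoints; empty until the daemon knows them */
    char outer_dst[48];
};

#define SPD_SIZE 8
static struct sp_entry spd[SPD_SIZE];

/* Stand-in for key_newreqid(): a counter that lives above the manual range. */
static uint16_t auto_reqid = IPSEC_MANUAL_REQID_MAX + 1;

static uint16_t key_newreqid(void)
{
    uint16_t r = auto_reqid;
    auto_reqid = (auto_reqid == 0xffff) ? IPSEC_MANUAL_REQID_MAX + 1 : auto_reqid + 1;
    return r;
}

/* The reqid rule of key_msg2sp(): anything above IPSEC_MANUAL_REQID_MAX is
 * logged as a range violation and replaced, and 0 means "kernel, pick one".
 * Sets *reassigned when the caller's value was overridden. */
static uint16_t key_msg2sp_reqid(uint32_t requested, int *reassigned)
{
    *reassigned = 0;
    if (requested > IPSEC_MANUAL_REQID_MAX) {
        fprintf(stderr, "key_msg2sp: reqid=%u range violation, updated by kernel.\n",
                (unsigned)requested);
        requested = 0;
        *reassigned = 1;
    }
    return requested == 0 ? key_newreqid() : (uint16_t)requested;
}

/* SADB_X_SPDADD (step 1 of the thread). Returns the reqid the policy ends up with. */
static uint16_t spd_add(int idx, uint32_t reqid)
{
    int reassigned;
    struct sp_entry *sp = &spd[idx];
    memset(sp, 0, sizeof(*sp));
    sp->in_use = 1;
    sp->reqid = key_msg2sp_reqid(reqid, &reassigned);
    return sp->reqid;
}

static void sp_set_outer(struct sp_entry *sp, const char *src, const char *dst)
{
    snprintf(sp->outer_src, sizeof(sp->outer_src), "%s", src);
    snprintf(sp->outer_dst, sizeof(sp->outer_dst), "%s", dst);
}

/* SADB_X_SPDUPDATE as the kernel in the thread handles it (step 2): the update
 * goes through the same reqid check as an add, so a kernel-assigned reqid that
 * is echoed back is "out of range" and gets replaced. Returns the reqid after
 * the update so the caller can compare it with what it sent. */
static uint16_t spd_update_as_is(int idx, uint32_t reqid, const char *src, const char *dst)
{
    int reassigned;
    struct sp_entry *sp = &spd[idx];
    if (!sp->in_use) return 0;
    sp->reqid = key_msg2sp_reqid(reqid, &reassigned);
    sp_set_outer(sp, src, dst);
    return sp->reqid;
}

/* SADB_X_SPDUPDATE with the check Jan proposes instead: accept the update only
 * if the reqid equals the one already stored, whatever range it lies in. */
static enum sp_status spd_update_match(int idx, uint32_t reqid, const char *src, const char *dst)
{
    struct sp_entry *sp = &spd[idx];
    if (!sp->in_use) return SP_ENOENT;
    if (reqid != sp->reqid) return SP_EREQID_MISMATCH;
    sp_set_outer(sp, src, dst);
    return SP_OK;
}

static uint16_t spd_reqid(int idx) { return spd[idx].reqid; }

int main(void)
{
    /* Jan's flow: let the kernel pick, then echo the reqid back in the update.
     * Endpoints are constructed sample values from the TEST-NET ranges. */
    uint16_t got = spd_add(0, 0);
    uint16_t after = spd_update_as_is(0, got, "192.0.2.1", "198.51.100.1");
    printf("auto reqid %u, after update %u (%s)\n", got, after,
           got == after ? "kept" : "silently replaced");

    /* Yvan's workaround: a manual reqid below IPSEC_MANUAL_REQID_MAX survives. */
    uint16_t manual = spd_add(1, 100);
    after = spd_update_as_is(1, manual, "192.0.2.1", "198.51.100.1");
    printf("manual reqid %u, after update %u\n", manual, after);

    /* Jan's proposed rule: a kernel-assigned reqid is fine if it matches. */
    got = spd_add(2, 0);
    printf("match-check update: %d (0 = ok)\n",
           spd_update_match(2, got, "192.0.2.1", "198.51.100.1"));
    return 0;
}
```

The point the model makes concrete: a reqid the kernel allocated is by construction above IPSEC_MANUAL_REQID_MAX, so with the check applied to updates as well as adds there is no value the daemon can send back that keeps the policy bound to the SAs it negotiated; choosing the reqid yourself from the manual range, as Yvan suggests, sidesteps that entirely.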