Date:      Tue, 18 Oct 2005 10:50:24 +0300
From:      Jan Mikael Melen <jan@melen.org>
To:        freebsd-hackers@freebsd.org, freebsd-net@freebsd.org
Subject:   Unique IPsec security policies
Message-ID:  <200510181050.27530.jan@melen.org>

Hi,

Is there a reason why the policies that are defined as unique can't be updated 
through the pfkey interface?

What I'm trying to do is this:
1. I create an SP entry and let the kernel assign a request id for the policy (reqid
in the add is 0). This policy is a tunnel mode policy and I don't have the
outer addresses set at this point. Only the inner addresses are set, so I'll
get the SADB_ACQUIRE message with the inner addresses.

2. When my keying daemon gets the acquire from the kernel I run the key
exchange and then I send an update to the SP with the previously obtained reqid and
with the outer addresses, but it fails and the kernel prints out:
"key_msg2sp: reqid=16384 range violation, updated by kernel."
This message comes from sys/netkey/key.c:1488. It's obvious that this check is done when I'm
adding a new SP entry, but when updating the SP
shouldn't it just check that the value given in the update matches the one
assigned earlier?

  Cheers,
	Jan
