From: gnn@freebsd.org
To: blue
Cc: freebsd-net@freebsd.org
Subject: Re: SADB_X_SPDFLUSH message handling for latest version of IPsec
Date: Fri, 27 Jul 2007 15:35:15 +0900
In-Reply-To: <46A81171.1040107@zyxel.com.tw>
References: <46A81171.1040107@zyxel.com.tw>
List-Id: Networking and TCP/IP with FreeBSD

At Thu, 26 Jul 2007 11:13:53 +0800,
blue wrote:
>
> Hi, all:
>
> Recently I found the behavior of the command "setkey -FP" is quite
> different in the latest version of IPsec (known as FAST_IPSEC before).
> Before, the command would erase all the existing SP entries; currently the
> command does not.
> After digging through the code, I found the state of the SP
> entries is set to IPSEC_SPSTATE_DEAD, but the entries are not
> unlinked from the SPD. Why does it need to keep the entry in the SPD? Is there any
> special purpose? Without the removal, it's hard to tell whether the SP
> entry still takes effect since "setkey -PD" will not show its status. On
> the other hand, SA is as usual: once "setkey -F" is typed in, the
> SA entries are erased right away.

Can you give an example of this?  On my test systems this works for me:

dut2 ? cat /etc/ipsec.conf
spdadd 10.0.0.1/32 10.0.0.2/32 any -P out ipsec esp/tunnel/10.0.0.1-10.0.0.2/require;
spdadd 10.0.0.2/32 10.0.0.1/32 any -P in ipsec esp/tunnel/10.0.0.2-10.0.0.1/require;
add 10.0.0.1 10.0.0.2 esp 0x1000 -E des-cbc 0x3ffe05014819ffff;

dut2 ? setkey -f !$
setkey -f /etc/ipsec.conf

dut2 ? setkey -DP
10.0.0.2[any] 10.0.0.1[any] any
	in ipsec
	esp/tunnel/10.0.0.2-10.0.0.1/require
	spid=13 seq=1 pid=72816
	refcnt=1
10.0.0.1[any] 10.0.0.2[any] any
	out ipsec
	esp/tunnel/10.0.0.1-10.0.0.2/require
	spid=12 seq=0 pid=72816
	refcnt=1

dut2 ? setkey -D
10.0.0.1 10.0.0.2
	esp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
	E: des-cbc  3ffe0501 4819ffff
	seq=0x00000000 replay=0 flags=0x00000040 state=mature
	created: Jul 22 23:10:07 2007	current: Jul 22 23:10:12 2007
	diff: 5(s)	hard: 0(s)	soft: 0(s)
	last:	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=0 pid=72817 refcnt=1

dut2 ? setkey -FP

dut2 ? setkey -DP
No SPD entries.

dut2 ?

Best,
George
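As an added example (not from the thread, and not code from the FreeBSD setkey sources), a small parser for the `setkey -DP` listing format pasted above, so the before/after check George does by eye can be scripted: it reads a listing into one record per policy and reports any spid that is still listed after a `setkey -FP`. The two sample listings are constructed from the output quoted in the thread.

```python
import re

# Constructed sample: the `setkey -DP` listing shown in the thread, before the flush.
SPD_BEFORE = """\
10.0.0.2[any] 10.0.0.1[any] any
\tin ipsec
\tesp/tunnel/10.0.0.2-10.0.0.1/require
\tspid=13 seq=1 pid=72816
\trefcnt=1
10.0.0.1[any] 10.0.0.2[any] any
\tout ipsec
\tesp/tunnel/10.0.0.1-10.0.0.2/require
\tspid=12 seq=0 pid=72816
\trefcnt=1
"""
SPD_AFTER = "No SPD entries.\n"  # constructed: what setkey prints once the SPD is empty

SELECTOR = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")        # src dst upperspec
KEYVAL = re.compile(r"^(spid|seq|pid|refcnt)=(\d+)$")

def parse_spd(text):
    """Turn `setkey -DP` output into a list of dicts, one per policy entry."""
    entries, cur = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("No SPD entries"):
            continue
        if not line[0].isspace():  # an unindented line is the selector of a new entry
            m = SELECTOR.match(line)
            if m is None:
                raise ValueError("unexpected selector line: %r" % line)
            cur = {"src": m.group(1), "dst": m.group(2), "upperspec": m.group(3)}
            entries.append(cur)
            continue
        fields = line.split()
        if fields[0] in ("in", "out", "fwd"):
            cur["direction"], cur["policy"] = fields[0], fields[1]
        elif "/" in fields[0]:
            cur["request"] = fields[0]   # e.g. esp/tunnel/10.0.0.1-10.0.0.2/require
        else:
            for f in fields:             # spid=13 seq=1 pid=72816 / refcnt=1
                m = KEYVAL.match(f)
                if m:
                    cur[m.group(1)] = int(m.group(2))
    return entries

def surviving_spids(before, after):
    """spids listed before a flush that are still listed afterwards (expected: none)."""
    seen = {e["spid"] for e in parse_spd(before)}
    return sorted(seen & {e["spid"] for e in parse_spd(after)})
```

Feed it the two listings captured around the flush; a non-empty result is exactly the symptom blue describes, whereas an empty one matches George's run.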