Date:      Fri, 27 Jul 2007 15:35:15 +0900
From:      gnn@freebsd.org
To:        blue <susan.lan@zyxel.com.tw>
Cc:        freebsd-net@freebsd.org
Subject:   Re: SADB_X_SPDFLUSH message handling for latest version of IPsec
Message-ID:  <m2y7h21hi4.wl%gnn@neville-neil.com>
In-Reply-To: <46A81171.1040107@zyxel.com.tw>
References:  <46A81171.1040107@zyxel.com.tw>

At Thu, 26 Jul 2007 11:13:53 +0800,
blue wrote:
> 
> Hi, all:
> 
> Recently I found the behavior of the command "setkey -FP" is quite 
> different in the latest version of IPsec (known as FAST_IPSEC before). 
> Before, the command would erase all the existing SP entries; currently the 
> command does not. After digging into the code, I found the state of the SP 
> entries will be set to IPSEC_SPSTATE_DEAD, but the entries will not be 
> unlinked from the SPD. Why does it need to keep the entry in the SPD? Is there any 
> special purpose? Without the removal, it's hard to tell whether the SP 
> entry still takes effect since "setkey -PD" will not show its status. On 
> the other hand, the SA is as usual: once "setkey -F" is typed in, the 
> SA entries will be erased right away.

Can you give an example of this?  On my test systems this works for
me:

dut2 ? cat /etc/ipsec.conf 
spdadd 10.0.0.1/32 10.0.0.2/32 any -P out ipsec esp/tunnel/10.0.0.1-10.0.0.2/require;
spdadd 10.0.0.2/32 10.0.0.1/32 any -P in ipsec esp/tunnel/10.0.0.2-10.0.0.1/require;
add 10.0.0.1 10.0.0.2 esp 0x1000 -E des-cbc 0x3ffe05014819ffff;
dut2 ? setkey -f !$
setkey -f /etc/ipsec.conf
dut2 ? setkey -DP
10.0.0.2[any] 10.0.0.1[any] any
        in ipsec
        esp/tunnel/10.0.0.2-10.0.0.1/require
        spid=13 seq=1 pid=72816
        refcnt=1
10.0.0.1[any] 10.0.0.2[any] any
        out ipsec
        esp/tunnel/10.0.0.1-10.0.0.2/require
        spid=12 seq=0 pid=72816
        refcnt=1
dut2 ? setkey -D
10.0.0.1 10.0.0.2 
        esp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
        E: des-cbc  3ffe0501 4819ffff
        seq=0x00000000 replay=0 flags=0x00000040 state=mature 
        created: Jul 22 23:10:07 2007   current: Jul 22 23:10:12 2007
        diff: 5(s)      hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=72817 refcnt=1
dut2 ? setkey -FP
dut2 ? setkey -DP
No SPD entries.
dut2 ? 

Best,
George
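As an added check (not part of this thread or of the setkey tool), the script below parses the `setkey -DP` listing format shown in George's session and compares the policies listed before and after `setkey -FP`, so that a flush that leaves entries behind is caught rather than assumed; the sample listing is constructed from the session above, and `parse_spd`, `spd_is_flushed` and `stale_policies` are names chosen here.

```python
import re

# Constructed sample: the `setkey -DP` listing quoted above in this thread,
# captured before `setkey -FP` was run.
SAMPLE_SPD = """\
10.0.0.2[any] 10.0.0.1[any] any
        in ipsec
        esp/tunnel/10.0.0.2-10.0.0.1/require
        spid=13 seq=1 pid=72816
        refcnt=1
10.0.0.1[any] 10.0.0.2[any] any
        out ipsec
        esp/tunnel/10.0.0.1-10.0.0.2/require
        spid=12 seq=0 pid=72816
        refcnt=1
"""

KV_RE = re.compile(r"(\w+)=(\d+)")

def parse_spd(text):
    """Parse `setkey -DP` output into a list of policy dicts. An unindented
    "src dst proto" selector line opens a policy; indented lines follow."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "No SPD entries.":
            continue
        if not raw[0].isspace():            # selector line: new policy
            src, dst, proto = line.split()
            cur = {"src": src, "dst": dst, "proto": proto, "rules": []}
            policies.append(cur)
        elif cur is None:
            raise ValueError("indented line before any selector: %r" % raw)
        elif "=" in line:                   # spid=13 seq=1 pid=72816 / refcnt=1
            cur.update({k: int(v) for k, v in KV_RE.findall(line)})
        elif "/" in line:                   # esp/tunnel/10.0.0.1-10.0.0.2/require
            cur["rules"].append(line)
        else:                               # "in ipsec", "out discard", ...
            cur["dir"], cur["action"] = line.split(None, 1)
    return policies

def spd_is_flushed(text):
    """True when `setkey -DP` output lists no policies, i.e. -FP took effect."""
    return not parse_spd(text)

def stale_policies(before, after):
    """spids still listed after a flush; non-empty means -FP left them behind."""
    kept = {p["spid"] for p in parse_spd(after)}
    return sorted(p["spid"] for p in parse_spd(before) if p["spid"] in kept)
```

On a live system, capture `setkey -DP` output into `before`, run `setkey -FP`, capture again into `after`, and treat a non-empty `stale_policies(before, after)` as a failed flush.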
