Unique IPsec security policies
Jan Mikael Melen
jan at melen.org
Tue Oct 18 00:50:57 PDT 2005
Hi,
Is there a reason why the policies that are defined as unique can't be updated
through the pfkey interface?
What I'm trying to do is that:
1. I create SP entry and let the kernel assign a request id for policy (reqid
in the add is 0). This policy is a tunnel mode policy and I don't have the
outer addresses set at this point. Only the inner addresses are set so I'll
get the SADB_AQUIRE message with the inner addresses.
2. When my keying daemon get's the acquire from the kernel I run the key
exchange and then I send update to the SP with previously gotten reqid and
with outer addresses but it fails and kernel prints out:
"key_msg2sp: reqid=16384 range violation, updated by kernel."
This message comes from the sys/netkey/key.c:1488. It's obvious when I'm
adding a new SP entry that this check is done but when updating the SP
shouldn't it just check that the value given in update matches the one
assigned earlier?
Cheers,
Jan
More information about the freebsd-hackers
mailing list