Unique IPsec security policies

Jan Mikael Melen jan at melen.org
Tue Oct 18 00:50:57 PDT 2005


Is there a reason why the policies that are defined as unique can't be updated 
through the pfkey interface?

What I'm trying to do is that:
1. I create an SP entry and let the kernel assign a request id for the policy (reqid 
in the add is 0). This policy is a tunnel mode policy and I don't have the 
outer addresses set at this point. Only the inner addresses are set, so I'll 
get the SADB_ACQUIRE message with the inner addresses. 

2. When my keying daemon gets the acquire from the kernel I run the key 
exchange and then I send an update to the SP with the previously obtained reqid and 
with the outer addresses, but it fails and the kernel prints out:
"key_msg2sp: reqid=16384 range violation, updated by kernel." 
This message comes from sys/netkey/key.c:1488. It's obvious that this check is 
done when I'm adding a new SP entry, but when updating the SP 
shouldn't it just check that the value given in the update matches the one 
assigned earlier?



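An added example, written for this page and not taken from the post, the thread or the NetBSD sources: a user-space model of the reqid rule in KAME-derived key_msg2sp(), replaying the two steps above. The struct layouts, IPSEC_MANUAL_REQID_MAX (0x3fff) and the log string are reproduced from memory of net/pfkeyv2.h, netinet6/ipsec.h and key.c and should be checked against sys/netkey in the tree in question; key_newreqid() is simplified to a counter that starts just above the manual range, and the policy extension is constructed in a buffer rather than sent over a PF_KEY socket. The point it shows is why 16384 trips the check: it is the first value past IPSEC_MANUAL_REQID_MAX, i.e. a kernel-assigned reqid, so a userland message carrying it is treated as a range violation, reset to 0 and given a fresh reqid, which is why the update does not keep the value from the add.

```c
/* Added example (not from the post or the NetBSD sources): a user-space model of
 * the reqid handling in KAME-derived key_msg2sp().  Struct layouts and constants
 * are written from memory of net/pfkeyv2.h and netinet6/ipsec.h (assumption:
 * check them against sys/netkey); key_newreqid() is simplified to a counter. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

#define SADB_X_EXT_POLICY      18
#define IPSEC_POLICY_IPSEC      2
#define IPSEC_DIR_OUTBOUND      2
#define IPSEC_LEVEL_REQUIRE     2
#define IPSEC_LEVEL_UNIQUE      3
#define IPSEC_MODE_TUNNEL       2
#define IPSEC_MANUAL_REQID_MAX  0x3fff   /* userland-chosen reqids end here */
#define ALIGN8(x)               (((x) + 7) & ~(size_t)7)

struct sadb_x_policy {               /* extension header */
    uint16_t sadb_x_policy_len;      /* whole extension, in 8-byte units */
    uint16_t sadb_x_policy_exttype, sadb_x_policy_type;
    uint8_t  sadb_x_policy_dir, sadb_x_policy_reserved;
    uint32_t sadb_x_policy_id, sadb_x_policy_reserved2;
};
struct sadb_x_ipsecrequest {         /* one per SA in the bundle */
    uint16_t sadb_x_ipsecrequest_len;    /* bytes, incl. trailing sockaddrs */
    uint16_t sadb_x_ipsecrequest_proto;
    uint8_t  sadb_x_ipsecrequest_mode, sadb_x_ipsecrequest_level;
    uint16_t sadb_x_ipsecrequest_reqid;
};

/* Stand-in for key_newreqid(): values above the manual range, 16384 first. */
static uint32_t auto_reqid = IPSEC_MANUAL_REQID_MAX + 1;
void reset_reqid_counter(void) { auto_reqid = IPSEC_MANUAL_REQID_MAX + 1; }
static uint32_t key_newreqid_model(void) {
    uint32_t r = auto_reqid;
    auto_reqid = (auto_reqid == 0xffff) ? IPSEC_MANUAL_REQID_MAX + 1 : auto_reqid + 1;
    return r;
}

/* The rule from key_msg2sp(): only unique-level requests carry a reqid; one
 * above IPSEC_MANUAL_REQID_MAX is a "range violation" that is logged and
 * replaced, and 0 asks the kernel to allocate.  Returns the effective reqid. */
uint32_t kame_reqid_for_request(uint8_t level, uint16_t reqid) {
    if (level != IPSEC_LEVEL_UNIQUE) return 0;
    if (reqid > IPSEC_MANUAL_REQID_MAX) {
        fprintf(stderr, "key_msg2sp: reqid=%u range violation, updated by kernel.\n",
                (unsigned)reqid);
        reqid = 0;
    }
    return reqid == 0 ? key_newreqid_model() : reqid;
}

/* Build a SADB_X_POLICY extension with one unique-level tunnel-mode ESP request
 * whose outer endpoints are src/dst.  Returns bytes written, 0 if cap is short. */
size_t build_policy_ext(uint8_t *buf, size_t cap, uint16_t reqid,
                        const char *src, const char *dst) {
    struct sockaddr_in sa = { .sin_family = AF_INET };
    struct sadb_x_ipsecrequest req = {
        .sadb_x_ipsecrequest_len = (uint16_t)ALIGN8(sizeof(struct sadb_x_ipsecrequest) + 2 * sizeof sa),
        .sadb_x_ipsecrequest_proto = IPPROTO_ESP,
        .sadb_x_ipsecrequest_mode = IPSEC_MODE_TUNNEL,
        .sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE,
        .sadb_x_ipsecrequest_reqid = reqid };
    size_t total = sizeof(struct sadb_x_policy) + req.sadb_x_ipsecrequest_len;
    struct sadb_x_policy pol = {
        .sadb_x_policy_len = (uint16_t)(total / 8),
        .sadb_x_policy_exttype = SADB_X_EXT_POLICY,
        .sadb_x_policy_type = IPSEC_POLICY_IPSEC,
        .sadb_x_policy_dir = IPSEC_DIR_OUTBOUND };
    uint8_t *p = buf;
    if (cap < total) return 0;
    memset(buf, 0, total);
    memcpy(p, &pol, sizeof pol); p += sizeof pol;
    memcpy(p, &req, sizeof req); p += sizeof req;
    inet_pton(AF_INET, src, &sa.sin_addr); memcpy(p, &sa, sizeof sa); p += sizeof sa;
    inet_pton(AF_INET, dst, &sa.sin_addr); memcpy(p, &sa, sizeof sa);
    return total;
}

/* Walk the extension the way the kernel does and return the effective reqid of
 * its unique-level request, 0 if there is none, -1 if it is malformed. */
long policy_effective_reqid(const uint8_t *buf, size_t len) {
    struct sadb_x_policy pol;
    size_t off = sizeof pol;
    if (len < sizeof pol) return -1;
    memcpy(&pol, buf, sizeof pol);
    if (pol.sadb_x_policy_exttype != SADB_X_EXT_POLICY ||
        (size_t)pol.sadb_x_policy_len * 8 > len) return -1;
    len = (size_t)pol.sadb_x_policy_len * 8;
    while (off + sizeof(struct sadb_x_ipsecrequest) <= len) {
        struct sadb_x_ipsecrequest req;
        memcpy(&req, buf + off, sizeof req);
        if (req.sadb_x_ipsecrequest_len < sizeof req ||
            off + req.sadb_x_ipsecrequest_len > len) return -1;
        if (req.sadb_x_ipsecrequest_level == IPSEC_LEVEL_UNIQUE)
            return (long)kame_reqid_for_request(IPSEC_LEVEL_UNIQUE,
                                                req.sadb_x_ipsecrequest_reqid);
        off += req.sadb_x_ipsecrequest_len;
    }
    return 0;
}

/* The sequence from the post: add with reqid 0 (outer addresses unknown yet),
 * then update carrying the reqid the kernel handed back.  Stores the first
 * reqid in *first and returns the one the update ends up with. */
long replay_post_sequence(long *first) {
    uint8_t buf[64];
    size_t n;
    reset_reqid_counter();
    n = build_policy_ext(buf, sizeof buf, 0, "0.0.0.0", "0.0.0.0");
    *first = policy_effective_reqid(buf, n);                              /* 16384 */
    n = build_policy_ext(buf, sizeof buf, (uint16_t)*first, "192.0.2.1", "198.51.100.1");
    return policy_effective_reqid(buf, n);                   /* 16385: replaced again */
}

int main(void) {
    long first, second = replay_post_sequence(&first);
    printf("SPDADD    reqid 0     -> kernel assigned %ld\n", first);
    printf("SPDUPDATE reqid %ld -> kernel assigned %ld\n", first, second);
    return 0;
}
```

Run as is and the update comes back with a different reqid than the add, which is the behaviour the post describes; passing a value in the manual range (1..0x3fff) instead is accepted unchanged, which is the only way to make a unique-level reqid survive a second SPD message under this rule.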