Hi Andreas,

Thanx for the quick response, and for exposing me to the "ip xfrm" option. I like it a lot better than mixing ipsec-tools setkey with StrongSWAN.
As you suggested, I would rather not have to manually touch the SPD/SAD. But I'm having a problem: when pluto crashes, it leaves behind entries in the kernel that may break further negotiation after pluto is restarted. More details were posted in:

1. http://www.mail-archive.com/[email protected]/msg02447.html
2. https://lists.strongswan.org/pipermail/users/2011-May/006236.html

Is it a known issue? Any ideas how to fix/recover?

Thanx,
- Ido

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
Sent: Monday, May 30, 2011 1:00 PM
To: [email protected]
Subject: Dev Digest, Vol 16, Issue 5

Today's Topics:

1. kernel SPD/SAD tool (Goshen, Ido (Ido))
2. Re: kernel SPD/SAD tool (Andreas Steffen)

----------------------------------------------------------------------

Message: 1
Date: Mon, 30 May 2011 10:07:43 +0200
From: "Goshen, Ido (Ido)" <[email protected]>
Subject: [strongSwan-dev] kernel SPD/SAD tool
To: <[email protected]>
Message-ID: <edc652a26fb23c4eb6384a4584434a04032bc...@307622anex5.global.avaya.com>

Hi,

Does StrongSWAN supply a shell tool like "setkey" from ipsec-tools to monitor and/or manipulate the kernel's SPD/SAD or it's all done programmatically via hydra (netlink plugin in my case)?

Thanx,
- Ido

------------------------------

Message: 2
Date: Mon, 30 May 2011 11:50:21 +0200
From: Andreas Steffen <[email protected]>
Subject: Re: [strongSwan-dev] kernel SPD/SAD tool
To: "Goshen, Ido (Ido)" <[email protected]>
Cc: [email protected]
Message-ID: <[email protected]>

Hi Ido,

strongSwan manages the kernel SPD/SAD via the XFRM Netlink kernel interface. The built-in "ipsec statusall" command can be used to monitor the established IPsec SAs but if you want to see all the details you can also use "setkey" or "ip xfrm state|policy".

If you manipulate SPD/SAD entries via "setkey" or "ip xfrm" then you are on your own since strongSwan will not be aware of any such changes.

Regards

Andreas

On 05/30/2011 10:07 AM, Goshen, Ido (Ido) wrote:
> Hi,
>
> Does StrongSWAN supply a shell tool like "setkey" from ipsec-tools to
> monitor and/or manipulate the kernel's SPD/SAD or it's all done
> programmatically via hydra (netlink plugin in my case)?
>
> Thanx,
>
> -Ido
>

======================================================================
Andreas Steffen [email protected]
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

------------------------------

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev

End of Dev Digest, Vol 16, Issue 5
**********************************
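
An added example, not part of the original thread and not strongSwan code: a read-only shell helper that condenses the output of "ip xfrm state" (the command mentioned in the reply above) to one line per SA and leaves out the key lines, so kernel entries can be listed and logged without exposing key material. The function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only summary of `ip xfrm state` output, one line per SA.
# Key lines (auth*, enc, aead) are never copied, so the result is safe to log.
# xfrm_sa_summary and sample_dump are names made up for this example.

xfrm_sa_summary() {
    awk '
        # Each SA block opens with an unindented "src A dst B" line.
        /^src / && $3 == "dst" {
            if (have) print line
            line = $2 " -> " $4
            have = 1
            next
        }
        # The indented "proto ..." line is a list of key/value pairs.
        have && $1 == "proto" {
            for (i = 1; i < NF; i += 2)
                if ($i ~ /^(proto|spi|reqid|mode)$/)
                    line = line " " $i "=" $(i + 1)
        }
        END { if (have) print line }
    '
}

# Constructed sample in the shape `ip xfrm state` prints (addresses from the
# documentation range, keys are dummy byte sequences).
sample_dump() {
    cat <<'EOF'
src 192.0.2.10 dst 192.0.2.20
    proto esp spi 0xc1a2b3c4 reqid 16384 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x000102030405060708090a0b0c0d0e0f10111213 96
    enc cbc(aes) 0x000102030405060708090a0b0c0d0e0f
src 192.0.2.20 dst 192.0.2.10
    proto esp spi 0x0d4e5f60 reqid 16384 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x131211100f0e0d0c0b0a09080706050403020100 96
    enc cbc(aes) 0x0f0e0d0c0b0a09080706050403020100
EOF
}

# Live use (as root): ip xfrm state | xfrm_sa_summary
sample_dump | xfrm_sa_summary
```

Run while the IKE daemon is stopped, and assuming nothing else installs SAs on the host, every line it prints is an SA still present in the kernel.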
