Thanks for your answer! I see there is no easy way here to correct the problem. I guess we could live with that.
Regards,
Emeric

----- Original Message -----
From: "Tobias Brunner" <[email protected]>
To: "Emeric POUPON" <[email protected]>, [email protected]
Sent: Wednesday 26 November 2014 19:06:59
Subject: Re: [strongSwan-dev] pfkey interface: mode is not filled in sadb_getspi

Hi Emeric,

> Why is the mode not set here?

With IKEv2 the resulting mode is not necessarily known to the initiator. For instance, an initiator might propose transport mode; the responder is then free to decline that. If it does, tunnel mode will be used automatically (unless the initiator is not happy with it and deletes the SA).

> Hopefully in FreeBSD the mode (part of the index of an SA) is ignored when
> searching the previously created SA by sadb_getspi.

No, that's exactly part of the problem. The mode is compared (unless the existing SA has it set to any). And it can't be changed with an SADB_UPDATE message, which is why the output of setkey still shows mode=any, even though the SADB_UPDATE message actually has the mode set.

So to end up with an SA with the proper mode we'd have to delete the allocated SPI/SA and then install it like the outbound SA with SADB_ADD. I suppose we could do that, but since the FreeBSD kernel doesn't care what mode an SA has set when handling inbound traffic (it is decapsulated automatically if the next header field in the ESP packet is set to IPIP/IPV6), we use the regular GETSPI/UPDATE scheme, which by the way results in the correct mode being set on Linux when PF_KEY is used there.

Regards,
Tobias

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
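To make the exchange above concrete, here is an added example (not strongSwan's code, and not posted by either participant) that lays out the SADB_GETSPI and SADB_UPDATE messages in memory and shows where the mode travels: in the sadb_x_sa2_mode field of the SA2 extension. It uses the Linux PF_KEY headers; FreeBSD carries the mode in the same extension. The SPI range and reqid are constructed sample values, and the address extensions a real message also needs are left out.

```c
/* Added illustration: build the GETSPI/UPDATE header + SA2 extension in memory.
 * Nothing is sent to a PF_KEY socket; the message layout is the point. */
#include <stdint.h>
#include <string.h>
#include <linux/pfkeyv2.h>
#include <linux/ipsec.h>   /* IPSEC_MODE_ANY, IPSEC_MODE_TRANSPORT, IPSEC_MODE_TUNNEL */

#define PFKEY_UNIT64(bytes) ((uint16_t)((bytes) >> 3))

struct sa2_msg {
    struct sadb_msg      msg;    /* common PF_KEY header */
    struct sadb_x_sa2    sa2;    /* extension carrying mode and reqid */
    struct sadb_spirange range;  /* filled in for GETSPI only */
};

/* Build an SADB_GETSPI or SADB_UPDATE header followed by the SA2 extension.
 * Returns the message length in bytes; sadb_msg_len holds it in 64-bit units. */
static size_t build_sa2_msg(struct sa2_msg *m, uint8_t type, uint8_t mode,
                            uint32_t reqid)
{
    size_t len = sizeof(m->msg) + sizeof(m->sa2);
    if (type == SADB_GETSPI)
        len += sizeof(m->range);
    memset(m, 0, sizeof(*m));

    m->msg.sadb_msg_version = PF_KEY_V2;
    m->msg.sadb_msg_type    = type;
    m->msg.sadb_msg_satype  = SADB_SATYPE_ESP;
    m->msg.sadb_msg_len     = PFKEY_UNIT64(len);
    m->msg.sadb_msg_seq     = 1;

    m->sa2.sadb_x_sa2_len     = PFKEY_UNIT64(sizeof(m->sa2));
    m->sa2.sadb_x_sa2_exttype = SADB_X_EXT_SA2;
    m->sa2.sadb_x_sa2_mode    = mode;   /* ANY at GETSPI time, the negotiated mode at UPDATE */
    m->sa2.sadb_x_sa2_reqid   = reqid;  /* constructed sample value */

    if (type == SADB_GETSPI) {
        m->range.sadb_spirange_len     = PFKEY_UNIT64(sizeof(m->range));
        m->range.sadb_spirange_exttype = SADB_EXT_SPIRANGE;
        m->range.sadb_spirange_min     = 0x100;        /* constructed sample range */
        m->range.sadb_spirange_max     = 0xffffffffu;
    }
    return len;
}
```

On FreeBSD the mode set in the UPDATE message does not replace the ANY recorded at GETSPI time, which is why setkey keeps showing mode=any; the delete-and-SADB_ADD path mentioned in the reply is the only way to end up with a stored mode other than ANY.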
