Re: [ipsec-next,0/7] : Support multiple VTIs with the same src+dst pair

Hi Lorenzo, I agree vti is very limiting! I am glad to hear about xfrmi. I saw two tunnels between gateways send traffic using VTI. So I am curious what is different in your case. Or are you dealing with something else? Here are a couple of outputs from libreswan testing this is the verbose

[PATCH] xfrm: fix xfrm_do_migrate() with AEAD e.g(AES-GCM)

copy geniv when cloning the xfrm state. x->geniv was not copied to the new state and migration would fail. xfrm_do_migrate .. xfrm_state_clone() .. .. esp_init_aead() crypto_alloc_aead() crypto_alloc_tfm() crypto_find_alg() return EAGAIN and failed Signed-off-by: Ant

[PATCH v2 1/2] xfrm: extend MIGRATE with UDP encapsulation port

UPDATE_SA message to migrate the IPsec SA. The change could be a change UDP encapsulation port, IP address, or both. Reported-by: Paul Wouters <pwout...@redhat.com> Signed-off-by: Antony Antony <ant...@phenome.org> Reviewed-by: Richard Guy Briggs <r...@tricolour.ca> --- include/n

[PATCH v2 2/2] xfrm: add UDP encapsulation port in migrate message

Add XFRMA_ENCAP, UDP encapsulation port, to km_migrate announcement to userland. Only add if XFRMA_ENCAP was in user migrate request. Signed-off-by: Antony Antony <ant...@phenome.org> Reviewed-by: Richard Guy Briggs <r...@tricolour.ca> --- Changes in v2: - fixed pfkey_

[PATCH 2/2] xfrm: add UDP encapsulation port in migrate message

Add XFRMA_ENCAP, UDP encapsulation port, to km_migrate announcement to userland. Only add if XFRMA_ENCAP was in user migrate request. Signed-off-by: Antony Antony <ant...@phenome.org> --- include/net/xfrm.h | 5 +++-- net/key/af_key.c | 3 ++- net/xfrm/xfrm_policy.c | 2 +- ne

[PATCH 0/2] add udp encapsulation port to xfrm_do_migrate

address, port, or both could change. With this patch xfrm_do_migrate will also support port change if necessary. Antony Antony (2): xfrm: extend MIGRATE with UDP encapsulation port xfrm: add UDP encapsulation port in migrate message include/net/xfrm.h | 11 +++ net/key/af_key.c

[PATCH 1/2] xfrm: extend MIGRATE with UDP encapsulation port

UPDATE_SA message to migrate the IPsec SA. The change could be a change UDP encapsulation port, IP address, or both. Reported-by: Paul Wouters <pwout...@redhat.com> Signed-off-by: Antony Antony <ant...@phenome.org> --- include/net/xfrm.h | 6 -- net/key/af_key.c | 2

[PATCH v2] xfrm: fix state migration copy replay sequence numbers

i=0xca1c282d,seq=0x1), length 136 IP 10.0.0.53.4500 > 10.0.10.46.4500: UDP-encap: ESP(spi=0x43ef462d,seq=0x7d2), length 136 IP 10.0.10.46.4500 > 10.0.0.53.4500: UDP-encap: ESP(spi=0xca1c282d,seq=0x2), length 136 Signed-off-by: Antony Antony <ant...@phenome.org> --- Changes in v2: -

[PATCH] xfrm: fix state migration replay sequence numbers

i=0xca1c282d,seq=0x1), length 136 IP 10.0.0.53.4500 > 10.0.10.46.4500: UDP-encap: ESP(spi=0x43ef462d,seq=0x7d2), length 136 IP 10.0.10.46.4500 > 10.0.0.53.4500: UDP-encap: ESP(spi=0xca1c282d,seq=0x2), length 136 The attached patch fix it by copying replay and preplay. regards, -antony