On Fri, 20 May 2016, hongbowang(王洪波) wrote:
Subject: [Swan-dev] Dear libreswan, I NEED YOUR HELP!
note: it is better to be more descriptive in the subject because this subject: line looks like "spam".
Dear libreswan: I want to remove the KLIPS from kernel to user state. Here are some questions. Thank you!
I do not understand the question. Do you want to run ESP code in userland instead of in the kernel? Or do you just want the crypto keys and state from the kernel as read-only in userland? KLIPS allows you to see a lot of kernel state via /proc/net/ipsec/. Some tools show the KLIPS state too, such as: ipsec eroute
1. why the sa is four?
there is the IPIP layer and the ESP layer. Both inbound and outbound.
2. Which two SAs are the IPsec SAs (not IKE SAs) among these four SAs, and what are the other two SAs used for?
None of those are IKE SAs, because IKE SAs exist only inside the pluto daemon.
3. This code is in the function "setup_half_ipsec_sa". What is this key used for? Are this enckey and authkey the last encap key? If not, how is the last key produced using this key? Why do two SAs have this key with a value, but the other two SAs are NULL in the previous picture?
The enckey is the IPsec encryption key and the IPsec authkey is the integrity (hash) key. You can specify the enc key with tcpdump to let tcpdump decrypt the ESP traffic. In normal operation, these keys, which were negotiated via IKE, are sent into the kernel (using the PFKEY API when using KLIPS, or using netlink when using the XFRM/NETKEY stack) so the kernel can encrypt/decrypt the ESP packets.

Paul
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
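The following is an added example, not code from the thread or from libreswan, illustrating what the authkey discussed above does on the wire: it builds an ESP packet with NULL encryption (RFC 2410, so the trailer stays readable) and HMAC-SHA1-96 integrity (RFC 2404), then parses it back and verifies the ICV with the same authkey, exactly the check the kernel performs on an inbound SA before it hands the inner packet to the IPIP layer. The SPI, sequence number, 20-byte key and payload are constructed values; the use of ESP_NULL instead of a real enckey is a simplification chosen so the example runs with the Python standard library only.

```python
"""Added example (not libreswan code): ESP with NULL encryption and
HMAC-SHA1-96 integrity, to show what the IPsec 'authkey' is used for.
All SPIs, keys and payloads below are constructed test values."""
import hmac
import hashlib
import struct

ICV_LEN = 12        # HMAC-SHA1-96: the 20-byte HMAC-SHA1 truncated to 96 bits
IPPROTO_IPIP = 4    # Next Header in tunnel mode: the inner IPv4 packet
ESP_HDR_LEN = 8     # SPI (4) + Sequence Number (4)


def esp_build(spi, seq, payload, authkey, next_header=IPPROTO_IPIP, blocksize=4):
    """Return an ESP packet: SPI | Seq | payload | padding | padlen | NH | ICV.

    Encryption is NULL, so payload and trailer are sent in the clear; the
    ICV is computed with authkey over everything that precedes it (RFC 4303).
    """
    # Pad so that payload + padlen byte + next-header byte fills whole blocks.
    padlen = (-(len(payload) + 2)) % blocksize
    padding = bytes(range(1, padlen + 1))   # RFC 4303 default self-describing pad
    header = struct.pack("!II", spi, seq)
    body = header + payload + padding + bytes([padlen, next_header])
    icv = hmac.new(authkey, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def esp_parse(packet, authkey):
    """Verify the ICV with authkey, then return (spi, seq, next_header, payload).

    Raises ValueError on a truncated packet or a bad ICV; a receiver must drop
    such packets before looking at the payload, which is why an attacker who
    lacks the authkey cannot inject or modify ESP traffic on this SA.
    """
    if len(packet) < ESP_HDR_LEN + 2 + ICV_LEN:
        raise ValueError("truncated ESP packet")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(authkey, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):       # constant-time compare
        raise ValueError("ESP ICV mismatch")
    spi, seq = struct.unpack("!II", body[:ESP_HDR_LEN])
    padlen, next_header = body[-2], body[-1]
    if padlen > len(body) - ESP_HDR_LEN - 2:
        raise ValueError("bad ESP pad length")
    payload = body[ESP_HDR_LEN:len(body) - 2 - padlen]
    return spi, seq, next_header, payload


def demo():
    """Round-trip a packet, then show that a flipped byte or wrong key is rejected."""
    authkey = bytes.fromhex("000102030405060708090a0b0c0d0e0f10111213")  # constructed
    pkt = esp_build(0x1000, 1, b"hello", authkey)
    ok = esp_parse(pkt, authkey) == (0x1000, 1, IPPROTO_IPIP, b"hello")
    tampered = bytearray(pkt)
    tampered[ESP_HDR_LEN] ^= 0x01                    # flip one payload bit
    try:
        esp_parse(bytes(tampered), authkey)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    try:
        esp_parse(pkt, b"\x00" * 20)                 # wrong authkey
        wrongkey_rejected = False
    except ValueError:
        wrongkey_rejected = True
    return ok and tamper_rejected and wrongkey_rejected


if __name__ == "__main__":
    print("ESP integrity demo passed:", demo())
```

With a real cipher the enckey would additionally be needed to recover the payload, which is the role of tcpdump's `-E spi@ipaddr algo:secret` option mentioned above; the authkey only decides whether the packet is accepted at all.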
