* Question about connect and ipsec
@ 2005-04-12 14:09 Bin Guo
  2005-04-13  3:50 ` Herbert Xu
  0 siblings, 1 reply; 2+ messages in thread
From: Bin Guo @ 2005-04-12 14:09 UTC (permalink / raw)
  To: netdev

Hi,

I'm running 2.6.11 IPSec where the esp tunnel endpoint is the default
gateway. During debugging, I found when there is no SA, plain arping
would fail (my policy is require for any<->my-address):

	setkey -F
	arping -I eth1 9.9.9.1 # default-gateway=9.9.9.1
	connect: Resource temporarily unavailable
	#(racoon is trying to re-establish the tunnel here...)

but if you give arping source address, it's ok:

	setkey -F
	arping -I eth1 -s 9.9.9.238 9.9.9.1 # my-address=9.9.9.238
	ARPING 9.9.9.1 from 9.9.9.238 eth1
	Unicast reply from 9.9.9.1 [00:02:B3:5E:9E:13]  47.350ms

From the source code of iputils/arping.c (and strace), when no source
address is provided, arping will do something like the following to
find proper local source address:

	/* device, dst, src and srclen are assumed to be declared earlier */
	int one = 1;
	int probe_fd = socket(AF_INET, SOCK_DGRAM, 0);
	setsockopt(probe_fd, SOL_SOCKET, SO_BINDTODEVICE, device, strlen(device) + 1);
	setsockopt(probe_fd, SOL_SOCKET, SO_DONTROUTE, &one, sizeof(one));
	connect(probe_fd, (struct sockaddr *)&dst, sizeof(dst)); /* fails with EAGAIN in the case above */
	getsockname(probe_fd, (struct sockaddr *)&src, &srclen);

The connect call seems to map directly to net/ipv4/datagram.c:
ip4_datagram_connect. Is it true that connect call on udp sockets
result in SA creation and temporary failure? Is it by design just
checking route to a destination protected ipsec will trigger SA
creation?

-- 
Bin


* Re: Question about connect and ipsec
  2005-04-12 14:09 Question about connect and ipsec Bin Guo
@ 2005-04-13  3:50 ` Herbert Xu
  0 siblings, 0 replies; 2+ messages in thread
From: Herbert Xu @ 2005-04-13  3:50 UTC (permalink / raw)
  To: Bin Guo; +Cc: netdev, kaber

Bin Guo <bguo@bluesocket.com> wrote:
> 
> The connect call seems to map directly to net/ipv4/datagram.c:
> ip4_datagram_connect. Is it true that connect call on udp sockets
> result in SA creation and temporary failure? Is it by design just
> checking route to a destination protected ipsec will trigger SA
> creation?

It is a deficiency in the current implementation.  This problem
will be solved along with others in the xfrm resolution stuff that
Patrick McHardy is working on.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

