[Swan-dev] Dear libreswan, I NEED YOUR HELP!

Paul Wouters paul at nohats.ca
Sat May 21 16:56:06 UTC 2016


On Fri, 20 May 2016, hongbowang(王洪波) wrote:

> Subject: [Swan-dev] Dear libreswan,  I NEED YOUR HELP!

Note: it is better to be more descriptive in the subject, because this
subject: line looks like "spam".

> dear libreswan:
> 
>      I want to remove the klips from kernel to user state. Here are some questions. Thank you!

I do not understand the question. Do you want to run ESP code in
userland instead of in the kernel? Or do you just want the crypto keys
and state from the kernel as readonly in userland?

KLIPS allows you to see a lot of kernel state via /proc/net/ipsec/

Some tools show the KLIPS state too, such as: ipsec eroute

> 1. Why are there four SAs?

There is the IPIP layer and the ESP layer. Both inbound and outbound.

> 2. Which two SAs are the IPsec SAs (not IKE SAs) among these four SAs, and what are the other two SAs used for?

None of those are IKE SAs because IKE SAs are only inside the pluto
daemon.

> 3. This code is in function " setup_half_ipsec_sa ". What is this key used for? Are this enckey and authkey the final encap keys? If not, how is the final key produced from this key? Why
> do two SAs have this key with a value, but the other two SAs are NULL in the previous picture?

The enckey is the IPsec encryption key and the IPsec authkey is the
integrity (hash) key. You can specify the enc key with tcpdump to let
tcpdump decrypt the ESP traffic. In normal operation, these keys which
were negotiated via IKE are sent into the kernel (using the PFKEY API when
using KLIPS, or using netlink when using the XFRM/NETKEY stack) so the kernel
can encrypt/decrypt the ESP packets.

Paul
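An added illustration of the answers above (not code from this thread or from libreswan): it splits IKE-derived KEYMAT into enckey/authkey for the two ESP SAs, leaves the two IPIP SAs without keys, and shows what the authkey does, namely keying the HMAC that produces and checks the ESP ICV. It assumes the IKEv2 key-taking order of RFC 7296 section 2.17 with prf+ over HMAC-SHA1, AES-128-CBC plus HMAC-SHA1-96 key sizes, that this host is the IKE initiator, and constructed key and nonce bytes.

```python
# Added example, not libreswan code. KEYMAT layout follows RFC 7296 s2.17
# (initiator->responder keys first; within a direction, enckey then authkey).
# Key sizes assume AES-128-CBC + HMAC-SHA1-96; all key/nonce bytes are constructed.
import hmac
import hashlib

ENC_KEY_LEN = 16   # AES-128-CBC key
AUTH_KEY_LEN = 20  # HMAC-SHA1 key
ICV_LEN = 12       # HMAC-SHA1-96 truncated ICV


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 7296 prf+: T1 = prf(K, S|0x01), Tn = prf(K, T(n-1)|S|n)."""
    out, prev, n = b"", b"", 1
    while len(out) < length:
        prev = hmac.new(key, prev + seed + bytes([n]), hashlib.sha1).digest()
        out += prev
        n += 1
    return out[:length]


def child_sa_keys(sk_d: bytes, ni: bytes, nr: bytes) -> dict:
    """Build the four KLIPS-style SA entries for one tunnel.

    Only the ESP SAs carry crypto keys; the IPIP (tunnel encapsulation) SAs
    do no crypto, which is why their enckey/authkey are NULL in the kernel."""
    per_dir = ENC_KEY_LEN + AUTH_KEY_LEN
    keymat = prf_plus(sk_d, ni + nr, 2 * per_dir)
    i2r, r2i = keymat[:per_dir], keymat[per_dir:]   # we are the initiator (assumption)
    return {
        "esp_outbound": {"enckey": i2r[:ENC_KEY_LEN], "authkey": i2r[ENC_KEY_LEN:]},
        "esp_inbound":  {"enckey": r2i[:ENC_KEY_LEN], "authkey": r2i[ENC_KEY_LEN:]},
        "ipip_outbound": {"enckey": None, "authkey": None},
        "ipip_inbound":  {"enckey": None, "authkey": None},
    }


def build_esp(authkey: bytes, spi: int, seq: int, ciphertext: bytes) -> bytes:
    """SPI | SeqNo | (already encrypted payload) | ICV, as the sender emits it."""
    body = spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + ciphertext
    return body + hmac.new(authkey, body, hashlib.sha1).digest()[:ICV_LEN]


def esp_icv_ok(authkey: bytes, esp_packet: bytes) -> bool:
    """Receiver side: recompute the HMAC over everything before the ICV."""
    body, icv = esp_packet[:-ICV_LEN], esp_packet[-ICV_LEN:]
    expect = hmac.new(authkey, body, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(expect, icv)
```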


More information about the Swan-dev mailing list