<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>I think you want to use Opportunistic IPsec, eg see </div><div><br></div><div><a href="https://libreswan.org/wiki/HOWTO:_Opportunistic_IPsec">https://libreswan.org/wiki/HOWTO:_Opportunistic_IPsec</a></div><div><br></div><div>Note that IKEv2 also allows you to define one connection and instantiate a connection based on the trigger packet whose src/dst proto/port are included in the IKEv2 packet as traffic selectors. See RFC7296 and "narrowing".</div><div><br></div><div>Paul</div><div><br></div><div><br><div>Sent from my iPhone</div></div><div><br>On May 2, 2017, at 08:32, Sowmini Varadhan <<a href="mailto:sowmini.varadhan@oracle.com">sowmini.varadhan@oracle.com</a>> wrote:<br><br></div><blockquote type="cite"><div><span>I have a question about linux support for IPsec PFP (as defined in</span><br><span>rfc 4301). I am assuming this exists, and is accessible from uspace,</span><br><span>in which case I need some hints on how to set it up.</span><br><span></span><br><span>Assuming I have a server listening at port 5001 that I want to</span><br><span>secure via ipsec. Suppose I want to make sure that each TCP/UDP 5-tuple</span><br><span>sending packets to port 5001 gets its own SA.</span><br><span></span><br><span>RFC4301 has this:</span><br><span></span><br><span> - SPD-S: For traffic that is to be protected using IPsec, the</span><br><span> entry consists of the values of the selectors that apply to the</span><br><span> traffic to be protected via AH or ESP, controls on how to</span><br><span> create SAs based on these selectors, ...</span><br><span></span><br><span>and further down</span><br><span> If IPsec processing is specified for</span><br><span> an entry, a "populate from packet" (PFP) flag may be asserted for</span><br><span> one or more of the selectors in the SPD entry (Local IP address;</span><br><span> Remote IP address; Next Layer Protocol; and, depending on Next</span><br><span> Layer Protocol, Local port and Remote port, or ICMP type/code, or</span><br><span> Mobility Header type). If asserted for a given selector X, the</span><br><span> flag indicates that the SA to be created should take its value for</span><br><span> X from the value in the packet. Otherwise, the SA should take its</span><br><span> value(s) for X from the value(s) in the SPD entry.</span><br><span></span><br><span>A google search produces a discarded patch</span><br><span> <a href="http://marc.info/?l=linux-netdev&m=119746758904140">http://marc.info/?l=linux-netdev&m=119746758904140</a></span><br><span>but its not clear to me how to set this up (if PFP works fine,</span><br><span>as suggested by Herbert's response above)</span><br><span></span><br><span>I tried experimenting with IP_XFRM_POLICY from a simple udp client but</span><br><span>(a) that seems to require a SPI and reqid to set up the SPD </span><br><span>(b) I see the SADB_ACQUIRE upcall being triggered after the local port</span><br><span> is bound (and SADB entry is set up for the lport). But ike phase2</span><br><span> does not converge for the lport specific sadb added</span><br><span> by the bind (even in quick mode)</span><br><span></span><br><span>My understanding is that pluto shoud be generating spi's to make sure</span><br><span>they are sufficiently unique/random etc. so (a) makes me think I'm</span><br><span>either not setting this up or not using this correctly.</span><br><span></span><br><span>Any hints/sample code/RTFMs would be helpful (documentation for</span><br><span>IP_XFRM_POLICY seems scant, afaict). I'd be happy to share my </span><br><span>udp client program, if it can provide more context to my question.</span><br><span></span><br><span>--Sowmini</span><br><span></span><br><span>_______________________________________________</span><br><span>Swan mailing list</span><br><span><a href="mailto:Swan@lists.libreswan.org">Swan@lists.libreswan.org</a></span><br><span><a href="https://lists.libreswan.org/mailman/listinfo/swan">https://lists.libreswan.org/mailman/listinfo/swan</a></span><br></div></blockquote></body></html>