[pisa-src] Re: xfrm state

  • From: René Hummen <rene.hummen@xxxxxxxxxxxxxxxxx>
  • To: pisa-src@xxxxxxxxxxxxx
  • Date: Tue, 13 Mar 2012 15:20:31 +0100

Hi,

On 13.03.2012, at 15:03, samuel richter wrote:
> Hi,
> 
> 'something' is wrong here. Find the error in the output of "ip xfrm
> state" added as an attachment. 

With something, Samuel is hinting at multiple SA entries for the same host:

src 192.168.5.235 dst 192.168.5.117
        proto esp spi 0x9a816d41 reqid 0 mode beet
        replay-window 0 
        auth hmac(sha1) 0xaf5da888b5c0ce89846cd14f43d7f1d5281df606
        enc cbc(aes) 0x7ac6f59f68c3ea13bdee35b3c43ed427
        encap type espinudp sport 10500 dport 10500 addr 192.168.5.235
        sel src 2001:12:cdd7:14f2:d205:7930:3c2b:72a7/128 dst 2001:1f:1af9:a1a5:fa70:1d54:41d6:6b48/128
src 192.168.5.235 dst 192.168.5.117
        proto esp spi 0xf20aa8b3 reqid 0 mode beet
        replay-window 0 
        auth hmac(sha1) 0x7d1c5b57f743d9c9349391f89b936efb78f65075
        enc cbc(aes) 0x34c5b073a2ecea085ffeccc736d5ab31
        encap type espinudp sport 10500 dport 10500 addr 192.168.5.235
        sel src 2001:12:cdd7:14f2:d205:7930:3c2b:72a7/128 dst 2001:1f:1af9:a1a5:fa70:1d54:41d6:6b48/128
src 192.168.5.235 dst 192.168.5.117
        proto esp spi 0xc35343d0 reqid 0 mode beet
        replay-window 0 
        auth hmac(sha1) 0x48cc414f90fcf8fec45b2512b17ed382daf26dc2
        enc cbc(aes) 0xdeecc1bbf971e6767eb4e202f9adf063
        encap type espinudp sport 10500 dport 10500 addr 192.168.5.235
        sel src 2001:12:cdd7:14f2:d205:7930:3c2b:72a7/128 dst 2001:1f:1af9:a1a5:fa70:1d54:41d6:6b48/128

And the use of the same SPI number for multiple connections:

src 192.168.5.235 dst 192.168.5.127
        proto esp spi 0x9a816d41 reqid 0 mode beet
        replay-window 0 
        auth hmac(sha1) 0x77ed808ac9b91f61e71ecd36ce47c6cd435a0269
        enc cbc(aes) 0x8465ed1e3f159aeace30135a786418b6
        encap type espinudp sport 10500 dport 10500 addr 192.168.5.235
        sel src 2001:12:cdd7:14f2:d205:7930:3c2b:72a7/128 dst 2001:1f:1af9:a1a5:fa70:1d54:41d6:6b48/128
src 192.168.5.235 dst 192.168.5.126
        proto esp spi 0x9a816d41 reqid 0 mode beet
        replay-window 0 
        auth hmac(sha1) 0xf172bab2e2dbd56f3fce2c505d1883ad51be3373
        enc cbc(aes) 0x1f5955734a26eb06726312811673c5fe
        encap type espinudp sport 10500 dport 10500 addr 192.168.5.235
        sel src 2001:12:cdd7:14f2:d205:7930:3c2b:72a7/128 dst 2001:1f:1af9:a1a5:fa70:1d54:41d6:6b48/128
src 192.168.5.235 dst 192.168.5.119
        proto esp spi 0x9a816d41 reqid 0 mode beet
        replay-window 0 
        auth hmac(sha1) 0xf1005f700036d62c19856b7cd36c0be624804429
        enc cbc(aes) 0x20c8e614adf7694e443a294543419fa7
        encap type espinudp sport 10500 dport 10500 addr 192.168.5.235
        sel src 2001:12:cdd7:14f2:d205:7930:3c2b:72a7/128 dst 2001:1f:1af9:a1a5:fa70:1d54:41d6:6b48/128

--
Dipl.-Inform. Rene Hummen, Ph.D. Student
Chair of Communication and Distributed Systems
RWTH Aachen University, Germany
tel: +49 241 80 20772
web: http://www.comsys.rwth-aachen.de/team/rene-hummen/
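An added example, not part of the original post or the PISA code base: a small checker that parses `ip xfrm state` output and flags the two symptoms discussed above, several SAs for the same src/dst/selector and one SPI reused towards different peers. The sample input is constructed from the addresses and SPIs quoted in the thread, with the key lines left out.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the output quoted in the thread (auth/enc
# key lines omitted; addresses and SPI values are the ones from the post).
SAMPLE = """\
src 192.168.5.235 dst 192.168.5.117
        proto esp spi 0x9a816d41 reqid 0 mode beet
        sel src 2001:12:cdd7:14f2:d205:7930:3c2b:72a7/128 dst 2001:1f:1af9:a1a5:fa70:1d54:41d6:6b48/128
src 192.168.5.235 dst 192.168.5.117
        proto esp spi 0xf20aa8b3 reqid 0 mode beet
        sel src 2001:12:cdd7:14f2:d205:7930:3c2b:72a7/128 dst 2001:1f:1af9:a1a5:fa70:1d54:41d6:6b48/128
src 192.168.5.235 dst 192.168.5.127
        proto esp spi 0x9a816d41 reqid 0 mode beet
        sel src 2001:12:cdd7:14f2:d205:7930:3c2b:72a7/128 dst 2001:1f:1af9:a1a5:fa70:1d54:41d6:6b48/128
"""

HEAD = re.compile(r"^src (\S+) dst (\S+)$")        # start of one SA entry
SPI = re.compile(r"\bspi (0x[0-9a-f]+)")
SEL = re.compile(r"^\s*sel src (\S+) dst (\S+)")   # inner selector line

def parse_states(text):
    """Return one dict per SA with its outer src/dst, SPI and selector."""
    states, cur = [], None
    for line in text.splitlines():
        m = HEAD.match(line.strip())
        if m:
            cur = {"src": m.group(1), "dst": m.group(2), "spi": None, "sel": None}
            states.append(cur)
            continue
        if cur is None:
            continue
        if m := SPI.search(line):
            cur["spi"] = m.group(1)
        if m := SEL.match(line):
            cur["sel"] = (m.group(1), m.group(2))
    return states

def find_anomalies(states):
    """Return (duplicate src/dst/selector -> SPIs, reused src/SPI -> dsts)."""
    by_pair, by_spi = defaultdict(list), defaultdict(set)
    for s in states:
        by_pair[(s["src"], s["dst"], s["sel"])].append(s["spi"])
        by_spi[(s["src"], s["spi"])].add(s["dst"])
    dup_pairs = {k: v for k, v in by_pair.items() if len(v) > 1}
    shared_spis = {k: sorted(v) for k, v in by_spi.items() if len(v) > 1}
    return dup_pairs, shared_spis
```

In practice the text would come from running `ip xfrm state` on the host; an empty result from `find_anomalies` means neither symptom is present.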