On (05/02/17 11:33), Paul Wouters wrote:
>
> >If I used OE, I would *never* get a per-5-tuple SPI, right?
> >(I can give this a try later today but the rfc definition of OE is
> >not what I have in mind- I really want PFP, not OE).
>
> Right.
>
> Over the years I've received a number of requests
On Tue, 2 May 2017, Sowmini Varadhan wrote:
But I want each 5-tuple to/from 5001 to get its own SPI. That
is not happening in my case.
the problem I see with your approach is that you have a few options:
1) Setup a %trap policy using 1 conn per port combo.
This is kind of insane, but it woul
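To make the first option concrete, here is an added libreswan ipsec.conf fragment (my own illustration, not configuration posted in this thread). It uses the 3.x-era syntax current in 2017; the addresses 192.0.2.1/192.0.2.2, the IDs, the client ports 40001/40002 and the conn names are all assumed. Each `auto=route` conn installs its own %trap policy in the kernel, so a trigger packet matching one port pair negotiates an IPsec SA (with its own SPI) covering only that pair; the price is one conn per client port, which is why the option is called insane.

```ini
# Added example, not from the thread: shared settings for every per-port conn.
conn %default
        left=192.0.2.1            # assumed server address
        leftid=@server.example    # assumed
        right=192.0.2.2           # assumed client address
        rightid=@client.example   # assumed
        ikev2=insist
        authby=secret
        type=transport

# One conn per (server port, client port) combination. auto=route installs
# a %trap policy for exactly this 5-tuple; the first matching packet
# triggers IKE and yields an SA that covers only tcp 5001 <-> tcp 40001.
conn srv5001-from-40001
        leftprotoport=tcp/5001
        rightprotoport=tcp/40001
        auto=route

# Second client port -> second trap policy -> second SA with its own SPI.
conn srv5001-from-40002
        leftprotoport=tcp/5001
        rightprotoport=tcp/40002
        auto=route
```

Check: if `rightprotoport` is left as `tcp/%any` (or omitted), the single conn covers every client port and all flows to 5001 share one SA, which is exactly the behaviour the question is trying to avoid. `ipsec status` or `ip xfrm policy` on the server should show one policy per port pair once the conns are routed.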
On (05/02/17 09:58), Paul Wouters wrote:
>I think you want to use Opportunistic IPsec, eg see
>https://libreswan.org/wiki/HOWTO:_Opportunistic_IPsec
I don't think that what I want is opportunistic ipsec..
taking an extreme example, I can set up the ipsec tunnels with
esp-null for *.5001
I think you want to use Opportunistic IPsec, eg see
https://libreswan.org/wiki/HOWTO:_Opportunistic_IPsec
Note that IKEv2 also allows you to define one connection and instantiate a
connection based on the trigger packet whose src/dst proto/port are included in
the IKEv2 packet as traffic sele
On Sun, Apr 30, 2017 at 11:19 PM, Paul Wouters wrote:
> On Sat, 29 Apr 2017, Muenz, Michael wrote:
>
>> but on the last command ipsec "import debian.p12" I get a:
>>
>> Enter password for PKCS12 file:
>> pk12util: PKCS12 IMPORT SUCCESSFUL
>> certutil: Could not find cert: NOC CA
>> : PR_FILE_NOT_F
I have a question about Linux support for IPsec PFP (as defined in
RFC 4301). I am assuming this exists, and is accessible from uspace,
in which case I need some hints on how to set it up.
Assuming I have a server listening at port 5001 that I want to
secure via ipsec. Suppose I want to make sure