[redhat-lspp] using ah and esp protocols in ipsec
Paul Moore
paul.moore at hp.com
Tue Oct 17 12:45:22 UTC 2006
On Monday 16 October 2006 6:20 pm, Joy Latten wrote:
> Paul,
>
> When ipsec policy is specified as:
>
> spdadd 9.3.189.57 9.3.192.210 any
> -ctx 1 1 "system_u:object_r:passwd_t:s3"
> -P out ipsec
> esp/transport//require ah/transport//require;
>
> Since I specified both esp and ah protocols,
> racoon created 4 SAs, 2 for esp and 2 for AH.
> All four SAs created had the following security context:
> security context: root:sysadm_r:ping_t:s0-s15:c0.c1023
> (A ping resulted in the SAs being created.)
>
> Hope this helps. Let me know if there is anything else I
> can help with.
Hi Joy,
Thanks, yes that does help. However, I have another question for you if you
don't mind :)
What happens when you have multiple SAs for a packet and the contexts don't
match? Granted this is a common case but it should be possible. For
example, what happens when you use manual keying to create two SAs, one AH
and one ESP, with the same selectors but different contexts?
Does the first transform "win"? Or the "last"? Is there an error or warning
reported anywhere?
--
paul moore
linux security @ hp
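The question above, whether AH and ESP SAs that share selectors can end up with different labels, is something an administrator can check for directly. The following is an added example (not code from the thread or from the ipsec-tools project): it parses a constructed SAD listing, modelled on the `setkey -D` style output whose "security context:" line Joy quotes, and reports selector pairs whose AH and ESP SAs disagree. The exact `setkey -D` layout and the SPI values are assumptions.

```python
"""Flag labeled-IPsec SAs that share selectors but carry different SELinux contexts."""
import re
from collections import defaultdict

# Constructed sample SAD dump (not real output); format modelled on the
# 'setkey -D' listing quoted in the thread.  The last AH SA deliberately
# carries a different context from its ESP partner.
SAD_DUMP = """\
9.3.189.57 9.3.192.210
        esp mode=transport spi=4096(0x00001000) reqid=0(0x00000000)
        security context: root:sysadm_r:ping_t:s0-s15:c0.c1023
9.3.189.57 9.3.192.210
        ah mode=transport spi=4097(0x00001001) reqid=0(0x00000000)
        security context: root:sysadm_r:ping_t:s0-s15:c0.c1023
9.3.192.210 9.3.189.57
        esp mode=transport spi=4098(0x00001002) reqid=0(0x00000000)
        security context: root:sysadm_r:ping_t:s0-s15:c0.c1023
9.3.192.210 9.3.189.57
        ah mode=transport spi=4099(0x00001003) reqid=0(0x00000000)
        security context: system_u:object_r:passwd_t:s3
"""

SA_HEADER = re.compile(r"^(\S+) (\S+)$")          # "src dst" line opens an SA
SA_PROTO = re.compile(r"^\s+(ah|esp) mode=(\w+)")  # protocol and mode line
SA_CTX = re.compile(r"^\s+security context: (\S+)")

def parse_sad(dump):
    """Return one dict per SA: src, dst, proto, mode and SELinux context."""
    sas, cur = [], None
    for line in dump.splitlines():
        if m := SA_HEADER.match(line):
            cur = {"src": m.group(1), "dst": m.group(2),
                   "proto": None, "mode": None, "ctx": None}
            sas.append(cur)
        elif cur and (m := SA_PROTO.match(line)):
            cur["proto"], cur["mode"] = m.groups()
        elif cur and (m := SA_CTX.match(line)):
            cur["ctx"] = m.group(1)
    return sas

def find_context_conflicts(sas):
    """Map (src, dst) -> {proto: ctx} for selectors whose SAs disagree on context."""
    by_sel = defaultdict(dict)
    for sa in sas:
        by_sel[(sa["src"], sa["dst"])][sa["proto"]] = sa["ctx"]
    return {sel: ctxs for sel, ctxs in by_sel.items()
            if len(set(ctxs.values())) > 1}

if __name__ == "__main__":
    for (src, dst), ctxs in find_context_conflicts(parse_sad(SAD_DUMP)).items():
        print(f"context mismatch {src} -> {dst}: {ctxs}")
```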