[support] IPSec in NEMO BS with static keys
Sebastien Decugis
sdecugis at hongo.wide.ad.jp
Mon Aug 24 11:18:38 JST 2009
Hi,
Good to know that it works now :)
> Knowing that umip takes care of the SPD is very useful. I must have been
> confused as the guide here
> (http://member.wide.ad.jp/tr/wide-tr-nautilus6-configuring-ipsec-for-shisa-mipl-00.pdf)
> uses some configuration files that add spd entries manually (using spdadd)
>
The SHISA stack is different from UMIP. In that case, one has actually
to insert the SPD entries by hand. But in the UMIP case, it is handled
by the daemon (not the SAD, though).
> Now that I am starting to find my way around sad and spd it seems that
> finding them using the reqid is easier. It is very surprising that there
> isn't any documentation out there describing them...
>
It's quite a general issue in Linux, especially all XFRM-related things
(superset of IPsec)... :-s
> By the way what is the difference between an "in ipsec" and "fwd ipsec" in
> the spd? How would that operate differently from either the MR's or the HA's
> point of view?
>
The rules that are matched are different if the local host is an
endpoint of the packet or not. I don't exactly remember how the rules
are matched between IN, OUT and FWD. Simply put, a forwarded packet does
not go through IN then OUT rules. (I seem to remember it's FWD + OUT but
I am not sure at all!)
Signaling (example: BU, BA) will therefore match IN and OUT rules on the
MR and HA, while tunneled encapsulated traffic will match FWD rules.
That's the reason for having FWD rules in the case of NEMO, while
"simple" UMIP does not need this.
It's quite a tricky topic, probably because it's so difficult to find
documentation on this...
I hope this helps!
Best regards,
Sebastien.
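The direction selection discussed in the reply above, as an added worked model (not code from UMIP or from this list). It encodes the Linux XFRM behaviour Sebastien is recalling: a packet delivered locally is checked against IN policies, a locally originated packet against OUT policies, and a transit packet against FWD on the way in and OUT on the way out. The addresses, prefixes, reqids and the HA's SPD are constructed for illustration; the selectors are compared against the inner (decapsulated) addresses, and real kernels also match on protocol, ports and policy priority, which this model leaves out.

```python
"""Model of which SPD direction (in / out / fwd) a packet is checked against
on a host, and which policy (by reqid) it picks.  Added example with
constructed addresses; not UMIP code."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    src: str        # source selector (CIDR)
    dst: str        # destination selector (CIDR)
    direction: str  # "in", "out" or "fwd"
    action: str     # "ipsec" or "none"
    reqid: int = 0  # ties the policy to the SAD entries carrying the same reqid


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def _selector_matches(policy: Policy, pkt: Packet) -> bool:
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(policy.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(policy.dst))


def directions_checked(pkt: Packet, local_addrs) -> list:
    """Directions the host consults: delivered -> in, originated -> out,
    forwarded -> fwd on entry and out on exit."""
    local = {ipaddress.ip_address(a) for a in local_addrs}
    if ipaddress.ip_address(pkt.dst) in local:
        return ["in"]
    if ipaddress.ip_address(pkt.src) in local:
        return ["out"]
    return ["fwd", "out"]


def lookup(policies, pkt: Packet, local_addrs) -> dict:
    """First matching policy per consulted direction (None if no selector matches)."""
    matches = {}
    for direction in directions_checked(pkt, local_addrs):
        matches[direction] = next(
            (p for p in policies
             if p.direction == direction and _selector_matches(p, pkt)),
            None)
    return matches


# Constructed topology (documentation prefixes, not a real deployment)
HA = "2001:db8:1::1"        # home agent
MR_HOA = "2001:db8:1::100"  # mobile router's home address
MNP = "2001:db8:2::/64"     # mobile network prefix behind the MR
CN = "2001:db8:3::1"        # correspondent node

# SPD as it might look on the HA for one MR (constructed)
HA_SPD = [
    Policy(MR_HOA, HA, "in", "ipsec", reqid=1),    # BU from the MR (transport-mode MH)
    Policy(HA, MR_HOA, "out", "ipsec", reqid=1),   # BA to the MR
    Policy(MNP, "::/0", "fwd", "ipsec", reqid=2),  # MNP traffic leaving the tunnel, forwarded on
    Policy("::/0", MNP, "out", "ipsec", reqid=2),  # traffic to the MNP entering the tunnel
]


def ha_lookup(src: str, dst: str) -> dict:
    """Which reqid each consulted direction resolves to on the HA."""
    return {d: (p.reqid if p else None)
            for d, p in lookup(HA_SPD, Packet(src, dst), [HA]).items()}


if __name__ == "__main__":
    print("BU MR->HA :", ha_lookup(MR_HOA, HA))            # {'in': 1}
    print("BA HA->MR :", ha_lookup(HA, MR_HOA))            # {'out': 1}
    print("MNP->CN   :", ha_lookup("2001:db8:2::10", CN))  # {'fwd': 2, 'out': None}
    print("CN->MNP   :", ha_lookup(CN, "2001:db8:2::10"))  # {'fwd': None, 'out': 2}
```

The last two lookups are the point of the FWD rules: on the HA, a packet from a node behind the MR is a transit packet, so it is matched by the FWD entry with reqid 2 (and by no OUT entry, because the tunnel ends at the HA and the packet continues to the CN in the clear), while a packet towards the mobile network only hits the OUT entry that sends it into the tunnel. Signaling between MR and HA, being addressed to the host itself, never touches FWD at all.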