IPSec IP range in Linux kernel

From: danila . st
Date: Mon Nov 07 2011 - 06:52:27 EST


Hello!

To begin with, I'm from Russia. So I apologize in advance for the English from Google Translate. :)

Plus I have never had to deal with mailing lists before. So do not kick me immediately if this is not written on topic. But I sincerely hope this is the right address.

Initially, I tried to write a letter directly to David Miller. He told me to write to the mailing list and not to him directly. That is exactly why I am writing here.

I beg you to take me seriously! The fact is that Russian people are not treated with the most seriousness and mutual respect.

Now I will describe the problem itself. In our organization, devices such as the Zyxel Zywall are used to set up IPSec encrypted connections. Below is a diagram:

server (zywall)
192.168.1.0/24-----------------192.168.7.1-192.168.7.5 (client 1)
      |   |
      |   ------------------- 192.168.7.6-192.168.7.10 (client 2)
      |
      --------------------------- 192.168.7.11-192.168.7.15 (client 3)

Explanation of the diagram: a set of IPSec connections is configured on the head zywall. One feature of these rules is that all these connections join the main enterprise network 192.168.1.0/24 to the other subnet 192.168.7.0/24, which is broken into pieces, each of which contains a range of 5 forwarded addresses.

Instead of the head server, we decided to use a server running Linux. And we immediately ran into a problem: in a Linux connection you can set only one address / subnet. The ability to connect to a range of addresses does not exist as such. As a result, the connection fails - it fails at the stage of policy negotiation.

Therefore I appeal to you. I tried to contact the Russian representative office of Zyxel. No clear answers were received. Apparently they are not developers, just distributors. I tried writing on the forums. I received only a proposal to replace the range with a subnet. Maybe they are right, but then the question arises: why is this feature implemented in Zyxel's devices?

In general, I am writing to you with a rational proposal to help you add this feature to Linux. Well, and some related questions:

1) Could you describe the structure of the SADB and SPD policy tables? Where in the source code are they described?
2) Please explain the IPSec subsystem in Linux. Perhaps you have links to the appropriate literature, descriptions, documentation?

P.S. I'd love to hear the answer from David Miller himself, since it is his design.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
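The post's five-address ranges cannot be expressed as a single address/prefix selector, which is why the forums suggested "replace the range with a subnet". As an added illustration (not code from the post or from the kernel), this Python computes the minimal set of CIDR prefixes covering each range from the diagram and the per-prefix xfrm policies that would stand in for one range entry; LINUX_GW_IP and ZYWALL_IP are placeholders for the tunnel endpoints, which the post does not give.

```python
import ipaddress

# Addresses copied from the diagram in the post.
LOCAL_NET = "192.168.1.0/24"
ZYWALL_RANGES = [
    ("client 1", "192.168.7.1", "192.168.7.5"),
    ("client 2", "192.168.7.6", "192.168.7.10"),
    ("client 3", "192.168.7.11", "192.168.7.15"),
]


def range_to_prefixes(first, last):
    """Minimal CIDR cover of the inclusive range first..last (greedy, low to high)."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("range start is after its end")
    prefixes = []
    while lo <= hi:
        size = 1
        # Grow the block while it stays aligned on its own size and inside the range.
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        prefixes.append(f"{ipaddress.IPv4Address(lo)}/{33 - size.bit_length()}")
        lo += size
    return prefixes


def single_subnet(first, last):
    """True only when the range is exactly one CIDR block, i.e. one SPD selector."""
    return len(range_to_prefixes(first, last)) == 1


def xfrm_policy_commands(first, last, gw="LINUX_GW_IP", peer="ZYWALL_IP"):
    """One 'ip xfrm policy add' per prefix for out, in and fwd (placeholder endpoints)."""
    cmds = []
    for pfx in range_to_prefixes(first, last):
        tmpl_out = f"tmpl src {gw} dst {peer} proto esp mode tunnel"
        tmpl_in = f"tmpl src {peer} dst {gw} proto esp mode tunnel"
        cmds.append(f"ip xfrm policy add src {LOCAL_NET} dst {pfx} dir out {tmpl_out}")
        cmds.append(f"ip xfrm policy add src {pfx} dst {LOCAL_NET} dir in {tmpl_in}")
        cmds.append(f"ip xfrm policy add src {pfx} dst {LOCAL_NET} dir fwd {tmpl_in}")
    return cmds


if __name__ == "__main__":
    for name, first, last in ZYWALL_RANGES:
        print(f"{name}: {first}-{last} -> {range_to_prefixes(first, last)}")
        for cmd in xfrm_policy_commands(first, last):
            print("  " + cmd)
```

Each range of five addresses needs two or three prefixes, so the Linux gateway ends up with several SPD entries per direction where the Zywall has one range rule.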