2012-07-25 06:14:57

by Geanta Neag Horia Ioan-B05471

Subject: iproute2 - IPsec ESN support

Hello,

Is there any way to create an IPsec tunnel and indicate using
extended sequnce numbers?

It seems that currently iproute2 doesn't support this.
Grepping for "esn" reveals that XFRM_STATE_ESN shows only in kernel headers.

The only relevant thing I found was a RFC sent by Steffen (Cc-ed),
but it was never applied (don't know why):
[RFC] iproute2: Add IPsec extended sequence number support
http://patchwork.ozlabs.org/patch/85962/

Thank you,
Horia

2012-07-25 09:51:34

by Steffen Klassert

Subject: Re: iproute2 - IPsec ESN support

On Wed, Jul 25, 2012 at 06:14:52AM +0000, Geanta Neag Horia Ioan-B05471 wrote:
> Hello,
>
> Is there any way to create an IPsec tunnel and indicate using
> extended sequnce numbers?

The strongswan ike deamon supports extended sequnce numbers.

>
> It seems that currently iproute2 doesn't support this.
> Grepping for "esn" reveals that XFRM_STATE_ESN shows only in kernel headers.
>
> The only relevant thing I found was a RFC sent by Steffen (Cc-ed),
> but it was never applied (don't know why):
> [RFC] iproute2: Add IPsec extended sequence number support

I'll take this as a reminder to respin this patch.