
linux-ipsec: can this work ?!

From: Mark Pilon <mpilon(at)compatible.com>
Date: Mon May 11 1998 - 18:06:19 EDT


Thanks, Hugh, for that nice reply -- I _think_ I've found something that might work, for testing if little more, and I wanted to get a sanity check.

my description of the problem/goal is:
I'd like to spawn some process (even just a shell) -- with a particular SA for that process to apply to all the traffic from/to any process that was started in that shell -- so to attempt to do multi-user testing w/ a pair of linux machines.

Hugh's comments about using freeswan IPSEC and Pluto mirror discussions we're having here with our VPN products -- there are advantages and disadvantages to being either the "tail or the dog" in blazing our own trail or supporting freeswan's IPSEC and Pluto. one complication is that we already _have_ a tunneling router, and so some of our interface is already cast. fortunately not in stone.

back to my specific issue, for testing this router I'd like to kick off multiple sessions on a pair of linux workstations, each using different SAs.

the problem comes in identifying, down deep in the machine, _which_ SA to apply when it comes time to wrap the packet. current->pid seems to be the pid of the process sending the packets; (sometimes, as w/ FTP I see PIDs of 0 -- the kernel) -- does this seem a workable means to identify who's sending what most of the time? I'm going to play w/ it some more, but I'd appreciate comments from any of you net/kernel experts out there. what network activity happens from within the kernel?

  • I want to visit as few places in the stack as possible. at worst, I'll have a test harness, that someday might grow into a full linux client capable of communicating with our intraport.

Thanks again,

Mark Pilon
Compatible Systems

Received on Mon May 11 19:10:55 1998
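
A user-space model of the per-process SA lookup the message asks about, added here as an illustration; it is not code from the post, from freeswan, or from the Linux kernel. The task table, the shell-to-SPI bindings and all names are constructed assumptions; it walks from the sending pid up to the shell that owns the SA and returns no SA at all for pid 0, the case the message reports seeing with FTP.

```c
#include <stddef.h>

/* Constructed model, not kernel code: each task has a pid and a parent pid. */
struct task { int pid; int ppid; };
/* Hypothetical binding: everything started from this shell uses this SPI. */
struct sa_bind { int shell_pid; unsigned int spi; };

#define SA_NONE 0u  /* no SA identified: caller should drop, not send in clear */

static const struct task *find_task(const struct task *t, size_t n, int pid)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].pid == pid)
            return &t[i];
    return NULL;
}

/* Walk from the sending pid through its ancestors until a bound shell is hit. */
unsigned int sa_for_pid(const struct task *tasks, size_t nt,
                        const struct sa_bind *binds, size_t nb, int pid)
{
    /* pid 0 never enters the loop: the sender is unknown, so do not guess.
       The depth bound stops the walk if the parent links form a cycle. */
    for (size_t depth = 0; pid > 0 && depth <= nt; depth++) {
        for (size_t i = 0; i < nb; i++)
            if (binds[i].shell_pid == pid)
                return binds[i].spi;
        const struct task *t = find_task(tasks, nt, pid);
        if (t == NULL)
            break;
        pid = t->ppid;
    }
    return SA_NONE;
}

/* Constructed sample: shells 100 and 200 carry SAs, pid 300 belongs to neither. */
static const struct task demo_tasks[] = {
    {1, 0}, {100, 1}, {101, 100}, {102, 101}, {200, 1}, {201, 200}, {300, 1}
};
static const struct sa_bind demo_binds[] = { {100, 0x1001u}, {200, 0x2002u} };

unsigned int demo_lookup(int pid)
{
    return sa_for_pid(demo_tasks, sizeof demo_tasks / sizeof demo_tasks[0],
                      demo_binds, sizeof demo_binds / sizeof demo_binds[0], pid);
}
```
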

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:10 EDT
