@jimp:
The IPsec status check is all in diag_ipsec.php I thought.
What it was supposed to check was for the presence of both a p1 and matching p2. I suppose transport mode is just slightly different enough that the current checks don't let it line up.
You're right. It's definitely the ipsec_phase2_status call in diag_ipsec.php that returns false, and the ipsec_phase2_status implementation in /etc/inc/ipsec.inc isn't matching the output from setkey. The two SPs I currently have looks like this:
77.105.xxx.yyy 24.23.xxx.yyy gre
in ipsec
esp/transport//require
spid=36 seq=3 pid=22013
refcnt=1
24.23.xxx.yyy 77.105.xxx.yyy gre
out ipsec
esp/transport//require
spid=35 seq=0 pid=22013
refcnt=1
(substitute gre for any if not using the "Cisco compatibility")
There are no square brackets at all on the address line in transport mode, which definitely confuses the current code.
The corresponding SAs looks like this:
24.23.xxx.yyy 77.105.xxx.yyy
esp mode=any spi=1965845(0x001dff15) reqid=0(0x00000000)
E: blowfish-cbc zzzz
A: hmac-sha256 zzzz
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Aug 27 15:32:04 2012 current: Aug 27 15:35:28 2012
diff: 204(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=3 pid=43976 refcnt=1
77.105.xxx.yyy 24.23.xxx.yyy
esp mode=transport spi=173094859(0x0a5137cb) reqid=0(0x00000000)
E: blowfish-cbc zzzz
A: hmac-sha256 zzzz
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Aug 27 15:32:04 2012 current: Aug 27 15:35:28 2012
diff: 204(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=43976 refcnt=1
I'll dig into the ipsec.inc code some more to see if there could be an easy fix to allow the code to match the correct data for transport mode.
/wj
