WFP + IPsec Manual SA Keying

  • Question

  • Hi,

    We are developing an IKEv2 application, which provides the necessary Security Association keying parameters to the IPsec module.

    The link below provides the sample code for Manual SA Keying (IPsec (AH) in Transport Mode):

        http://msdn2.microsoft.com/en-us/library/bb451820(VS.85).aspx

    I would like to have a sample code for IPsec (ESP) in Tunnel Mode, where SA keying will be done manually.

    In that direction, I followed the steps below:

    1. Create Tunnel Mode Policy using the function "FwpmIPsecTunnelAdd0()"

       In this function, what parameters should I provide for the tunnel mode policy?

    Note: The keying parameters will be obtained using my IKEv2 application.

    I tried out this option in one of the parameters:

        qmProvCtxt.type = FWPM_IPSEC_IKE_QM_TUNNEL_CONTEXT;

    Is this parameter valid with respect to my requirement?

    2. Create Inbound SA

        filter.displayData.name = (PWSTR)FILTER_NAME;
        filter.numFilterConditions = 2;
        filter.action.type = FWP_ACTION_CALLOUT_TERMINATING;
        filter.flags = FWPM_FILTER_FLAG_NONE;
        filter.layerKey = FWPM_LAYER_INBOUND_TRANSPORT_V4;
        filter.action.calloutKey = FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_V4;

        filter.layerKey = FWPM_LAYER_OUTBOUND_TRANSPORT_V4;
        filter.action.calloutKey = FWPM_CALLOUT_IPSEC_OUTBOUND_TUNNEL_V4;

    The filter above, with the layer and callout types shown, is used for creating the filters.

    When the "FwpmFilterAdd0()" function is called, the following error occurred:

        FWP_E_CONTEXT_INCOMPATIBLE_WITH_CALLOUT (0x8032002F)

    What (suitable / required) provider / raw context types does this callout type (expect / need) to be provided?

    3. Create Outbound SA

    Any help in this regard is highly appreciated.

    Thanks,

    Kumar

    Wednesday, January 23, 2008 1:08 PM

Answers

  • Hi Kumar,

    Below is our guideline to implement manual SA keying --

    • Use the transport mode manual SA sample as the basis.
    • Instead of adding the inbound & outbound transport layer filters directly, use FwpmIPsecTunnelAdd0(). This is a helper function to add all the filters required for tunnel mode.
    • Call FwpmProviderContextGetByKey0() to get the provider context ID of the quick mode provider context. Use the key that was specified in the providerContextKey member of the tunnelPolicy parameter of the FwpmIPsecTunnelAdd0 function.
    • For the ‘ipsecFilterID’ to be specified when calling IPsecSaContextCreate0() & IPsecSaContextGetSpi0(), use the quick mode provider context ID instead.
    • Use FwpmIPsecTunnelDeleteByKey0() to clean up the policy added as part of FwpmIPsecTunnelAdd0().

    Hope this helps,

    Biao.W.

    Tuesday, January 29, 2008 11:01 PM

All replies

  • Dear Kumar,

    Did you have success with this? I have been trying to do something similar (though not IKEv2) for a couple of days. Not having a complete example makes it pretty hard to know if I'm heading in the right direction.

    Currently, I'm not sure what type I should use in the quick mode context as you asked:

    e.g.

    FWPM_PROVIDER_CONTEXT0 qmProvCtxt;

    memset(&qmProvCtxt, 0, sizeof(qmProvCtxt));
    qmProvCtxt.displayData.name = (PWSTR) filterName;
    qmProvCtxt.providerKey = (GUID*)providerKey;
    qmProvCtxt.type = FWPM_IPSEC_IKE_QM_TUNNEL_CONTEXT; <-------- ** What should this be set to for a manually keyed tunnel? **

    I am using FwpmIPsecTunnelAdd0 as suggested by Biao, with no errors. Did you do it this way too?

    And I'm also having trouble with IPsecSaContextCreate0 and IPsecSaContextGetSpi0, as if I use the provider context id (as suggested by Biao) as the filter ID I get FWP_E_FILTER_NOT_FOUND 0x80320003...

    Did you successfully follow these guidelines? Any hints or snippets or steps would be very much appreciated. 

    Thanks 

    Stuart[at]stupot[dot]net
    Tuesday, July 21, 2009 10:45 AM
  • Dear Biao,

    Any ideas regarding my question below?

    Thanks.

    Stuart.
    Wednesday, August 5, 2009 9:51 AM
  • Hi Kumar,

    Were you able to establish a tunnel with the above suggestion? I tried the steps, but was not able to establish a tunnel.

    Thanks,

    Raghav

    Friday, October 18, 2019 5:59 AM