
What is the reason for using "require" instead of "use" in the setkey configuration that racoon uses on FreeBSD?

For example:

spdadd 169.254.1.2/30 169.254.1.1/30 any -P out ipsec esp/tunnel/45.45.45.45-11.11.11.11/use;

vs

spdadd 169.254.1.2/30 169.254.1.1/30 any -P out ipsec esp/tunnel/45.45.45.45-11.11.11.11/require;

Thank you for any guidance.

DPfiler

1 Answer

From the setkey manual page (on Linux):

level is to be one of the following: default, use, require, or unique. If the SA is not available in every level, the kernel will ask the key exchange daemon to establish a suitable SA. default means the kernel consults the system wide default for the protocol you specified, e.g. the esp_trans_deflev sysctl variable, when the kernel processes the packet. use means that the kernel uses an SA if it's available, otherwise the kernel keeps normal operation. require means SA is required whenever the kernel sends a packet matched with the policy.

wurtel
  • Thank you wurtel. To clarify, the USE level is used by the kernel to check if there is already an SA in place from earlier IKE negotiations? If this is correct, then if the SA is not available the kernel will tell the IKE daemon to create a Security Association. If an SA already exists, then when the Security Associations need to be re-keyed/re-established the kernel, based on the USE level, will check for the previously established SAs. The REQUIRE level means that an SA should have already been established and expects it? – DPfiler Aug 14 '19 at 14:23
  • I believe so. I'm not sure of all the details myself :-) – wurtel Aug 14 '19 at 14:24
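The practical difference between the two levels, shown as a complete setkey policy file for the tunnel in the question. This is an added example written for this page, not configuration from the question or the answer: the addresses are the question's own, while the inbound policy, the `flush`/`spdflush` lines and the behaviour notes in the comments are the editor's additions based on the setkey manual.

```conf
# Added example (editor's own, not from the page): setkey input for the
# tunnel in the question, loaded with "setkey -f <file>".
flush;      # drop any existing SAs (assumed start-from-clean step)
spdflush;   # drop any existing policies (assumed start-from-clean step)

# Fail-closed: with "require", a packet that matches this policy is never
# sent in the clear. If no SA exists yet, the kernel sends an ACQUIRE to
# racoon to negotiate one and the packet is dropped until the SA is up.
spdadd 169.254.1.2/30 169.254.1.1/30 any -P out ipsec
    esp/tunnel/45.45.45.45-11.11.11.11/require;
spdadd 169.254.1.1/30 169.254.1.2/30 any -P in ipsec
    esp/tunnel/11.11.11.11-45.45.45.45/require;

# Fail-open alternative (commented out): with "use", the same packet leaves
# unprotected whenever no SA is available, for example before racoon has
# finished the first negotiation or after an SA expires without a rekey.
# spdadd 169.254.1.2/30 169.254.1.1/30 any -P out ipsec
#     esp/tunnel/45.45.45.45-11.11.11.11/use;
```

After loading the file, `setkey -DP` lists the installed policies and `setkey -D` the SAs, so you can confirm that a `require` policy exists for each direction before relying on the tunnel. For traffic that must not cross the network in plaintext, `require` is the level to choose: `use` only adds protection opportunistically and silently falls back to cleartext when the SA is missing.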