Hi,
Looks like you are confused. The ISAKMP-SA is the SA created for PHASE 1. This SA is used to protect the PHASE 2 (quick mode) traffic, and at the end of PHASE 2 the IPsec SAs are created.

Normally the PHASE 1 SA database is maintained in user space (assuming user/kernel space exist). After the PHASE 2 SAs are created, one normally creates a PF_KEY socket and uses it to write the IPsec SAs into the IPsec SAD (SA database). You are right in that the PHASE 1 SPI is the concatenation of the COOKIE of the initiator and responder. Anyhow, for the PHASE 2 SPI, any unique random number generator can be used. Each PHASE 2 consists of two IPsec SAs, inbound and outbound SA, with unique SPI.

The SPD (SA Policy Database) is configured differently. Some use the KEYNOTE mechanism. Others have their own proprietary implementation. For the SPD you normally define the policy based on IPsec selectors for traffic going out and coming in.
Cheers!
Suresh Singh K.
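The following is an added illustration, not code from the post or from any IKE daemon, of the state the reply describes: a Phase 1 (ISAKMP) SA identified by initiator cookie || responder cookie, a Phase 2 SAD holding an inbound/outbound SA pair with unique randomly chosen SPIs, and an SPD consulted by traffic selectors on the outbound path. The class names, the selector fields, the sample addresses and the reserved-SPI threshold (SPIs 0..255, reserved by the ESP/AH RFCs) are assumptions of this example; a real implementation would install the SAs through PF_KEY rather than into a Python dictionary.

```python
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# SPI values 0..255 are reserved for ESP/AH; a key-management daemon must not
# hand them out as Phase 2 SPIs (assumption based on RFC 4303 / RFC 4302).
SPI_RESERVED_MAX = 255


def isakmp_sa_id(initiator_cookie: bytes, responder_cookie: bytes) -> bytes:
    """Phase 1 (ISAKMP) SA identifier: initiator cookie || responder cookie."""
    if len(initiator_cookie) != 8 or len(responder_cookie) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    return initiator_cookie + responder_cookie


@dataclass(frozen=True)
class Selector:
    """Traffic selector used by the SPD: address ranges plus optional protocol."""
    src: str                       # CIDR, e.g. "10.1.0.0/16" (constructed)
    dst: str
    proto: Optional[int] = None    # None means any IP protocol

    def matches(self, src_ip: str, dst_ip: str, proto: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == proto))


@dataclass(frozen=True)
class IPsecSA:
    spi: int
    direction: str     # "in" or "out"
    peer: str          # tunnel endpoint address
    key: bytes


class SAD:
    """Phase 2 SA database, keyed by (SPI, direction) as a toy stand-in for the kernel SAD."""

    def __init__(self) -> None:
        self._sas: Dict[Tuple[int, str], IPsecSA] = {}

    def allocate_spi(self) -> int:
        """Random 32-bit SPI that is neither reserved nor already in use inbound."""
        while True:
            spi = secrets.randbits(32)
            if spi > SPI_RESERVED_MAX and (spi, "in") not in self._sas:
                return spi

    def add_phase2_pair(self, peer: str, key_in: bytes, key_out: bytes,
                        peer_spi: int) -> Tuple[IPsecSA, IPsecSA]:
        """Install the two SAs one Phase 2 exchange yields: inbound (our SPI)
        and outbound (the SPI the peer chose for its own inbound SA)."""
        if peer_spi <= SPI_RESERVED_MAX:
            raise ValueError("peer offered a reserved SPI")
        inbound = IPsecSA(self.allocate_spi(), "in", peer, key_in)
        outbound = IPsecSA(peer_spi, "out", peer, key_out)
        self._sas[(inbound.spi, "in")] = inbound
        self._sas[(outbound.spi, "out")] = outbound
        return inbound, outbound

    def lookup(self, spi: int, direction: str) -> Optional[IPsecSA]:
        return self._sas.get((spi, direction))

    def outbound_for_peer(self, peer: str) -> Optional[IPsecSA]:
        for (_, direction), sa in self._sas.items():
            if direction == "out" and sa.peer == peer:
                return sa
        return None


@dataclass(frozen=True)
class Policy:
    selector: Selector
    action: str                  # "protect", "bypass" or "discard"
    peer: Optional[str] = None   # tunnel endpoint when action == "protect"


class SPD:
    """Security Policy Database: ordered list, first matching selector wins."""

    def __init__(self, policies: List[Policy]) -> None:
        self._policies = policies

    def lookup(self, src_ip: str, dst_ip: str, proto: int) -> Policy:
        for pol in self._policies:
            if pol.selector.matches(src_ip, dst_ip, proto):
                return pol
        return Policy(Selector("0.0.0.0/0", "0.0.0.0/0"), "discard")  # default deny


def outbound_decision(spd: SPD, sad: SAD, src_ip: str, dst_ip: str, proto: int) -> str:
    """Outbound path: apply the peer's SA, bypass, or drop. A 'protect' policy with
    no SA installed yet returns 'acquire', the point where a daemon starts Phase 2."""
    pol = spd.lookup(src_ip, dst_ip, proto)
    if pol.action != "protect":
        return pol.action
    sa = sad.outbound_for_peer(pol.peer)
    return f"esp spi={sa.spi:#010x}" if sa else "acquire"


# Constructed sample policy set (documentation addresses, not a real deployment).
SPD_SAMPLE = SPD([
    Policy(Selector("10.1.0.0/16", "10.2.0.0/16"), "protect", peer="192.0.2.2"),
    Policy(Selector("10.1.0.0/16", "10.1.0.0/16"), "bypass"),
])

if __name__ == "__main__":
    sad = SAD()
    print("phase 1 SA id:", isakmp_sa_id(b"\x01" * 8, b"\x02" * 8).hex())
    print(outbound_decision(SPD_SAMPLE, sad, "10.1.0.5", "10.2.0.9", 6))   # acquire
    sad.add_phase2_pair("192.0.2.2", b"k" * 16, b"K" * 16, peer_spi=0x1000)
    print(outbound_decision(SPD_SAMPLE, sad, "10.1.0.5", "10.2.0.9", 6))   # esp spi=0x00001000
```

The first outbound lookup returns `acquire` because the SPD says "protect" but no SA for that peer exists yet; after the Phase 2 pair is installed the same lookup resolves to the outbound SA by SPI. Traffic matching no policy hits the default-discard entry, which is the safe failure mode for an SPD.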