Current-Users archive


Re: [Ipsec-tools-devel] racoon+NAT-T and racoon+debug+IPv6 not so happy?



On Sun, Nov 02, 2008 at 01:06:38AM +0100, Frank Kardel wrote:
> Hi,
> 
> when changing key_cmpsaidx_exactly to key_cmpsaidx_withmode in 
> netkey/key.c:key_getsah()
> negotiations work again. This change is inspired by the code found in 
> netipsec/key.c where
> key_getsah().
> 
> Caution: I have not deeply looked into the issue - thus this change may 
> be completely wrong, but it gives
> probably a hint at what's wrong.
> My rules refer to any protocol - so exact comparisons for specific 
> protocols probably don't match
> in the key_cmpsaidx_exactly function.

Yes, the problem is directly linked to the way ports are handled, and
there are some issues with the actual way it's done.

Doing this change is probably not the good solution (you may get some
unwanted SAs, and I should have a look at the code to ensure you won't
also have some situations where you'll miss the right SA), and cleanup
of the whole stuff is in progress...


Yvan.

