Re: [Openswan Users] Re: KLIPS or NETKEY on 2.6 kernels
paul at xelerance.com
Mon Apr 25 20:07:29 CEST 2005
On Mon, 25 Apr 2005 mcr at xelerance.com wrote:
> Paul> Having done some debugging, it seems that the bug is not in
> Paul> the stack. I have run a successful interop with compression
> Paul> enabled. However, there does seem to be an issue when
> Paul> changing phase1 from compression to no-compression or vice
> Paul> versa, and breaking the phase2. When switching, I had to
> Paul> completely tear down everything and restart both phase 1 and
> Paul> phase 2.
> I don't understand.
> You mean that you:
> a) have ipsec.conf conn "foo" with compress=yes
> b) "ipsec auto --add foo"
> c) "ipsec auto --up foo"
> d) edit ipsec.conf to change compress=no
> e) "ipsec auto --replace foo"
> f) "ipsec auto --up foo"
No, I have:
West: conn "foo" with compression=yes
East: conn "foo" with compression=no
From west do: ipsec auto --up foo
This will bring up a conn with compression
Now on east do: ipsec auto --up foo
This will rekey the conn foo without compression, and packets are lost
Now on east run: ipsec auto --replace foo ; ipsec auto --up foo. Packets flow
now without compression.
> - --
> ] Michael Richardson Xelerance Corporation, Ottawa, ON | firewalls [
> ] mcr @ xelerance.com Now doing IPsec training, see |net architect[
> ] http://www.sandelman.ca/mcr/ www.xelerance.com/training/ |device driver[
> ] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
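An added example, not part of the original post and not Openswan code: a small check that compares the `compress` setting of same-named conns in the two peers' ipsec.conf files, which is the west/east mismatch described in the message above. The sample configs are constructed, the parser handles only `conn` sections and `conn %default`, and treating an unset `compress` as `no` is an assumption.

```python
# Constructed sample configs (not from the post); addresses are documentation ranges.
WEST_CONF = """\
conn %default
    keyingtries=0

conn foo
    left=192.0.2.1
    right=198.51.100.1
    compress=yes
"""

EAST_CONF = """\
conn foo
    left=192.0.2.1
    right=198.51.100.1
    compress=no
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} with conn %default applied to every conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace():  # section headers start in column 0
            kind, name = (line.split(None, 1) + [""])[:2]
            current = sections.setdefault(name, {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip('"')
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in sections.items()}

def compress_mismatches(conf_a, conf_b):
    """List (conn, a_setting, b_setting) for conns on both sides that disagree."""
    a, b = parse_conns(conf_a), parse_conns(conf_b)
    out = []
    for name in sorted(a.keys() & b.keys()):
        # Assumption: an unset compress is treated as "no".
        sa = a[name].get("compress", "no").lower()
        sb = b[name].get("compress", "no").lower()
        if sa != sb:
            out.append((name, sa, sb))
    return out

if __name__ == "__main__":
    for name, west, east in compress_mismatches(WEST_CONF, EAST_CONF):
        print(f"conn {name}: west compress={west}, east compress={east}")
```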