[Openswan dev] Re: [Openswan Users] Re: KLIPS or NETKEY on 2.6 kernels

Paul Wouters paul at xelerance.com
Mon Apr 25 20:07:29 CEST 2005

On Mon, 25 Apr 2005 mcr at xelerance.com wrote:

>    Paul> Having done some debugging, it seems that the bug is not in
>    Paul> the stack. I have run a successfull interop with compression
>    Paul> enabled.  However, there does seems to be an issue when
>    Paul> changing phase1 from compression to no-compression or visa
>    Paul> versa, and breaking the phase2. When switching, I had to
>    Paul> completely tear down everything and restart both phase 1 and
>    Paul> phase 2.
>  I don't understand.
>  You mean that you:
>      a) have ipsec.conf conn "foo" with compress=yes
>      b) "ipsec auto --add foo"
>      c) "ipsec auto --up foo"
>      d) edit ipsec.conf to change compress=no
>      e) "ipsec auto --replace foo"
>      f) "ipsce auto --up foo"

No, I have:

West: conn "foo" with compression=yes
East: conn "foo" with compression=no

>From west do: ipsec auto --up foo
This will bring up a conn with compression
Now on east do: ipsec auto --up foo
This will rekey the conn foo without compression, and packets are lost
Now on east run: ipsec auto --replace foo ; ipsec auto --up foo. Packets flow
  now without compression.


> - --
> ] Michael Richardson          Xelerance Corporation, Ottawa, ON |  firewalls  [
> ] mcr @ xelerance.com           Now doing IPsec training, see   |net architect[
> ] http://www.sandelman.ca/mcr/    www.xelerance.com/training/   |device driver[
> ] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
> Version: GnuPG v1.2.2 (GNU/Linux)
> Comment: Finger me for keys
> iQCVAwUBQm0foYqHRg3pndX9AQEoyQQA7Q5IH15DgVRfyjhGO6wKsXzj004OHfOl
> 3aT3BwBm3JZTvvcavZJc5o68H1GKnN5Q2GNxIQDAlgoUrKfECz4CgeAWkRZwN8gS
> /E2oBlD2kM0jSNFtFURQULEMuNPeM5YuLlX/cTjK7HZeqH/RYof9Q0r8eCNmt5Is
> MsgtK/z5U88=
> =DKzz

More information about the Dev mailing list