[Openswan dev] more info on pfs failure previous message

Michael Richardson mcr at xelerance.com
Fri Mar 10 19:43:30 CET 2006



> If I run tcpdump on the openswan box's own interface, I see some
> packets with {src 500, dst 4500} and others with {src 4500, dst
> 4500}. As far as I can tell, the 500/4500 ones are IKE, and 4500/4500
> are payload (i.e. test pings)

Yes, that's basically correct.
However, it is supposed to send 500/500 and 4500/4500.

Aggressive mode + NAT isn't well tested. That shouldn't matter re: the
pfkey issue, except that perhaps it confuses things.

- -- 
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
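An added example, not part of the original message or of Openswan's code: a small checker that sorts captured UDP datagrams by port pair (against the 500/500 and 4500/4500 expectation stated above) and by payload framing on port 4500, using the RFC 3948 non-ESP marker and NAT-keepalive byte. The function names and the sample datagrams are constructed for illustration.

```python
IKE_PORT, NATT_PORT = 500, 4500
NON_ESP_MARKER = b"\x00" * 4   # RFC 3948: four zero bytes precede IKE on port 4500
KEEPALIVE = b"\xff"            # RFC 3948: one-byte NAT-keepalive payload

def payload_kind(sport, dport, payload):
    """Demultiplex a datagram the way an RFC 3948 receiver would."""
    if NATT_PORT not in (sport, dport):
        return "ike" if (sport, dport) == (IKE_PORT, IKE_PORT) else "other"
    if payload == KEEPALIVE:
        return "nat-keepalive"
    if payload[:4] == NON_ESP_MARKER:
        return "ike"
    # Anything else on 4500 is read as ESP: 4-byte SPI + 4-byte sequence number.
    return "esp" if len(payload) >= 8 else "unknown"

def pairing(sport, dport):
    """Compare the port pair with the expected 500/500 and 4500/4500."""
    if (sport, dport) in ((IKE_PORT, IKE_PORT), (NATT_PORT, NATT_PORT)):
        return "expected"
    if {sport, dport} == {IKE_PORT, NATT_PORT}:
        return "mixed"
    return "unrelated"

def summarize(packets):
    """Count (pairing, kind) combinations over (sport, dport, payload) tuples."""
    counts = {}
    for sport, dport, payload in packets:
        key = (pairing(sport, dport), payload_kind(sport, dport, payload))
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample datagrams (not taken from the capture in the thread).
# IKEv1 header: cookies, next payload, version 1.0, exchange type 4, length 28.
IKE_HDR = (bytes.fromhex("1122334455667788") + bytes(8)
           + bytes([1, 0x10, 4, 0]) + bytes(4) + (28).to_bytes(4, "big"))
ESP = bytes.fromhex("1234567800000001") + bytes(16)
SAMPLE = [
    (500, 500, IKE_HDR),
    (4500, 4500, NON_ESP_MARKER + IKE_HDR),
    (4500, 4500, ESP),
    (4500, 4500, KEEPALIVE),
    (500, 4500, NON_ESP_MARKER + IKE_HDR),   # the mixed pairing
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE).items()):
        print(key, n)
```

An IKE packet that reaches port 4500 without the marker is reported as "esp" here, because the first four bytes of the initiator cookie are read as an SPI.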

