[Openswan dev] Openswan and Racoon interop issue in transport mode
Avesh Agarwal
avagarwa at redhat.com
Wed Nov 17 10:45:14 EST 2010
On 11/17/2010 10:33 AM, Paul Wouters wrote:
> On Mon, 8 Nov 2010, Avesh Agarwal wrote:
>
>> This is related to redhat bz 646718, which is related to interop
>> issue between Openswan and Racoon2 in transport mode. I have prepared
>> a patch (attached) to address this issue. The patch has been tested
>> by redhat QE. The patch specifically checks all received
>> notifications to determine the presence of USE_TRANSPORT_MODE as
>> there may be multiple notifications, and USE_TRANSPORT_MODE may be or
>> may not be the first one. I would appreciate your review/feedback,
>> and can rework the patch accordingly.
>
> Thanks Avesh. I merged it in.
>
> I looked at the IKEv2 RFC, and if we follow it properly, and take into
> account our setting of type= then I guess we should really deny transport
> mode when we receive USE_TRANSPORT_MODE but we have type=tunnel (the
> default). Currently, we seem to always switch to what the initiator wanted.
> Do you see a problem with me changing that?
>
> I will also have to take a closer look at the RFC to see what we should
> do with NAT-T+Transmode mode in IKEv2. I think the best solution there
> might also be to decline USE_TRANSPORT_MODE and remain in tunnel mode.
>
Hello Paul,
Thanks. Yes, that is fine with me. As per RFC 4306:
"If the responder declines the request, the CHILD_SA will be established in
tunnel mode."
My intention was not to decline. But yes, I understand your point, so the
change is fine with me.
Thanks and Regards
Avesh
> Paul
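A responder-side sketch of the two points raised in this thread (scan every received notify payload for USE_TRANSPORT_MODE rather than only the first, and fall back to tunnel mode when the local type= setting is not transport), written here as an added example; it is not Openswan's code, and the payload representation, function names and the policy enum are assumptions. The notify type numbers are the RFC 4306 values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* IKEv2 notify message types (values from RFC 4306, section 3.10.1). */
enum notify_type {
    N_INITIAL_CONTACT    = 16384,
    N_USE_TRANSPORT_MODE = 16391,
};

/* Local "type=" setting of the connection; tunnel is the default. */
enum child_mode { MODE_TUNNEL, MODE_TRANSPORT };

/* Assumed flat representation of the notify payloads received in the
 * exchange that creates the CHILD_SA (the real parser yields a chain). */
struct notify_set {
    const unsigned *types;
    size_t count;
};

/* Scan every notify payload: USE_TRANSPORT_MODE may be preceded by others
 * (e.g. INITIAL_CONTACT), so checking only the first payload misses it. */
bool saw_use_transport_mode(const struct notify_set *n)
{
    for (size_t i = 0; i < n->count; i++)
        if (n->types[i] == N_USE_TRANSPORT_MODE)
            return true;
    return false;
}

/* Responder decision: transport mode only when the initiator asked for it
 * AND local policy permits it; otherwise the request is declined and, per
 * RFC 4306, the CHILD_SA is established in tunnel mode. What to do on a
 * policy mismatch in the other direction is out of scope here. */
enum child_mode choose_child_mode(enum child_mode local_policy,
                                  const struct notify_set *n, bool *declined)
{
    bool requested = saw_use_transport_mode(n);
    *declined = requested && local_policy != MODE_TRANSPORT;
    return (requested && !*declined) ? MODE_TRANSPORT : MODE_TUNNEL;
}

int main(void)
{
    /* Constructed sample: INITIAL_CONTACT arrives before USE_TRANSPORT_MODE. */
    const unsigned recv[] = { N_INITIAL_CONTACT, N_USE_TRANSPORT_MODE };
    struct notify_set n = { recv, 2 };
    bool declined;
    enum child_mode m = choose_child_mode(MODE_TUNNEL, &n, &declined);
    printf("mode=%s declined=%d\n", m == MODE_TRANSPORT ? "transport" : "tunnel", declined);
    return 0;
}
```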