[Openswan dev] traffic leak on openswan with Win7/Vista L2TP (fwd)
Paul Wouters
paul at xelerance.com
Tue Nov 23 21:08:16 EST 2010
On Tue, 23 Nov 2010, Michael Richardson wrote:
> Installing the inbound SA after the outbound SA is wrong, I think.
> Ask DHR. It's against the IKE state machine, I think.
Is it valid from an IKE/IPsec protocol point of view?
> I think that OpenL2TP should not use connect, or when there is a policy
> change, the kernel needs to go through and invalidate any cached routes
> associated with a socket.
>
> It seems like the SA should have been routed first (which would
> establish the policy beforehand), and the SA setup after.
Okay. So why wouldn't pluto be doing this? Perhaps there is a reason? Dhr?
>> Should we drop all the traffic on an incoming SA until the outbound SA
>> is fully established?
>
> I think that this is also wrong, particularly in the rekey states.
Ah yes!
> Is this for NETKEY only, or KLIPS or both?
We don't know (yet). I guess we need two test cases :)
I'll add more info once we have it at the bug report on:
https://bugs.openswan.org/issues/1173#change-2434
Paul
More information about the Dev
mailing list