[Openswan dev] traffic leak on openswan with Win7/Vista L2TP (fwd)

Paul Wouters paul at xelerance.com
Tue Nov 23 21:08:16 EST 2010

On Tue, 23 Nov 2010, Michael Richardson wrote:

> Installing the inbound SA after the outbound SA is wrong, I think.
> Ask DHR. It's against the IKE state machine, I think.

Is it valid from an IKE/IPsec protocol point of view?

> I think that OpenL2TP should not use connect, or when there is a policy
> change, the kernel needs to go through and invalidate any cached routes
> associated with a socket.
> It seems like the SA should have been routed first (which would
> establish the policy beforehand), and the SA setup after.

Okay. So why wouldn't pluto be doing this? Perhaps there is a reason? Dhr?

>> Should we drop all the traffic on an incoming SA until the outbound SA
>> is fully established?
> I think that this is also wrong, particularly in the rekey states.

Ah yes!

> Is this for NETKEY only, or KLIPS or both?

We don't know (yet). I guess we need two test cases :)

I'll add more info once we have it at the bug report on:



