[Openswan Users] vpn connection after internet reconnect
Michael Richardson
mcr at xelerance.com
Sat Nov 25 23:08:22 EST 2006
>>>>> "Paul" == Paul Wouters <paul at xelerance.com> writes:
>> No, just the laptop and no l2tp. It all works until the natbox
>> changes its external IP. Then the "right" host sees the packages
>> coming from a wrong IP and drops them.
Paul> Interesting. Michael, is there any reason to drop these? After
Paul> all, we are just discarding the ESPinUDP header, so why would
Paul> we care if it came from another IP? It's just fancy wrapping
Paul> paper. What we get after decapsulation is an ESP packet with a
Paul> source IP of the original NAT'ed IP address, regardless of what
Paul> the NAT router's IP is.
We shouldn't be dropping it... we should in fact be telling PLUTO
about the new mapping.
It's a hard test case to create, btw.
--
] Bear: "Me, I'm just the shape of a bear." | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [