[Openswan Users] vpn connection after internet reconnect
Paul Wouters
paul at xelerance.com
Sun Nov 26 13:38:56 EST 2006
On Sat, 25 Nov 2006, Michael Richardson wrote:
> >>>>> "Paul" == Paul Wouters <paul at xelerance.com> writes:
> >> No, just the laptop and no l2tp. It all works until the natbox
> >> changes its external IP. Then the "right" host sees the packages
> >> coming from a wrong IP and drops them.
>
> Paul> Interesting. Michael, is there any reason to drop these? After
> Paul> all, we are just discarding the ESPinUDP header, so why would
> Paul> we care if it came from another IP? It's just fancy wrapping
> Paul> paper. What we get after decapsulation is an ESP packet with a
> Paul> source IP of the original NAT'ed IP address, regardless what
> Paul> the NAT router's IP is.
>
> We shouldn't be dropping it... we should in fact be telling PLUTO
> about the new mapping.
>
> It's a hard test case to create, btw.
Is it? Can't "nic" just run NAT over the udp 4500 packets?
In any case, I'll file a bug report so we don't forget about this case.
Paul
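
Added example, not part of the original thread and not Openswan code: a simplified Python model of the receive path discussed above, where a UDP/4500 datagram is classified per RFC 3948, matched to an SA by SPI, and the stored peer mapping is moved only after the ICV verifies, so an unauthenticated packet from a new address cannot redirect the tunnel. Assumptions: the names `SA`, `classify`, `make_esp` and `receive` are hypothetical, the ICV is HMAC-SHA-256-128 over an unencrypted body, replay checking is omitted, and all keys and addresses are constructed.

```python
import hashlib, hmac, struct

ICV_LEN = 16  # HMAC-SHA-256-128 truncation (RFC 4868)

class SA:
    """Inbound SA: integrity key plus the peer's last-seen (ip, port) mapping."""
    def __init__(self, key, peer):
        self.key, self.peer = key, peer

def classify(payload):
    """Classify a UDP/4500 payload as RFC 3948 describes it."""
    if payload == b"\xff":
        return "keepalive"          # one-byte NAT-keepalive
    if payload[:4] == b"\x00" * 4:
        return "ike"                # non-ESP marker precedes IKE messages
    return "esp"                    # otherwise the first 4 bytes are a nonzero SPI

def make_esp(key, spi, seq, data):
    """Build a constructed packet: SPI, sequence number, data, truncated HMAC."""
    body = struct.pack("!II", spi, seq) + data
    return body + hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]

def receive(sad, src, payload):
    """Return (verdict, mapping_changed) for one datagram from src=(ip, port)."""
    if classify(payload) != "esp" or len(payload) < 8 + ICV_LEN:
        return "not-esp", False
    spi, _seq = struct.unpack("!II", payload[:8])
    sa = sad.get(spi)
    if sa is None:
        return "drop-unknown-spi", False
    body, icv = payload[:-ICV_LEN], payload[-ICV_LEN:]
    expect = hmac.new(sa.key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expect):
        return "drop-bad-icv", False    # the outer source address is never trusted
    changed = src != sa.peer
    if changed:
        sa.peer = src   # a real stack would report the new mapping to the IKE daemon
    return "accept", changed

if __name__ == "__main__":
    key = b"k" * 32                                  # constructed key
    sad = {0x1001: SA(key, ("192.0.2.10", 4500))}    # constructed SA table
    moved = ("198.51.100.7", 61000)                  # NAT box got a new external IP
    good = make_esp(key, 0x1001, 2, b"data")
    forged = good[:-1] + bytes([good[-1] ^ 1])       # same SPI, broken ICV
    print(receive(sad, moved, forged), sad[0x1001].peer)
    print(receive(sad, moved, good), sad[0x1001].peer)
```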