[Openswan Users] vpn connection after internet reconnect

Michael Richardson mcr at sandelman.ottawa.on.ca
Sun Nov 26 13:43:15 EST 2006


>>>>> "Paul" == Paul Wouters <paul at xelerance.com> writes:
    Paul> all, we are just discarding the ESPinUDP header, so why would
    Paul> we care if it came from another IP? It's just fancy wrapping
    Paul> paper. What we get after decapsulation is an ESP packet with a
    Paul> source IP of the original NAT'ed IP address, regardless what
    Paul> the NAT router's IP is.

    >> We shouldn't be dropping it... we should in fact be telling PLUTO
    >> about the new mapping.
    >> It's a hard test case to create, btw.

    Paul> Is it? Can't "nic" just run NAT over the udp 4500 packets?

  Yes, there are multiple tests that do that right now.
  But, it has to then change IP address.

  In a coordinated way with the rest of the testing
system. Specifically, it has to do so in a number of different
lock-steps with the existing NAT-T keepalives, such that the IKE-level
keepalive goes through on the old IP, while the first ESP/UDP packet
goes through on the new IP address.

  It's not impossible, but it is also not trivial.

-- 
]            Bear: "Me, I'm just the shape of a bear."          |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [


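The decapsulation step the thread is discussing, as an added example (not Openswan or KLIPS code): a minimal parser for the RFC 3948 UDP-encapsulated ESP format on port 4500 that records the outer (NAT) address each inbound SPI was last seen from and flags when a known SPI arrives from a different one, which is the "new mapping" Michael says the kernel should report to Pluto rather than dropping the packet. The NatTracker class and the packets in the test are constructed for this example; it assumes the UDP payload and outer source address have already been extracted from the datagram.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional, Tuple

# RFC 3948 section 2.2: IKE carried on port 4500 starts with a 4-octet zero marker,
# so that it can be told apart from ESP, whose first 4 octets are a non-zero SPI.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
# RFC 3948 section 2.3: a NAT-keepalive is a single 0xFF octet.
NAT_KEEPALIVE = b"\xff"

Addr = Tuple[str, int]  # (outer source IP, outer source UDP port)


@dataclass
class Decap:
    kind: str                  # "esp", "ike" or "keepalive"
    spi: Optional[int]
    seq: Optional[int]
    mapping_changed: bool      # outer address differs from the one last seen for this SPI


@dataclass
class NatTracker:
    """Tracks the outer NAT address per inbound SPI and records mapping changes."""
    mappings: dict = field(default_factory=dict)   # spi -> last outer Addr
    events: list = field(default_factory=list)     # (spi, old Addr, new Addr)

    def decapsulate(self, outer_src: Addr, udp_payload: bytes) -> Decap:
        if udp_payload == NAT_KEEPALIVE:
            return Decap("keepalive", None, None, False)
        if udp_payload.startswith(NON_ESP_MARKER):
            # IKE message: the rest of the payload is the IKE header, not ESP.
            return Decap("ike", None, None, False)
        if len(udp_payload) < 8:
            raise ValueError("UDP payload too short to hold an ESP SPI and sequence number")
        spi, seq = struct.unpack("!II", udp_payload[:8])
        previous = self.mappings.get(spi)
        changed = previous is not None and previous != outer_src
        if changed:
            # This is the event a NAT-T implementation would hand up to the IKE
            # daemon so it can move the SA to the new outer address.
            self.events.append((spi, previous, outer_src))
        self.mappings[spi] = outer_src
        return Decap("esp", spi, seq, changed)
```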