[Openswan Users] vpn connection after internet reconnect
mcr at sandelman.ottawa.on.ca
Sun Nov 26 13:43:15 EST 2006
>>>>> "Paul" == Paul Wouters <paul at xelerance.com> writes:
Paul> all, we are just discarding the ESPinUDP header, so why would
Paul> we care if it came from another IP? It's just fancy wrapping
Paul> paper. What we get after decapsulation is an ESP packet with a
Paul> source IP of the original NAT'ed IP address, regardless what
Paul> the NAT router's IP is.
>> We shouldn't be dropping it... we should in fact be telling PLUTO
>> about the new mapping.
>> It's a hard test case to create, btw.
Paul> Is it? Can't "nic" just run NAT over the udp 4500 packets?
Yes, there are multiple tests that do that right now.
But it then has to change IP address, in a coordinated way with the
rest of the testing system. Specifically, it has to do so in a number
of different lock-steps with the existing NAT-T keepalives, such that
the IKE-level keepalive goes through on the old IP, while the first
ESP/UDP packet goes through on the new IP address.
It's not impossible, but it is also not trivial.
] Bear: "Me, I'm just the shape of a bear." | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
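An added example, not Openswan, KLIPS or Pluto code, modelling the UDP/4500 input path the thread is about: payloads are classified per RFC 3948 (keepalive, IKE behind the non-ESP marker, or ESP), the ESP packet is keyed by its SPI rather than by the outer source address, and a changed outer address is reported as a new mapping instead of being dropped. The class name, the SPI, the addresses and the ESP bodies are constructed, and it is assumed the ESP integrity check has already passed before the mapping is updated.

```python
import struct

# RFC 3948 framing on UDP/4500. Hypothetical model, not KLIPS or Pluto code.
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # s.2.2: IKE message carried in UDP/4500
NAT_KEEPALIVE = b"\xff"                # s.2.3: one-byte NAT-T keepalive
ESP_MIN_LEN = 8                        # SPI (4 bytes) + sequence number (4 bytes)

class NatTReceiver:
    """Classifies UDP/4500 payloads and tracks the outer address per inbound SPI."""
    def __init__(self):
        self.mapping = {}        # inbound SPI -> (outer_ip, outer_port) last seen
        self.notifications = []  # what a real stack would hand to the IKE daemon

    def receive(self, outer_src, payload):
        # 1. Keepalive: refreshes the NAT binding, carries no SA state.
        if payload == NAT_KEEPALIVE:
            return ("keepalive", outer_src)
        # 2. Non-ESP marker: an IKE message, passed through untouched.
        if payload.startswith(NON_ESP_MARKER):
            return ("ike", payload[4:])
        # 3. Otherwise ESP; SPI 0 is reserved, so it cannot collide with the marker.
        if len(payload) < ESP_MIN_LEN:
            return ("drop", "short")
        spi = struct.unpack("!I", payload[:4])[0]
        if spi not in self.mapping:
            return ("drop", "unknown-spi")
        # Assumed: the ESP ICV has already been verified. Only an authenticated
        # packet may move the mapping, or a spoofed wrapper could redirect traffic.
        old = self.mapping[spi]
        if old != outer_src:
            self.mapping[spi] = outer_src
            self.notifications.append(("mapping-changed", spi, old, outer_src))
            return ("esp", spi, "moved")
        return ("esp", spi, "same")

def simulate_reconnect():
    """Thread's lock-step case: keepalive and IKE still on the old address, first ESP on the new."""
    rx = NatTReceiver()
    spi = 0x12345678                                            # constructed SPI
    old, new = ("203.0.113.5", 4500), ("198.51.100.7", 40500)   # constructed addresses
    rx.mapping[spi] = old      # SA was negotiated while the peer sat behind the old NAT
    esp = lambda seq: struct.pack("!II", spi, seq) + b"\x00" * 16   # constructed ESP body
    results = [
        rx.receive(old, NAT_KEEPALIVE),
        rx.receive(old, NON_ESP_MARKER + b"\x00" * 28),
        rx.receive(new, esp(1)),
        rx.receive(new, esp(2)),
    ]
    return results, rx.notifications
```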