[Openswan Users] vpn connection after internet reconnect
Michael Richardson
mcr at sandelman.ottawa.on.ca
Sun Nov 26 13:43:15 EST 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
>>>>> "Paul" == Paul Wouters <paul at xelerance.com> writes:
Paul> all, we are just discarding the ESPinUDP header, so why would
Paul> we care if it came from another IP? It's just fancy wrapping
Paul> paper. What we get after decapsulation is an ESP packet with a
Paul> source IP of the original NAT'ed IP address, regardless what
Paul> the NAT router's IP is.
>> We shouldn't be dropping it... we should in fact be telling PLUTO
>> about the new mapping.
>>
>> It's a hard test case to create, btw.
Paul> Is it? Can't "nic" just run NAT over the udp 4500 packets?
Yes, there are multiple tests that do that right now.
But, it has to then change IP address.
In a coordinated way with the rest of the testing
system. Specifically, it has to do so in a number of different
lock-steps with the existing NAT-T keepalives, such that the IKE-level
keepalive goes through on the old IP, while the first ESP/UDP packet
goes through on the new IP address.
It's not impossible, but it is also not trivial.
- --
] Bear: "Me, I'm just the shape of a bear." | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Finger me for keys
iQEVAwUBRWngQICLcPvd0N1lAQLCTAf/TCAvmOOcxP6FbwWAMWWYusR3ZUfmf9Eg
7vB+HQsxofN2dl1JX/HFh9X+qu12tcHTp9WmpoKyv1QgQMOF2OyXmwNMA5eoSx18
R/gaRBr3Sgn+eLTgGuPw7klpTp78ipbfpLyim4ueroUwE2c1v0X0WZugYR+bXk8+
ayskY5yMDABKwR8g1VfqOdqv2pqtf9VNfc+7KBiraBbrSg9WTQXkPXIYWQBsS0Za
0isRFXWhvnDx5uxL58nKqa4TkmvNLkKxsxSa7uz9PlcBB9hBbMlHHPe9DQEF5O8z
+IEK5xQq4WG/fu4SpnmRtIpLa1zXHnmgTFJnx8jJiZL7mV5exnZgDQ==
=2GQY
-----END PGP SIGNATURE-----
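The receive-side behaviour argued for above (treat the UDP header as wrapping paper, accept ESP from a changed NAT address, and tell Pluto about the new mapping instead of dropping) and the test ordering Michael describes (IKE keepalive still arriving from the old address, first ESP/UDP packet arriving from the new one) are modelled below in a small Python simulation. This is an added example, not Openswan or KLIPS code; the SA table, the `notify` list standing in for the kernel-to-Pluto notification, the packet sizes and all addresses are constructed assumptions. Only the UDP/4500 framing (the 4-byte zero non-ESP marker for IKE and the one-byte 0xFF keepalive) follows RFC 3948.

```python
"""Toy model of NAT-T (RFC 3948) receive handling on UDP port 4500.

Added illustration for the thread, not Openswan/KLIPS code. The SA table,
the notification list and the addresses below are constructed assumptions.
"""
import struct
from dataclasses import dataclass, field

# RFC 3948 s2.2: IKE carried on port 4500 starts with a 4-byte zero "non-ESP marker".
# A real ESP packet can never start this way because SPI 0 is reserved.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
# RFC 3948 s2.3: a NAT keepalive is a single 0xFF byte.
NAT_KEEPALIVE = b"\xff"


@dataclass
class InboundSA:
    spi: int
    peer_addr: tuple   # (outer source IP, outer source port) last seen for this SA
    inner_src: str     # the peer's own (pre-NAT) address the SA was negotiated for


@dataclass
class Kernel:
    sas: dict = field(default_factory=dict)           # spi -> InboundSA
    notify: list = field(default_factory=list)        # what would be sent to Pluto

    def receive_udp4500(self, outer_src, payload):
        """Classify one UDP/4500 datagram from outer_src and return what was done."""
        if payload == NAT_KEEPALIVE:
            return "keepalive"                        # nothing to decapsulate
        if payload.startswith(NON_ESP_MARKER):
            return "ike"                              # hand to the IKE daemon untouched
        # Anything else: strip the UDP "wrapping paper"; what is left is ESP.
        if len(payload) < 8:
            return "drop:short"                       # not even an SPI + sequence number
        spi, _seq = struct.unpack("!II", payload[:8])
        sa = self.sas.get(spi)
        if sa is None:
            return "drop:unknown-spi"
        if outer_src != sa.peer_addr:
            # The NAT in front of the peer changed its public mapping. Do not drop:
            # record the new outer address and tell Pluto so its IKE traffic follows.
            old = sa.peer_addr
            sa.peer_addr = outer_src
            self.notify.append(("NAT_MAPPING_CHANGED", spi, old, outer_src))
            return "esp:remapped"
        return "esp"


def esp_in_udp(spi, seq, body=b"payload"):
    """Build a minimal UDP-encapsulated ESP payload: SPI, sequence number, body."""
    return struct.pack("!II", spi, seq) + body


def run_scenario():
    """Replay the lock-step the thread describes: keepalive and IKE from the old
    NAT address, then the first ESP packet from the new one."""
    k = Kernel()
    old = ("198.51.100.1", 4500)     # constructed: NAT's public address before the change
    new = ("203.0.113.7", 40321)     # constructed: NAT's public address after the change
    k.sas[0x1001] = InboundSA(spi=0x1001, peer_addr=old, inner_src="10.0.0.5")
    trace = [
        k.receive_udp4500(old, NAT_KEEPALIVE),
        k.receive_udp4500(old, NON_ESP_MARKER + b"IKE keepalive"),  # still via old IP
        k.receive_udp4500(new, esp_in_udp(0x1001, 1)),               # first ESP via new IP
        k.receive_udp4500(new, esp_in_udp(0x1001, 2)),               # mapping now current
        k.receive_udp4500(new, esp_in_udp(0x9999, 1)),               # no such SA
    ]
    return trace, k.notify, k.sas[0x1001].peer_addr


if __name__ == "__main__":
    for item in run_scenario():
        print(item)
```

The point the simulation makes is the one in the thread: the decision to accept the ESP packet is keyed on the SPI found after decapsulation, not on the outer source, so a changed NAT address costs a mapping update and a notification rather than a dropped packet, and the unknown-SPI case is still rejected.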