[Openswan Users] initiate on demand different between 2.6.24 and 2.6.25+
Salih Goenuellue
sag at open.ch
Fri Apr 30 05:06:59 EDT 2010
Hi,
> Can you test experimental patch against current git reverting original
> acquire change and reverting my fix tries after that. It seems to make
> netkey work properly here.
>
> Patch is attached at bug #1087.
I tested your patch. I now have the 2.6.25 behavior, which means:
The tunnel gets established:
pluto[19927]: "net-net" #10: STATE_QUICK_I2: sent QI2, IPsec SA
established tunnel mode {ESP=>0x98e84828 <0xded66bc0 xfrm=3
DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
However, ONE (invalid) policy for the flow that initiated the tunnel shows
up. Any other communication will work ok.
For example, if the tunnel is initiated by a ping from 192.168.211.10 to
192.168.215.10, the tunnel will get established but I will not see any
response to the pings; HOWEVER, I could ssh from 192.168.211.10 to
192.168.215.10. If instead I started the tunnel by doing ssh from
192.168.211.10 to 192.168.215.10, it will not work but a ping will work.
From what I have seen, a policy gets inserted for the protocol of the
flow that initiated the tunnel, and when I delete this policy by hand
then everything works.
Regards,
-salih
--
salih goenuellue
security engineer
open systems ag
raeffelstrasse 29
ch-8045 zurich
t +41 44 455 74 00
f +41 44 455 74 01
sag at open.ch
http://www.open.ch