From: VANHULLEBUS Y. <va...@fr...> - 2006-03-22 10:45:43

On Wed, Mar 22, 2006 at 05:24:20AM -0500, T Sureshkumar wrote:
> hey,

Hi.

> The one issue I come across is when sending SIGHUP, it is not sending
> ipsec-spi delete message to peer, because it is not finding a right ph1
> handle.

Yep.

> Probably CMPSADDR macro is having problem. The compare function
> cmpsaddrstrict or wop is decided statically based on "#define
> ENABLE_NATT". But, the ipsec SA port information is decided based on
> pr->udp_encap (pfkey.c). If not udp encapsulated, the ipsec SA port is
> set to 0. Whereas, cmpsaddrstrict compares this SA port with ph1tree's
> port info, which is 500. This causes problems at a few other places too.
>
> Anyone facing the same problem? Or am I missing something? If so, I
> will work on a patch.

There is a synchronization problem between NetBSD's NAT-T support (the
most up to date) and Linux/FreeBSD NAT-T support (which don't include
the latest modifs for multiple hosts behind the same address support).

Manu and I started to look at that, and we'll probably have to add
another CMPSADDR macro for cases where a strict match must be done if
"complete NAT-T support", but a wop match will be needed if "partial
NAT-T support" (where "partial" just means "no support for multiple
peers behind the same IP").

Yvan.
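The mismatch described in this thread, reproduced as an added example that is not racoon's code: a "strict" compare (address and port) and a "wop" compare (address only) in the style of cmpsaddrstrict/cmpsaddrwop, a constructed IPsec SA whose peer port pfkey left at 0 because it is not UDP-encapsulated, and a phase 1 handle on UDP/500. The selector by NAT-T level sketches the idea from Yvan's reply (strict only when full NAT-T support needs the port to tell peers behind one NAT apart); the enum, function names and the 192.0.2.x addresses are assumptions of this example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Level of NAT-T support a build offers; names are illustrative, not
 * racoon's own. "Partial" is the thread's term for builds without
 * support for several peers behind one NAT address. */
enum natt_level { NATT_NONE, NATT_PARTIAL, NATT_FULL };

/* Build an IPv4 sockaddr_in from a dotted-quad string and a host-order
 * port. Returns 0 on success, -1 on a malformed address. */
static int make_sin(const char *ip, uint16_t port, struct sockaddr_in *out)
{
    memset(out, 0, sizeof(*out));
    out->sin_family = AF_INET;
    out->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &out->sin_addr) == 1 ? 0 : -1;
}

/* "strict" comparison: family, address and port must all match.
 * Same intent as racoon's cmpsaddrstrict(); 0 means equal. */
static int cmpsaddr_strict(const struct sockaddr_in *a, const struct sockaddr_in *b)
{
    if (a->sin_family != b->sin_family)
        return 1;
    if (a->sin_addr.s_addr != b->sin_addr.s_addr)
        return 1;
    return a->sin_port != b->sin_port;
}

/* "wop" (without port) comparison: family and address only; 0 means equal. */
static int cmpsaddr_wop(const struct sockaddr_in *a, const struct sockaddr_in *b)
{
    if (a->sin_family != b->sin_family)
        return 1;
    return a->sin_addr.s_addr != b->sin_addr.s_addr;
}

/* Choose the comparison by NAT-T level rather than by a compile-time
 * ENABLE_NATT switch alone: a full build needs the port to distinguish
 * peers behind one NAT; a partial build must ignore it, because a
 * non-encapsulated IPsec SA carries port 0 while the phase 1 handle
 * carries the IKE port (500). */
static int cmpsaddr_for_ph1_lookup(enum natt_level level,
                                   const struct sockaddr_in *sa_addr,
                                   const struct sockaddr_in *ph1_addr)
{
    if (level == NATT_FULL)
        return cmpsaddr_strict(sa_addr, ph1_addr);
    return cmpsaddr_wop(sa_addr, ph1_addr);
}

/* Simulate the phase 1 lookup done on SIGHUP: returns 1 if the phase 1
 * handle at ph1_ip:ph1_port would be found for an IPsec SA whose peer
 * address is sa_ip:sa_port, 0 otherwise (also 0 on a bad address). */
int ph1_found(enum natt_level level, const char *sa_ip, uint16_t sa_port,
              const char *ph1_ip, uint16_t ph1_port)
{
    struct sockaddr_in sa_addr, ph1_addr;
    if (make_sin(sa_ip, sa_port, &sa_addr) != 0 ||
        make_sin(ph1_ip, ph1_port, &ph1_addr) != 0)
        return 0;
    return cmpsaddr_for_ph1_lookup(level, &sa_addr, &ph1_addr) == 0;
}

/* Constructed sample: peer 192.0.2.1 (documentation range), phase 1 on
 * UDP/500, IPsec SA not UDP-encapsulated, so pfkey recorded port 0. */
int main(void)
{
    printf("full NAT-T, SA port 0 vs ph1 port 500: found=%d (the reported miss)\n",
           ph1_found(NATT_FULL, "192.0.2.1", 0, "192.0.2.1", 500));
    printf("partial NAT-T, same addresses:         found=%d\n",
           ph1_found(NATT_PARTIAL, "192.0.2.1", 0, "192.0.2.1", 500));
    printf("full NAT-T, encapsulated SA on 4500:   found=%d\n",
           ph1_found(NATT_FULL, "192.0.2.1", 4500, "192.0.2.1", 4500));
    printf("partial NAT-T, different peer:         found=%d\n",
           ph1_found(NATT_PARTIAL, "192.0.2.2", 0, "192.0.2.1", 500));
    return 0;
}
```

The first call is the case from the report: with the strict compare forced by ENABLE_NATT, port 0 never equals port 500, so no phase 1 handle is found and the SPI delete is never sent to the peer. Selecting the wop compare for partial NAT-T builds restores the match, while full NAT-T builds keep the port check they need.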