From: VANHULLEBUS Y. <va...@fr...> - 2006-03-22 12:22:25
On Wed, Mar 22, 2006 at 06:17:41AM -0500, T Sureshkumar wrote:
> > Manu and I started to look at that, and we'll probably have to add
> > another CMPSADDR macro for cases where a strict match must be done if
> > "complete NAT-T support", but a wop match will be needed if "partial
> > NAT-T support" (where "partial" just means "no support for multiple
> > peers behind the same IP").
>
> The case which I am talking about is even in a simple peer to peer
> without any NAT. The code is compiled with NAT-T support and I don't
> have any NAT m/c in between. After SAs are established, at one end I
> sent a SIGHUP and expected on the other end to receive an ipsec-sa delete
> message. But I didn't.

The important thing is "compiled with NAT-T support".

> What I say is rather than a macro, we might need to write an inline
> function which does a compare with/wop based also on
> ph1->approval->udp_encap rather than only #ifdef ENABLE_NATT. Is that
> correct?

It could be a part of the solution.

> I am not sure whether NetBSD already has a fix for this.

NetBSD does more things in the kernel about ports, and it probably solves at least some of the problems.

I'll have to make a test configuration between all three implementations to see exactly how they deal with such problems.

Yvan.
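The following is an added illustration of the comparison Sureshkumar proposes in the thread above, written as a small C function that compares peer addresses with or without the UDP port depending on whether UDP encapsulation was negotiated on the phase 1. It is not racoon's code: the names `cmpsaddr_port`, `peer_matches`, `ph1_state` and `addrs_match` are hypothetical stand-ins for `CMPSADDR` and `ph1->approval->udp_encap`, and the addresses and ports in the scenario are constructed.

```c
/* Added example (not racoon's code): compare IKE peer addresses with or
 * without the UDP port, selected by a per-phase-1 udp_encap flag instead of
 * only by a compile-time ENABLE_NATT switch. All names are hypothetical. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Minimal stand-in for the negotiated phase-1 state the thread refers to
 * (ph1->approval->udp_encap in racoon). */
struct ph1_state {
    int udp_encap;   /* non-zero once UDP encapsulation (NAT-T) was negotiated */
};

/* Compare two IPv4 socket addresses. When strict_port is non-zero the UDP
 * port must match as well ("with port"); otherwise only the address family
 * and IP address are compared ("wop"). Returns 0 on match, 1 on mismatch,
 * mirroring the memcmp-style convention of a CMPSADDR-like macro. */
static int cmpsaddr_port(const struct sockaddr_in *a,
                         const struct sockaddr_in *b, int strict_port)
{
    if (a->sin_family != b->sin_family)
        return 1;
    if (a->sin_addr.s_addr != b->sin_addr.s_addr)
        return 1;
    if (strict_port && a->sin_port != b->sin_port)
        return 1;
    return 0;
}

/* Decide whether an incoming ISAKMP message (e.g. an SA delete) comes from a
 * known peer. Ports are only significant when NAT-T encapsulation was
 * actually negotiated on this phase 1, so a peer that is not behind NAT is
 * matched by address alone even in a build compiled with NAT-T support. */
static int peer_matches(const struct ph1_state *ph1,
                        const struct sockaddr_in *known,
                        const struct sockaddr_in *incoming)
{
    return cmpsaddr_port(known, incoming, ph1->udp_encap) == 0;
}

/* Build a constructed IPv4 sockaddr for the scenarios below. */
static struct sockaddr_in mk_addr(const char *ip, unsigned short port)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    inet_pton(AF_INET, ip, &sa.sin_addr);
    return sa;
}

/* Constructed scenario: the recorded peer address versus the source of an
 * incoming delete. Returns 1 if the message would be accepted as coming from
 * the known peer, 0 if it would be dropped. */
int addrs_match(const char *known_ip, unsigned short known_port,
                const char *incoming_ip, unsigned short incoming_port,
                int udp_encap_negotiated)
{
    struct ph1_state ph1 = { udp_encap_negotiated };
    struct sockaddr_in known = mk_addr(known_ip, known_port);          /* constructed */
    struct sockaddr_in incoming = mk_addr(incoming_ip, incoming_port); /* constructed */
    return peer_matches(&ph1, &known, &incoming);
}
```

With `udp_encap` clear, a delete from the same IP but a different UDP port is still accepted (the "wop" behaviour of a build without NAT-T); with `udp_encap` set, the strict port comparison applies so that multiple peers behind one NAT address stay distinguishable. A different IP address never matches in either mode.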