Re: [Ipsec-tools-devel] Handling of initial contact broken for non-NAT-T case

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On Tue, Aug 02, 2005 at 03:44:00PM +0200, VANHULLEBUS Yvan wrote:
> > 1.) Our client sends the INITIAL_CONTACT after finishing phase 1 of course.
> 
> Ok, but you said that "This happens in phase 1 when we don't know yet
> whether the peer wants to use NAT-T or not".

Yes, my fault. I should have written "at the beginning of phase 2".

> - Some (lots of ?) system administrators use the same identifier for
>   more than one remote peers....

Yes, indeed. The VPN setup of my previous employer used a well known
identified and pre-shared key for all VPN clients and completely relied
on XAuth for authentification.

> - Actually, IPSec SAs don't have any information about the IsakmpID
>   used to negociate them, and we just can't be sure that we still have
>   the ph1handle (or a more recent one) for the peer !

Yes, because the phase 1 assosiation's life time might be smaller than the
one of the SAs.

> Btw, I just commited a "first fix" on HEAD branck, which will only do
> a CMPSADDR if NAT-T support enabled AND if NAT have been detected, and
> which does a cmpsaddrwop() in other cases.

That fix works for me.

	Thanks a lot

-- 
Matthias Scheler				Phone:	+44 1223 200 648
Senior Software Developer			Fax:	+44 1223 200 641
Tadpole Computer Ltd.