From: Matthias S. <mat...@ta...> - 2005-08-02 15:26:57

On Tue, Aug 02, 2005 at 03:44:00PM +0200, VANHULLEBUS Yvan wrote:
> > 1.) Our client sends the INITIAL_CONTACT after finishing phase 1 of course.
>
> Ok, but you said that "This happens in phase 1 when we don't know yet
> whether the peer wants to use NAT-T or not".

Yes, my fault. I should have written "at the beginning of phase 2".

> - Some (lots of ?) system administrators use the same identifier for
> more than one remote peer....

Yes, indeed. The VPN setup of my previous employer used a well known identifier and pre-shared key for all VPN clients and completely relied on XAuth for authentication.

> - Actually, IPSec SAs don't have any information about the IsakmpID
> used to negotiate them, and we just can't be sure that we still have
> the ph1handle (or a more recent one) for the peer !

Yes, because the phase 1 association's lifetime might be smaller than the one of the SAs.

> Btw, I just committed a "first fix" on HEAD branch, which will only do
> a CMPSADDR if NAT-T support is enabled AND if NAT has been detected, and
> which does a cmpsaddrwop() in other cases.

That fix works for me. Thanks a lot.

-- 
Matthias Scheler                  Phone: +44 1223 200 648
Senior Software Developer         Fax:   +44 1223 200 641
Tadpole Computer Ltd.
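The address-matching rule of the fix discussed above (full address-plus-port comparison only when NAT-T support is enabled and NAT was detected, port-less comparison otherwise), as an added C illustration that is not ipsec-tools/racoon code; the function names, the IPv4-only scope and the sample addresses are assumptions made here.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical names, IPv4 only: compare two addresses including the UDP port. */
static bool sa_equal_with_port(const struct sockaddr_in *a, const struct sockaddr_in *b)
{
    return a->sin_family == b->sin_family &&
           a->sin_addr.s_addr == b->sin_addr.s_addr &&
           a->sin_port == b->sin_port;
}
/* Same comparison but ignoring the port (the cmpsaddrwop() case in the mail). */
static bool sa_equal_without_port(const struct sockaddr_in *a, const struct sockaddr_in *b)
{
    return a->sin_family == b->sin_family &&
           a->sin_addr.s_addr == b->sin_addr.s_addr;
}
/* The rule from the fix: full comparison only when NAT-T support is enabled
 * AND NAT was detected; port-less comparison in every other case. */
bool peer_addr_matches(bool natt_enabled, bool nat_detected,
                       const struct sockaddr_in *a, const struct sockaddr_in *b)
{
    if (natt_enabled && nat_detected)
        return sa_equal_with_port(a, b);
    return sa_equal_without_port(a, b);
}

/* Build a constructed sample address (not from any real setup). */
struct sockaddr_in mk_addr(const char *ip, unsigned short port)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    inet_pton(AF_INET, ip, &sa.sin_addr);
    return sa;
}

/* Constructed sample: one peer seen on UDP 500 and UDP 4500. Counts how many
 * of the four checks behave as the fix describes (expected: 4). */
int run_demo(void)
{
    struct sockaddr_in p500 = mk_addr("192.0.2.1", 500), p4500 = mk_addr("192.0.2.1", 4500);
    int ok = peer_addr_matches(false, false, &p500, &p4500); /* no NAT-T: port ignored */
    ok += peer_addr_matches(true, false, &p500, &p4500);     /* NAT-T, no NAT: ignored */
    ok += !peer_addr_matches(true, true, &p500, &p4500);     /* NAT detected: differs */
    ok += peer_addr_matches(true, true, &p500, &p500);       /* NAT detected, same */
    return ok;
}
```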