From: VANHULLEBUS Y. <va...@fr...> - 2005-08-11 07:26:15
On Wed, Aug 10, 2005 at 02:21:09PM -0400, uri...@op... wrote:
>
> > Do you really have SAs with different local IP, same remote IP, and
> > related to different peers ???????
>
> Of course!! Different SA's to provide different cryptographic
> parameters for different applications on the same hosts. I'm doing
> this all the time (e.g. running a timing test for one UDP
> application with very specific IPsec parameters, and "normal" stuff
> for everything else).

Well, in fact, the answer is just "Transport mode"....

I have the same kind of configurations as you describe, but in tunnel
mode, so, when you look at the SAs, you always see the same tunnel
endpoints...

> > Can you give us more information about your configuration ???
>
> Try this: two applications each requiring certain config of auth,
> encr algorithms, plus the rest of the traffic that requires a
> "standard" config (that differs from the two above). It would
> translate into 3 SA's in each direction, and port-based traffic
> selection.

This configuration will generate SAs with the same Tunnel endpoints,
in Tunnel or in Transport mode....

But it looks like there *are* some configurations where the problem
occurs (see Patric's latest mail), so the question is now: "will the
patch and the new test generate other problems in other situations" ?

Yvan.