Re: [Ipsec-tools-devel] Re: windows xp & road warrior, problemsafter win restart

[Juraj B. <jo...@gm...>]

Hello,

> Yes, please, I want to see your script and how it is hooked with racoon.
>=20
> Thanks in advance

it's hooked up byt=20

script "/path/to/script" phase1_up;

in the remote section.

The script does only

"ip route flush table cache"

nothing else.

However, yesterday I found out, that there's a situation with Windows
(it's a fairly complex
setup, since all packets travel to local network in IPSec tunnel mode
of Checkpoint and
inside of that is another transport mode with Windows native IPSec and
Racoon). If I restart
the connection and it gets the same address, the problem occurs again
(this time because
the windows client does not initiate new negotiation, just a new SA).=20

Here's patch to racoon, which is really a bastard one, but helps also
in this case. I had no
time to do this intelligently, but had to support the client, they
needed a working solution, so no place for philosophy.

Here's the patch (applies to src/racoon/pfkey.c):

--- pfkey.c.orig        2005-08-17 22:05:34.483973688 +0200
+++ pfkey.c     2005-08-17 21:14:34.753123480 +0200
@@ -1374,6 +1374,11 @@
                                ipsec_strerror());
                        return -1;
                }
+               /* JURAJ: HERE */
+               plog(LLV_DEBUG, LOCATION, NULL,
+                               "Flushing kernel's routing cache");
+               system("/sbin/ip route flush table cache");
+
 #else
                plog(LLV_DEBUG, LOCATION, NULL, "call
pfkey_send_add\n");

@@ -1397,6 +1402,11 @@
                }


+               /* JURAJ: HERE */
+               plog(LLV_DEBUG, LOCATION, NULL,
+                               "Flushing kernel's routing cache");
+               system("/sbin/ip route flush table cache");
+
 #endif /* ENABLE_NATT */

                if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA])



   Juraj.