From: Matthew G. <mg...@sh...> - 2007-02-21 21:50:10
VANHULLEBUS Yvan wrote:
> Hi all.
>
> Looks like getsainfo() is broken (again, I already worked on such a
> problem when migrating to.... 0.6 or something like that) when having
> host endpoints.
>
> If my sainfo specification looks like:
> sainfo address 192.168.1.1 any address 192.168.2.0/24 any
>
> it won't be found when trying to establish the tunnel (as initiator).
>
> I also tried with 192.168.1.1/32 with the same result.

But it matches fine if you use a subnet instead of an address specifier in the sainfo section, right?

> Racoon debug says:
> getsainfo params: loc='192.168.1.1/32', rmt='192.168.2.0/24',
> peer='NULL', id=1
> [checking other sainfos]
> evaluating sainfo: loc='192.168.1.1', rmt='192.168.2.0/24', peer='ANY',
> id=1
> check and compare ids : id type mismatch IPv4_address != IPv4_subnet
>
>
> My SPD entry does NOT have the /32 mask:
> 192.168.1.1[any] 192.168.2.0/24[any] any

If I add the following
...
spdadd 10.100.1.0/24 10.100.2.0/32 any -P out ipsec esp/tunnel/1.1.1.1-2.2.2.2/unique;
spdadd 10.100.2.0 10.100.1.0/24 any -P in ipsec esp/tunnel/2.2.2.2-1.1.1.1/unique;
...
it always looks like an address
...
10.100.2.0[any] 10.100.1.0/24[any] any
        in ipsec
        esp/tunnel/2.2.2.2-1.1.1.1/unique#16394
        spid=10 seq=2 pid=1006 refcnt=1
10.100.1.0/24[any] 10.100.2.0[any] any
        out ipsec
        esp/tunnel/1.1.1.1-2.2.2.2/unique#16393
        spid=9 seq=0 pid=1006 refcnt=1
...
regardless of the /32 being specified. If you do a setkey -DPv you will see there is always a prefixlen=32. Setkey just drops the prefix on output when it's the address length. This is one of many things I don't care for in SPD. Since address extensions are specified as a socket address with a prefix length, there is no way to differentiate between an address and a subnet. We need to translate and match address to subnet types in racoon where appropriate.

> Guess this regression came with Matthew's patch I committed on
> 2006-10-19, when the logic moved from memcmp (which probably worked as
> size of the host's IP is used, so the memcmp does not check the
> netmask part) to ipsecdoi_chkcmpids().

It's failing because it's comparing an address ID type to a subnet ID type. If this worked previously, then my patch is causing a regression because it corrected a latent bug. Ignoring the id type altogether is not a good solution. I can take a closer look at it later this evening.

-Matthew
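Added illustration, not code from this thread or from racoon itself: a stand-alone C model of the comparison Matthew describes, with a strict check that fails on the IPv4_address vs IPv4_subnet type mismatch beside a relaxed one that compares a host address ID as its /32 subnet (the kernel's prefixlen=32 form). The struct and function names are hypothetical; the ID type numbers are the RFC 2407 IPsec DOI values.

```c
/* Stand-alone model of the ID comparison discussed in the thread (not racoon's
 * ipsecdoi_chkcmpids()). ID type numbers follow RFC 2407 (IPsec DOI). */
#include <stdint.h>
#include <arpa/inet.h>

#define IPSECDOI_ID_IPV4_ADDR        1 /* sainfo "address 192.168.1.1" */
#define IPSECDOI_ID_IPV4_ADDR_SUBNET 4 /* sainfo "subnet x/y", or SPD prefixlen=32 */

struct ipv4_id {
    int      type; /* RFC 2407 ID type */
    uint32_t addr; /* network byte order */
    int      plen; /* prefix length, 32 for a host address */
};

/* Build an ID from dotted-quad text; plen < 0 means a host "address" ID. */
int make_id(struct ipv4_id *id, const char *dotted, int plen)
{
    struct in_addr in;
    if (inet_pton(AF_INET, dotted, &in) != 1 || plen > 32)
        return -1;
    id->addr = in.s_addr;
    id->type = plen < 0 ? IPSECDOI_ID_IPV4_ADDR : IPSECDOI_ID_IPV4_ADDR_SUBNET;
    id->plen = plen < 0 ? 32 : plen;
    return 0;
}

static uint32_t plen_to_mask(int plen)
{
    return plen == 0 ? 0 : htonl(~0u << (32 - plen));
}

/* Strict: a type mismatch is fatal, reproducing the debug line
 * "id type mismatch IPv4_address != IPv4_subnet". */
int ids_match_strict(const struct ipv4_id *a, const struct ipv4_id *b)
{
    uint32_t m = plen_to_mask(a->plen);
    return a->type == b->type && a->plen == b->plen &&
           (a->addr & m) == (b->addr & m);
}

/* Relaxed: a host address ID is compared as its /32 subnet, so the kernel's
 * prefixlen=32 form and the sainfo "address" form agree; other prefix
 * lengths must still match exactly, so 10.100.2.0 never matches a /24. */
int ids_match_normalized(const struct ipv4_id *a, const struct ipv4_id *b)
{
    struct ipv4_id na = *a, nb = *b;
    if (na.type == IPSECDOI_ID_IPV4_ADDR) { na.type = IPSECDOI_ID_IPV4_ADDR_SUBNET; na.plen = 32; }
    if (nb.type == IPSECDOI_ID_IPV4_ADDR) { nb.type = IPSECDOI_ID_IPV4_ADDR_SUBNET; nb.plen = 32; }
    return ids_match_strict(&na, &nb);
}
```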