From: VANHULLEBUS Y. <va...@fr...> - 2008-04-09 12:53:21
|
On Thu, Apr 03, 2008 at 03:32:42PM +0300, Timo Ter?s wrote: > VANHULLEBUS Yvan wrote: [.....] > > Some NAT-T issues are already well known with ipsec-tools, mainly > > because Linux and Free/NetBSD don't have exactly the same way of > > handling port numbers. > > Is there a list somewhere? I'd be happy to check these in Linux. Since > I'm likely to bump into them sooner or later. Actually, you'll find informations about that issue mainly in ipsec-tools-devel's archives, and a few other ones "elsewhere" (a bit in freebsd-net, but most discussions there have been done in private mails, nad probably in some other places). I started to collect and synthetize all informations in one single place, which will be public "soon". [...] > > Before reporting such patch, we'll have to ensure it doesn't break > > other things (on Linux or on Free/NetBSD), I'll try to do such tests > > ASAP (but I know it takes some time to do that), and if other people > > can do some tests and report on the list the exact setup they tested > > (OS/kernel version used, ipsec-tools version, what is the peer), if > > NAT-T still works and if DELETE-SAs are correctly send/received, it > > would be great ! > > Of course. I figured BSD would do it differently, so that why I'm not > sure if the ports should be overwritten always or the way the attached > patch does it. > > For my part, I can report that the patch fixes things for me: I'm > running Linux 2.6.23 kernel and ipsec-tools CVS HEAD on both ends. Some patches can be reported without problems, if and only if they are done "the right way". Your ipsec-sa-compare-fix.diff patch seems to be done that way (it does things by extracting SADB_X_EXT_NAT_T_[S|D]PORT if they are present, and doesn't change anything if they are not present), and will probably be reported "ASAP". Yvan. |