From: VANHULLEBUS Y. <va...@fr...> - 2008-11-03 13:51:54
On Sun, Nov 02, 2008 at 01:06:38AM +0100, Frank Kardel wrote:
> Hi,
>
> when changing key_cmpsaidx_exactly to key_cmpsaidx_withmode in
> netkey/key.c:key_getsah()
> negotiations work again. This change is inspired by the code found in
> netipsec/key.c where
> key_getsah().
>
> Caution: I have not deeply looked into the issue - thus this change may
> be completely wrong, but it gives
> probably a hint at what's wrong.
> My rules refer to any protocol - so exact comparisons for specific
> protocols probably don't match
> in the key_cmpsaidx_exactly function.

Yes, the problem is directly linked to the way ports are handled, and
there are some issues with the actual way it's done.

Doing this change is probably not the good solution (you may get some
unwanted SAs, and I should have a look at the code to ensure you won't
also have some situations where you'll miss the right SA), and cleanup
of the whole stuff is in progress...

Yvan.