From: VANHULLEBUS Y. <va...@fr...> - 2007-04-06 07:42:10

On Thu, Apr 05, 2007 at 11:54:20PM -0500, Matthew Grooms wrote:
> All,

Hi Matthew.

> Here is an updated version of the client address check option that
> I proposed some months ago. The idea is to prevent invalid policies from
> being generated when racoon is acting as a client gateway. Since a valid
> sainfo section needs to be matched before an SA will be negotiated, the
> new option can be used like so ...
>
> sainfo subnet x.x.x.x/y any clientaddr { ... }
>
> ... which only allows a match if the remote id is equal to the assigned
> modecfg address. If a modecfg address is not assigned, the match is
> performed against the peer address as a fallback.
>
> Yvan will probably want to look this one over carefully.

Yep.

I think it's too late to integrate such change for 0.7 branch, so, if it's ok for you, let's first release 0.6.7, 0.7.0, then I'll have a deeper look at your patch.

Yvan.
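Added illustration, not part of the thread and not ipsec-tools code: a small Python model of the sainfo matching rule the quoted proposal describes, written to show why the `clientaddr` check matters on a client gateway. The function names (`remote_id_allowed`, `sainfo_matches`) and the sample addresses are constructed for this example; the only behaviour taken from the message is that, with `clientaddr` set, the remote id must equal the modecfg-assigned address, falling back to the peer address when none was assigned. Without the option, a client that proposes a wider remote id than the single address it was handed would still match the sainfo and get a policy generated for that range.

```python
import ipaddress
from typing import Optional


def remote_id_allowed(remote_id: str, modecfg_addr: Optional[str], peer_addr: str) -> bool:
    """Model of the proposed clientaddr check (hypothetical, not racoon's code).

    The remote id is accepted only if it is exactly the single address the
    client is entitled to claim: the modecfg-assigned address when one was
    handed out, otherwise the peer's own address as a fallback.
    """
    entitled = modecfg_addr if modecfg_addr is not None else peer_addr
    # ip_network() of a bare address yields a /32 (or /128) host network,
    # so a remote id of "10.1.1.5/32" compares equal to "10.1.1.5".
    expected = ipaddress.ip_network(entitled)
    claimed = ipaddress.ip_network(remote_id, strict=False)
    return claimed == expected


def sainfo_matches(sainfo_subnet: str, local_id: str, remote_id: str,
                   modecfg_addr: Optional[str], peer_addr: str,
                   clientaddr: bool = False) -> bool:
    """Simplified sainfo selection step (constructed model).

    The local id proposed by the peer must fall inside the sainfo's subnet;
    when the entry carries the clientaddr flag the remote id is additionally
    constrained by remote_id_allowed().
    """
    subnet = ipaddress.ip_network(sainfo_subnet, strict=False)
    local = ipaddress.ip_network(local_id, strict=False)
    # subnet_of() raises on mixed address families; treat that as no match.
    if local.version != subnet.version or not local.subnet_of(subnet):
        return False
    if clientaddr:
        return remote_id_allowed(remote_id, modecfg_addr, peer_addr)
    return True


if __name__ == "__main__":
    # Constructed scenario: the gateway protects 192.168.0.0/24 and handed
    # the client 10.1.1.5 via modecfg; the peer connects from 203.0.113.7.
    gw_subnet, assigned, peer = "192.168.0.0/24", "10.1.1.5", "203.0.113.7"

    # Well-behaved client: remote id is exactly its assigned address.
    print(sainfo_matches(gw_subnet, gw_subnet, "10.1.1.5/32", assigned, peer, clientaddr=True))
    # Client claims the whole 10.1.1.0/24: rejected with clientaddr ...
    print(sainfo_matches(gw_subnet, gw_subnet, "10.1.1.0/24", assigned, peer, clientaddr=True))
    # ... but accepted without it, which is the invalid policy the option prevents.
    print(sainfo_matches(gw_subnet, gw_subnet, "10.1.1.0/24", assigned, peer, clientaddr=False))
    # No modecfg address assigned: the peer address is the fallback.
    print(sainfo_matches(gw_subnet, gw_subnet, "203.0.113.7", None, peer, clientaddr=True))
```

The model deliberately compares the remote id for equality with a single host network rather than testing containment: a client that was assigned one address has no business proposing a selector that covers its neighbours, and that is the case the option is meant to close.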