Menu
▾
▴
Re: [Ipsec-tools-devel] client address check option [patch]
|
From: VANHULLEBUS Y. <va...@fr...> - 2007-04-06 07:42:10
|
On Thu, Apr 05, 2007 at 11:54:20PM -0500, Matthew Grooms wrote:
> All,
Hi Matthew.
> Here is an updated version of the client address check option that
> I proposed some months ago. The idea is to prevent invalid policies from
> being generated when racoon is acting as a client gateway. Since a valid
> sainfo section needs to be matched before an SA will be negotiated, the
> new option can be used like so ...
>
> sainfo subnet x.x.x.x/y any clientaddr { ... }
>
> ... which only allows a match if the remote id is equal to the assigned
> modecfg address. If a modecfg address is not assigned, the match is
> performed against the peer address as a fallback.
>
> Yvan will probably want to look this one over carefully.
Yep.
I think it's too late to integrate such change for 0.7 branch, so, if
it's ok for you, let's first releast 0.6.7, 0.7.0, then I'll have a
deeper look at your patch.
Yvan.
|