[Ipsec-tools-devel] subnetted IDcr

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

2409 does not specify when you can use subnets in IDcX. This has
resulted in a conflict between Windows and racoon

If I define a rule like this

spdadd <your subnet>[21] <yoursubnet> tcp  -P in ipsec
esp/transport//require

then racoon send an IDcr of type subnet in the QM exchange. Windows does
not like this; (stepping through the code you can see that the first
check it makes is that its not v4 or v6 subnet)

It rejects the request.

There is also another failure associated with this. When Windows is the
initiator then racoon checks that the IDcr it gets matches what it
expects, in this case it still checks against a subnet but Windows sent
a concrete address

This is easy to fix in racoon but I copied it to the ipsec group too
because the protocol does not really say what IDcX should contain. And I
wanted to get consensus about the correct behavior

Note that solaris send concrete adresses