Re: [Ipsec-tools-devel] [ANNOUNCE] IPsec-tools 0.5 Beta1
From: Aidas K. <a.k...@gm...> - 2004-12-14 07:20:53
Oliver Jehle wrote:
> On Mon, 2004-12-13 at 18:26, Michal Ludvig wrote:
>
>> o Fixed FWD policy support.
>
> What does this mean?

Oliver,

The Linux kernel implements IPSec not directly but via the XFRM API, which has not only IN and OUT directions, but also FWD. Even more, FWD is checked instead of IN for forwarded packets! And kernels 2.6.9+ no longer allow packets through an empty FWD policy list if other policies are set for the packet. Therefore with older ipsec-tools it is not possible to have a working setup with kernels 2.6.9+, because older versions did not know about the FWD direction at all.

This version maps IPSec semantics to kernel semantics in setting and deleting policies via the setkey utility, via racoon's generate_policy functionality (mapping in setkey is made default, but it can be switched off).

In this version fwd policies still appear in setkey output when requested to dump the policy list. I hope to fix this before beta2 is out.

--
Aidas Kasparas
IT administrator
GM Consult Group, UAB
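Added example, not part of the original message or of ipsec-tools: a small audit over a policy dump in the layout `setkey -DP` prints, listing every `in` policy that has no `fwd` policy with the same selector, which is the situation the message describes for forwarded traffic on kernels 2.6.9+. The sample dump, its addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample in the layout of `setkey -DP` output (documentation addresses).
SAMPLE_SPD = """\
192.0.2.0/24[any] 198.51.100.0/24[any] any
\tin ipsec
\tesp/tunnel/203.0.113.2-203.0.113.1/require
\tspid=8 seq=3 pid=4021
198.51.100.0/24[any] 192.0.2.0/24[any] any
\tout ipsec
\tesp/tunnel/203.0.113.1-203.0.113.2/require
\tspid=1 seq=2 pid=4021
10.10.0.0/16[any] 198.51.100.0/24[any] any
\tin ipsec
\tesp/tunnel/203.0.113.9-203.0.113.1/require
\tspid=16 seq=1 pid=4021
10.10.0.0/16[any] 198.51.100.0/24[any] any
\tfwd ipsec
\tesp/tunnel/203.0.113.9-203.0.113.1/require
\tspid=26 seq=0 pid=4021
"""

# A policy starts with an unindented "src dst upper-layer-protocol" line;
# the first indented line after it begins with the direction.
SELECTOR = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s*$")
DIRECTION = re.compile(r"^\s+(in|out|fwd)\b")

def parse_spd(dump):
    """Return a set of (direction, src, dst, proto) tuples from a policy dump."""
    policies, selector = set(), None
    for line in dump.splitlines():
        m = SELECTOR.match(line)
        if m:
            selector = m.groups()
            continue
        d = DIRECTION.match(line)
        if d and selector:
            policies.add((d.group(1),) + selector)
            selector = None  # ignore the remaining lines of this entry
    return policies

def in_without_fwd(dump):
    """Selectors that have an `in` policy but no `fwd` policy with the same selector."""
    policies = parse_spd(dump)
    return sorted(p[1:] for p in policies
                  if p[0] == "in" and ("fwd",) + p[1:] not in policies)

if __name__ == "__main__":
    for src, dst, proto in in_without_fwd(SAMPLE_SPD):
        print(f"in policy {src} -> {dst} ({proto}) has no matching fwd policy")
```

On a gateway, an entry reported here means forwarded packets for that selector have no `fwd` policy to match, so the dump is worth checking after upgrading the kernel or switching off the setkey mapping.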