Re: [Ipsec-tools-devel] [ANNOUNCE] IPsec-tools 0.5 Beta1

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Oliver Jehle wrote:
> On Mon, 2004-12-13 at 18:26, Michal Ludvig wrote:
> 
>>        o Fixed FWD policy support.
> 
> 
> What this mean ?

Oliver,

	Linux kernel implements IPSec not directly but via XFRM API, which has 
not only IN and OUT directions, but also FWD. Even more, FWD is checked 
instead of IN for forwarded packets! And kernels 2.6.9+ no longer allows 
packets through empty FWD policy list if other policies are set for 
packet. Therefore with older ipsec-tools it is not possible to have 
working setup with kernels 2.6.9+ because older versions did not know 
about FWD direction at all.

	This version maps IPSec semantics to kernel semantics in seting and 
deleting policies via setkey utility, via racoons generate_policy 
functionality (mapping in setkey is made default, but it can be switched 
off). In this version fwd policies still apears in setkey output when 
requested to dump policy list. I hope to fix this before beta2 is out.

-- 
Aidas Kasparas
IT administrator
GM Consult Group, UAB