From: James Y. <ji...@yo...> - 2005-02-27 03:45:08

On Sun, 27 Feb 2005, Jamie Lokier wrote:
> James Yonan wrote:
> > So when the time comes to send packets to the client, if a local address
> > has been associated with the client, it will be used as the source
> > address on all outgoing packets.
>
> I presume the "last authenticated source address" is only used for
> tunnel packets - and that the packets which are part of an attempted
> authentication use the local address where the attempt is received instead?

This is handled differently depending on mode.

Because static key mode is stateless, the reply address is based on the
last authenticated packet received and whether or not --float is used.

In SSL/TLS mode, the initial P_CONTROL_HARD_RESET_CLIENT or
P_CONTROL_HARD_RESET_SERVER message creates an untrusted client instance
object and sets the reply address, which cannot change during the life of
the session (if the client address changes, a new session must be
negotiated).

If --tls-auth is used, the reply address will not be learned from a packet
unless it is verified by an HMAC integrity check.

What this patch does is also learn the corresponding local IP address, any
time a remote IP address is learned.

James
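As an added illustration of the address-learning rules James describes (this is not code from the thread or from OpenVPN, and it does not use OpenVPN's wire format), the Python model below tracks a peer's reply addresses under the two modes. The integrity check is a plain HMAC-SHA1 over the payload standing in for --tls-auth; the `Datagram`, `PeerState` names and the addresses are all constructed for the example. The security point it makes concrete is the ordering: the HMAC check runs before anything is learned, so an unauthenticated datagram can never move the reply address, and in TLS mode even an authenticated datagram from a new address leaves the session's addresses untouched. The local address is learned together with the remote one, which is what the patch adds.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

Addr = Tuple[str, int]  # (ip, port)


@dataclass
class Datagram:
    """Constructed stand-in for a received UDP datagram (not OpenVPN's format)."""
    src: Addr       # remote address the datagram came from
    dst: Addr       # local address it was received on
    payload: bytes
    tag: bytes      # HMAC over payload, standing in for the --tls-auth check


def make_tag(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha1).digest()


def make_datagram(src: Addr, dst: Addr, payload: bytes, key: bytes) -> Datagram:
    return Datagram(src, dst, payload, make_tag(key, payload))


class PeerState:
    """Reply-address state for one peer (hypothetical model, not OpenVPN code).

    mode="static": stateless; the reply address follows the last authenticated
                   datagram, but only when float_allowed (--float) is set.
    mode="tls":    the address is bound when the session is created and does
                   not change for the life of the session.
    auth_key:      when set, a datagram must pass the HMAC check before it may
                   teach us anything (the --tls-auth behaviour in the mail).
    """

    def __init__(self, mode: str, float_allowed: bool = False,
                 auth_key: Optional[bytes] = None):
        if mode not in ("static", "tls"):
            raise ValueError("mode must be 'static' or 'tls'")
        self.mode = mode
        self.float_allowed = float_allowed
        self.auth_key = auth_key
        self.remote: Optional[Addr] = None   # destination for our replies
        self.local: Optional[Addr] = None    # source for our replies (the patch)

    def reply_addresses(self) -> Tuple[Optional[Addr], Optional[Addr]]:
        return self.remote, self.local

    def receive(self, dg: Datagram) -> str:
        # 1. Integrity first: an unauthenticated datagram must never move the
        #    reply address, or a spoofed source could redirect the tunnel.
        if self.auth_key is not None:
            expected = make_tag(self.auth_key, dg.payload)
            if not hmac.compare_digest(expected, dg.tag):
                return "rejected_hmac"

        # 2. The first authenticated datagram binds remote and local together.
        if self.remote is None:
            self.remote, self.local = dg.src, dg.dst
            return "learned"

        # 3. Same addresses as before: nothing new to learn.
        if (dg.src, dg.dst) == (self.remote, self.local):
            return "accepted"

        # 4. Addresses changed. Static key with --float follows the peer and
        #    relearns the local address with it. Otherwise the session's
        #    addresses are fixed (in TLS mode a new session would be needed).
        if self.mode == "static" and self.float_allowed:
            self.remote, self.local = dg.src, dg.dst
            return "learned"
        return "address_mismatch"


if __name__ == "__main__":
    key = b"constructed-test-key"
    peer = PeerState("tls", auth_key=key)
    print(peer.receive(make_datagram(("203.0.113.5", 1194), ("192.0.2.1", 1194),
                                     b"hard-reset", key)))
    # A datagram with a bad tag from a new address changes nothing.
    print(peer.receive(Datagram(("198.51.100.9", 40000), ("192.0.2.2", 1194),
                                b"hard-reset", b"\x00" * 20)))
    print(peer.reply_addresses())
```

Run with no arguments to see the TLS-mode sequence; swap in `PeerState("static", float_allowed=True, auth_key=key)` to watch both addresses follow an authenticated peer that has moved.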