netdev

Re: [Ipsec-tools-devel] Re: [PATCH 2.6]: Check against correct policy li

To: Patrick McHardy <kaber@xxxxxxxxx>
Subject: Re: [Ipsec-tools-devel] Re: [PATCH 2.6]: Check against correct policy list in ip_forward/ip6_forward
From: Aidas Kasparas <a.kasparas@xxxxxx>
Date: Tue, 19 Oct 2004 18:57:19 +0300
Cc: netdev@xxxxxxxxxxx, ipsec-tools-devel@xxxxxxxxxxxxxxxxxxxxx
In-reply-to: <417534F1.1010401@trash.net>
References: <4172943B.8050904@trash.net> <20041017212317.GA28615@gondor.apana.org.au> <4172F1AB.4020305@trash.net> <20041017231258.GA29294@gondor.apana.org.au> <4175334B.3000504@gmc.lt> <417534F1.1010401@trash.net>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mozilla Thunderbird 0.8 (X11/20040918)


Patrick McHardy wrote:
> Aidas Kasparas wrote:
>
>> I'm sorry, what is wrong with racoon?
>
> When generate_policy is set to on, racoon doesn't generate forward
> policies for tunnel mode SAs, so traffic forwarded from a tunnel
> is not subject to policy checks.

Patrick,

What _forward_ policies should racoon generate? And WHY?!

Could you please specify for the case when:
- remote host has address A.A.A.A
- security gateway has insecure address B.B.B.B
- secured network is C.C.C.0/24, security gateway's address C.C.C.C

what policies in your opinion have to be inserted into SPD for this setup by racoon?

Thanks in advance.


> I have a patch which fixes this, I will post it in a couple of days.
>
> Regards
> Patrick


-- 
Aidas Kasparas
IT administrator
GM Consult Group, UAB
