problems with NAT on 2.4 kernels

To: netdev@xxxxxxxxxxx
Subject: problems with NAT on 2.4 kernels
From: Michael Richardson <mcr@xxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 17 Apr 2002 16:38:17 -0400
Cc: russell@xxxxxxxx, grupis@xxxxxxxxxxxxxxxxxxx
Sender: owner-netdev@xxxxxxxxxxx
  When FreeSWAN is configured to do Opportunistic Encryption, it arranges for
all outgoing packets to travel through ipsec0. If the destination is not OE
capable, the packet goes out in the clear on ppp0/eth0.

  When OE is configured on a box that also does NAT (IP masquerading) we run
into a problem. One can talk to any box that has OE enabled. 

  This is because the NAT code seems to believe it proper for packets to
arrive on the same interface that they went out. This just doesn't happen 
when there is IPsec OE (as it exists now) and often won't happen at all when
there are multiple internet connections.

  Jamal Hadi diagnosed this as the problem in the bar at IETF, but wasn't
sure what piece of code we could hack. He seemed to think that this code has
been changed in 2.5. If someone could point at the change, I would appreciate 
it, as we have many people who want to do precisely this: NAT followed by OE.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@xxxxxxxxxxxxxxxxxxxxxx http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
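The interface assumption the post describes, shown as an added toy model rather than anything from the 2.4 kernel or FreeSWAN: a masquerading NAT table whose reverse lookup either requires the reply to arrive on the interface the original packet left on (the behaviour the post attributes to the 2.4 NAT code) or matches on the address/port tuple alone. The same function also covers the multi-homed case the post mentions, where the packet leaves on one uplink and the reply arrives on another. All addresses, ports, interface names and the `Masquerader`/`reply_after_asymmetric_path` helpers are constructed for this example; the relaxed lookup models the behaviour being asked for, not what any particular kernel version does.

```python
"""Toy model of a masquerading NAT table with and without interface-bound state.

Added example, not kernel code. It models the assumption described in the
post (reply must come back on the interface the packet went out on) next to
an interface-agnostic lookup and shows which one drops the reply when the
forward and return paths use different interfaces.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "192.0.2.1"  # constructed: the masquerading box's external address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iface: str  # interface the packet leaves on (outbound) or arrives on (inbound)


@dataclass(frozen=True)
class NatEntry:
    orig_src: str
    orig_sport: int
    out_iface: str


class Masquerader:
    """Minimal source-NAT table (hypothetical helper).

    With bind_to_interface=True the reverse lookup also requires the reply to
    arrive on the interface the original packet left on.
    """

    def __init__(self, bind_to_interface: bool, first_port: int = 61000) -> None:
        self.bind_to_interface = bind_to_interface
        self.next_port = first_port
        # (public port, remote ip, remote port) -> original LAN endpoint
        self.table: Dict[Tuple[int, str, int], NatEntry] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a LAN packet's source to the public address and record the mapping."""
        nat_port = self.next_port
        self.next_port += 1
        self.table[(nat_port, pkt.dst, pkt.dport)] = NatEntry(pkt.src, pkt.sport, pkt.iface)
        return Packet(PUBLIC_IP, nat_port, pkt.dst, pkt.dport, pkt.iface)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Undo the translation for a reply; None means the NAT has no usable state for it."""
        if pkt.dst != PUBLIC_IP:
            return None
        entry = self.table.get((pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None  # no state at all: nothing to map this reply to
        if self.bind_to_interface and entry.out_iface != pkt.iface:
            return None  # reply came back on a different interface: dropped
        return Packet(pkt.src, pkt.sport, entry.orig_src, entry.orig_sport, pkt.iface)


def reply_after_asymmetric_path(out_iface: str, in_iface: str,
                                bind_to_interface: bool) -> Optional[Packet]:
    """A LAN host talks to a remote peer; the request leaves on out_iface and the
    reply arrives on in_iface. Returns the de-NATed reply, or None if dropped."""
    nat = Masquerader(bind_to_interface)
    lan_host = Packet("10.0.0.5", 40000, "198.51.100.7", 80, out_iface)  # constructed
    translated = nat.outbound(lan_host)
    reply = Packet(translated.dst, translated.dport, PUBLIC_IP, translated.sport, in_iface)
    return nat.inbound(reply)


if __name__ == "__main__":
    # OE case from the post: every packet leaves via ipsec0, the clear-text
    # reply shows up on ppp0.
    print("interface-bound, ipsec0 -> ppp0:", reply_after_asymmetric_path("ipsec0", "ppp0", True))
    print("tuple-only,      ipsec0 -> ppp0:", reply_after_asymmetric_path("ipsec0", "ppp0", False))
    # Symmetric path works either way.
    print("interface-bound, ppp0 -> ppp0:  ", reply_after_asymmetric_path("ppp0", "ppp0", True))
    # Multi-homed case: out one uplink, back on the other.
    print("interface-bound, eth1 -> eth2:  ", reply_after_asymmetric_path("eth1", "eth2", True))
```

Run it and the interface-bound table returns None for the ipsec0/ppp0 and eth1/eth2 cases while the tuple-only table maps the same reply back to 10.0.0.5:40000. The point for anyone debugging this class of problem is that the translation state itself is fine; it is the extra interface check on the return path that turns any asymmetric route into a silently dropped reply.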

