
Re: automatic keying works! Re: off by one error in 3des cbc keying

To: kuznet@xxxxxxxxxxxxx
Subject: Re: automatic keying works! Re: off by one error in 3des cbc keying
From: bert hubert <ahu@xxxxxxx>
Date: Wed, 13 Nov 2002 23:03:11 +0100
Cc: davem@xxxxxxxxxx, gem@xxxxxxxxxxx, netdev@xxxxxxxxxxx
In-reply-to: <200211132046.XAA12943@xxxxxxxxxxxxx>
Mail-followup-to: bert hubert <ahu@xxxxxxx>, kuznet@xxxxxxxxxxxxx, davem@xxxxxxxxxx, gem@xxxxxxxxxxx, netdev@xxxxxxxxxxx
References: <20021113085517.GA9134@xxxxxxxxxxxxxxx> <200211132046.XAA12943@xxxxxxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mutt/1.3.28i
On Wed, Nov 13, 2002 at 11:46:40PM +0300, kuznet@xxxxxxxxxxxxx wrote:

> We traced all this today. It was not true reason of bad behaviour,
> real mistake was in absolutely different place. The patch (not incremental
> wrt patch of yesterday, so backout that one).

Done. http://ds9a.nl/ipsec now contains patches:

[TXT] 01-bypass-connect.diff        11-Nov-2002 08:59    16k  
[TXT] 02-udp-bypass.diff            12-Nov-2002 15:14     2k  
[TXT] 03-interop-breaks-compat.diff 13-Nov-2002 08:25     3k  
[TXT] 04-larval-2.diff              13-Nov-2002 21:53     5k  

When applied together, it now *really* works as intended :-)

> No, really. The trace showed another problem: one of them looks like
> a bug in racoon namely, after SA internal to IKE expires racoon
> does not initiate new connection to peer when some real kernel

I now see a proper soft expire, new SAs being set up, old SAs in state 'dying',
and traffic flowing nicely. Even with soft expire and no traffic, I see a
new SA being negotiated.

Until the old SAs die, I see Linux sending with the old SPI, is that right?

Regards,

bert

-- 
http://www.PowerDNS.com          Versatile DNS Software & Services
http://lartc.org           Linux Advanced Routing & Traffic Control HOWTO

