Date:      Wed, 12 Sep 2012 14:19:27 +0200
From:      VANHULLEBUS Yvan <vanhu@FreeBSD.org>
To:        Andreas Longwitz <longwitz@incore.de>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Support for IPSec VPN's: some patches for netipsec/key.c
Message-ID:  <20120912121927.GA3968@zeninc.net>
In-Reply-To: <50474D5C.4020003@incore.de>
References:  <50474D5C.4020003@incore.de>

Hi.

On Wed, Sep 05, 2012 at 03:02:20PM +0200, Andreas Longwitz wrote:
[...]
> The last patch makes it possible for a transport mode client to open a
> new connection to the server immediately after closing an old
> connection. Without this patch the client must wait for the routers to
> forget all their NAT entries.
> 
> @@ -4065,10 +4084,12 @@
>           /*
>            * If NAT-T is enabled, check ports for tunnel mode.
>            * Do not check ports if they are set to zero in the SPD.
> -          * Also do not do it for transport mode, as there is no
> +          * Also do not do it for native transport mode, as there is no
>            * port information available in the SP.
>            */
> -         if (saidx1->mode == IPSEC_MODE_TUNNEL &&
> +         if ((saidx1->mode == IPSEC_MODE_TUNNEL ||
> +             (saidx1->mode == IPSEC_MODE_TRANSPORT &&
> +             saidx1->proto == IPPROTO_ESP)) &&
>               saidx1->src.sa.sa_family == AF_INET &&
>               saidx1->dst.sa.sa_family == AF_INET &&
>               ((const struct sockaddr_in *)(&saidx1->src))->sin_port &&
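Review bot: the updated comment says ports are skipped for "native transport mode", but the new condition tests `saidx1->proto == IPPROTO_ESP`, which is a proxy for "transport SAs that can be UDP-encapsulated" rather than a check of NAT-T state itself; either reword the comment to say that transport-mode ESP is included because it may be NAT-T encapsulated (AH transport remains excluded), or, if the SA index carries the NAT-T state, test that directly so the intent and the code match. The hunk also shows only the `AF_INET` branch of the port check; if a parallel `AF_INET6` branch exists below it, it should receive the same mode change so IPv6 NAT-T transport clients get consistent behaviour.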

Sorry for the delay, I just committed it on HEAD.


Thanks for the patch, I'll try to take time to have a look at your
other patches/issues ASAP, feel free to send updated versions, mail
me, etc....


Yvan.
