 |
| Prev-20 | Home | Next-20 |
| Prev-20 | Home | Next-20 |
| Prev- | Prev- | Debian- | Jul- | Next- | Next- |
| Subject: | IPsec from native KAME in 2.6 kernel to FreeS/WAN on 2.4 |
| Group: | Debian-security |
| From: | Igor Goldenberg |
| Date: | 27 Jul 2005 |
I have the central security gateway ("server") with FreeS/WAN v2.06 and
a number of client security gateways with the same FreeS/WAN on its.
Between the server and client gateways exists more then one tunnel
having the same endpoints. For example, for scheme
net1/24 == gw1 ... gw2 == (serv1 & serv2)
I've 2 tunnels: net1/24 <-> serv1 and net1/24 <-> serv2, both having the
same endpoints: gw1 and gw2.
When FreeS/WAN start these connections it create a "IPsec SA" *for*
*each* and work then with its. I think it's implementation feature.
But native 2.6 IPsec use one common "IPsec SA" for each tunnel sharing
common endpoint IPs and policies. And when I use on client gateway linux
2.6 with ëáíå, only first IPsec connection work as expected. Racoon and
Pluto setup "IPsec SA" for this tunnel. But when some trafic from
net1/24 want to go to serv2, kernel on client gateway try to use
existing SA but FreeS/WAN don't have "IPsec SA" established for *this*
connection and trafic can't go.
Is it possible to inform FreeS/WAN use existing "IPsec SA" for others
connection through the same gateway? Or there are other soulutions exist?
--
Igor.
--
To UNSUBSCRIBE, email to debian-security-REQUEST
with a subject of "unsubscribe". Trouble? Contact listmaster
| Prev- | Prev- | Debian- | Jul- | Next- | Next- |