IPsec from native KAME in 2.6 kernel to FreeS/WAN on 2.4
Hello.
I have the central security gateway ("server") with FreeS/WAN v2.06 and
a number of client security gateways with the same FreeS/WAN on them.
Between the server and client gateways there exists more than one tunnel
having the same endpoints. For example, for the scheme
net1/24 == gw1 ... gw2 == (serv1 & serv2)
I've 2 tunnels: net1/24 <-> serv1 and net1/24 <-> serv2, both having the
same endpoints: gw1 and gw2.
When FreeS/WAN starts these connections it creates an "IPsec SA" *for*
*each* and then works with them. I think it's an implementation feature.
But native 2.6 IPsec uses one common "IPsec SA" for each tunnel sharing
common endpoint IPs and policies. And when I use Linux 2.6 with KAME on
the client gateway, only the first IPsec connection works as expected.
Racoon and Pluto set up an "IPsec SA" for this tunnel. But when some
traffic from net1/24 wants to go to serv2, the kernel on the client
gateway tries to use the existing SA, but FreeS/WAN doesn't have an
"IPsec SA" established for *this* connection and the traffic can't go.
Is it possible to tell FreeS/WAN to use the existing "IPsec SA" for other
connections through the same gateway? Or do other solutions exist?
--
Igor.
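The layout described in the post, written out as a FreeS/WAN ipsec.conf fragment. This is an added illustration, not configuration from the original message or from the FreeS/WAN project; the addresses are constructed placeholders (gw1, gw2, net1/24, serv1 and serv2 from the post's scheme), and the connection names are assumptions. It shows why the server side ends up with two separate SA pairs: each conn stanza, even when left/right are identical, is negotiated and keyed on its own subnet selectors.

```conf
# Constructed example: two FreeS/WAN connections sharing the same
# gateway endpoints (gw1 <-> gw2) but different protected subnets.
# Addresses are placeholders standing in for the post's scheme:
#   net1/24 == gw1 ... gw2 == (serv1 & serv2)

config setup
    interfaces=%defaultroute

conn %default
    left=192.0.2.1              # gw1, the client gateway (placeholder)
    leftsubnet=10.1.0.0/24      # net1/24 behind gw1 (placeholder)
    right=198.51.100.1          # gw2, the central gateway (placeholder)
    auto=start

# Tunnel 1: net1/24 <-> serv1. FreeS/WAN negotiates its own IPsec SA
# pair for this conn, with selectors 10.1.0.0/24 <-> 172.16.0.1/32.
conn net1-serv1
    rightsubnet=172.16.0.1/32   # serv1 behind gw2 (placeholder)

# Tunnel 2: net1/24 <-> serv2. Same left/right endpoints as above, but a
# second, independent IPsec SA pair with selectors 10.1.0.0/24 <-> 172.16.0.2/32.
# A peer that maps traffic to an SA by endpoint pair alone will pick the
# SA from tunnel 1 for this traffic, which is the mismatch the post describes.
conn net1-serv2
    rightsubnet=172.16.0.2/32   # serv2 behind gw2 (placeholder)
```

On the FreeS/WAN side, `ipsec auto --status` (or `ipsec eroute`) lists one eroute and one SA pair per conn, which is the observable difference from a peer that shares a single SA across both selectors; comparing that listing with the client gateway's SAD is the quickest way to confirm that traffic for serv2 is being sent under tunnel 1's SPI.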