Hello!

> Now this could be dealt with in the firewall if it had information
> about the security path. Unfortunately that does not seem to be the
> case right now. It also imposes extra burden on the IKE daemon as it
> needs to provide facilities for the appropriate firewalling to be
> set up.

This one is unacceptable. Extension of firewalling rules is a good thing, but IKE must not depend on this.

I understood the point. But I still cannot figure out how to solve this. What could you suggest?

The first question: is it _really_ enough to block transformed packets unless they are explicitly prescribed in policy? Only tunnel mode ones?

Alexey