On Tue, Oct 14, 2003 at 02:53:13PM +0400, kuznet@ms2.inr.ac.ru wrote:
>
> > IPIP still didn't work after my last fix. It turns out that the security
> > path is not cleared for packets inside the tunnel. This breaks when the
> > SA selectors on the outside of the tunnel only allow packets with the
> > same source/destination address.
>
> ... which actually most likely means that the check is wrong.
> Is it due to the fact that you used tunnel addresses from SA to restore
> addresses to apply selector and that this information is not available
> for plain tunnel?

Well, I could be wrong. The scenario is as follows:

A <--------------> B
   ESP(transport)

The SA selector is set to only allow src == A and dst == B. To allow it
to carry IPIP packets with the current setup, I would have to set
src == any and dst == any.

> > This patch clears the security path for all tunnel packets.
>
> Think more, please. I do not believe clearing the path is a good idea.
> It is too easy to be right. :-)

Can you tell me why you think it is a bad idea? To me, IPIP/GRE tunnels
should be a barrier for IPSEC transforms: you should not be able to see
the transforms on either side of the tunnel.
--
Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
Email:  Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
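The scenario in the message above, as an added illustration that is not part of the thread and not kernel code: a minimal model of the IPsec security path (the list of SAs a packet has been decapsulated through) and of the SA selector check. It shows why an inner IPIP packet fails the check when the outer SA's selector is restricted to src == A, dst == B and the security path is kept across decapsulation, why it passes when the path is cleared at the tunnel boundary, and why a wildcard selector would also let it through. All structure and function names, and the addresses used, are hypothetical and constructed for the example.

```c
/* Added illustration, not Linux kernel code: a toy model of the IPsec
 * "security path" and SA selector check around an IPIP tunnel.
 * Addresses are plain 32-bit values; 0 in a selector means "any".
 * All names here are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define ANY 0u

struct selector { uint32_t src, dst; };      /* ANY = wildcard */
struct sa       { struct selector sel; };    /* one security association */
struct secpath  { const struct sa *sas[4]; int len; };

struct packet {
    uint32_t src, dst;          /* addresses of the header being processed now */
    bool     has_inner;         /* payload is an IPIP-encapsulated packet */
    uint32_t inner_src, inner_dst;
    struct secpath sp;          /* transforms already applied to this packet */
};

static bool sel_match(const struct selector *s, uint32_t src, uint32_t dst)
{
    return (s->src == ANY || s->src == src) && (s->dst == ANY || s->dst == dst);
}

/* Policy check: every SA on the security path must have a selector that
 * covers the packet's addresses as currently seen. A packet with an empty
 * security path is a plain packet and passes this check. */
static bool policy_check(const struct packet *p)
{
    for (int i = 0; i < p->sp.len; i++)
        if (!sel_match(&p->sp.sas[i]->sel, p->src, p->dst))
            return false;
    return true;
}

/* ESP transport-mode input: record the SA the packet arrived through. */
static void esp_input(struct packet *p, const struct sa *sa)
{
    p->sp.sas[p->sp.len++] = sa;
}

/* IPIP decapsulation: the inner header becomes the header being processed.
 * clear_secpath selects the behaviour under discussion in the thread. */
static bool ipip_decap(struct packet *p, bool clear_secpath)
{
    if (!p->has_inner)
        return false;
    p->src = p->inner_src;
    p->dst = p->inner_dst;
    p->has_inner = false;
    if (clear_secpath)
        p->sp.len = 0;          /* tunnel is a barrier for transforms */
    return true;
}

/* ESP(transport) between A and B carrying an IPIP packet X -> Y.
 * wildcard_selector: use src == any, dst == any instead of src == A, dst == B.
 * Returns whether the inner packet passes the policy check after decap. */
bool scenario(bool clear_secpath, bool wildcard_selector)
{
    const uint32_t A = 0x0a000001, B = 0x0a000002;   /* constructed: 10.0.0.1, 10.0.0.2 */
    const uint32_t X = 0xc0a80105, Y = 0xc0a80205;   /* constructed inner endpoints */
    struct sa sa_ab = { { wildcard_selector ? ANY : A, wildcard_selector ? ANY : B } };
    struct packet p = { A, B, true, X, Y, { { 0 }, 0 } };

    esp_input(&p, &sa_ab);
    if (!policy_check(&p))              /* outer header A -> B always matches */
        return false;
    ipip_decap(&p, clear_secpath);
    return policy_check(&p);            /* inner header X -> Y */
}

int main(void)
{
    printf("selector A->B, secpath kept:    inner packet %s\n",
           scenario(false, false) ? "passes" : "dropped");
    printf("selector A->B, secpath cleared: inner packet %s\n",
           scenario(true, false) ? "passes" : "dropped");
    printf("selector any,  secpath kept:    inner packet %s\n",
           scenario(false, true) ? "passes" : "dropped");
    return 0;
}
```

The first case is the breakage described in the message: the SA's selector is evaluated against the inner addresses it was never meant to cover. The second is the proposed fix (clearing the path at the tunnel boundary), and the third is the workaround the message says would otherwise be needed, a fully wildcarded selector.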