On Thu, 2005-15-12 at 21:28 +0100, Krzysztof Oledzki wrote:
>
> On Thu, 15 Dec 2005, jamal wrote:
>
> > It will help 100% of the time _if you know_ you have CISCOs on the other
> > end and you configure racoon with that in mind. In other words it doesn't
> > matter who the initiator/responder is in this case.
>
> It does matter. This problem does not exist when cisco acts as responder,
> this problem does not exist when linksys acts as initiator.
>
> > Do you disagree with this?
>
> Yes ;)
>
> > Other people who have tried the patch don't seem to agree with your
> > thesis.
>
> Not sure:
>

Well, you are definitely quoting the wrong guy below ;->
The two people who tested with CISCO, I know for sure one had CISCO as
responder. So maybe that's why it worked?

The problem of [EMAIL PROTECTED] you quote below is the case where racoon
doesn't honor the deletes that I was referring to earlier. Well, keep reading
on his problem and it falls under case 2. The case where the device he has
sends deletes that racoon ignores. CISCO simply doesn't ;->
You should probably have kept following his complaints in other emails or
ask him ;->

> > OK, let me ask you this: When you configure "use new SA" - are you
> > making assumption about what is on the other end? in other words, you
> > have knowledge of the end device to assume it will start accepting the
> > new SA immediately.
>
> Sometime yes, sometime no. Generally: no.
>

If you had no worries, then you don't need to worry about this paranoid
mode ;-> You have to know the device on the remote end insists on using the
new SA for you to even turn this on.

> > In any case - what we need to do is fix this issue and not argue
> > semantics of the RFC. IMO, its a screw up in the RFC definition.
>
> True. I can accept any fix, as long as it is going to _solve_ the problem.
> For me both kernel or racoon fixes are totally fine. But please notice
> that dirty workarounds are not going to fix this and I already have one
> ("echo -ne -1 > /proc/sys/net/ipv4/route/flush" after negotiating each new
> SA). It works and it is ugly. Very ugly. ;)
>

It is disgusting ;->

Refer to Herbert's solution and see if that "solves the problem". If not,
say why.

cheers,
jamal

-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html