Re: Drop IPSec traffic that should be encapsulated but is not

2016-09-02 Thread Mike Belopuhov
On 1 September 2016 at 10:31, Vincent Gross wrote:
> Our IPSec stack rejects UDP-encapsulated traffic using a non
> encapsulating SA, but not the other way around. This diff adds
> the missing check and the corresponding stat counter.
>
> Ok ?
>
Go for it. OK mikeb

Re: Drop IPSec traffic that should be encapsulated but is not

2016-09-01 Thread Claer
On Thu, Sep 01 2016 at 46:18, Vincent Gross wrote:
> On Thu, 1 Sep 2016 18:02:14 +0200
> Claer wrote:
>
> > Hello,
> >
> > In some production systems, I'm still using an old patch to isakmpd for
> > Nat-t. When negotiating SAs with ASA peers and OpenBSD is NATed, you

Re: Drop IPSec traffic that should be encapsulated but is not

2016-09-01 Thread Vincent Gross
On Thu, 1 Sep 2016 18:02:14 +0200 Claer wrote:
> Hello,
>
> In some production systems, I'm still using an old patch to isakmpd
> for Nat-t.
> When negotiating SAs with ASA peers and OpenBSD is NATed, you have
> issues during negotiation. The following discussions explain

Re: Drop IPSec traffic that should be encapsulated but is not

2016-09-01 Thread Claer
Hello,

In some production systems, I'm still using an old patch to isakmpd for Nat-t. When negotiating SAs with ASA peers and OpenBSD is NATed, you have issues during negotiation. The following discussions explain the issue

Drop IPSec traffic that should be encapsulated but is not

2016-09-01 Thread Vincent Gross
Our IPSec stack rejects UDP-encapsulated traffic using a non encapsulating SA, but not the other way around. This diff adds the missing check and the corresponding stat counter. Ok ? Index: sys/netinet/ip_esp.h === RCS file: