CVSROOT:	/cvs
Module name:	src
Changes by:	bl...@cvs.openbsd.org	2009/01/27 15:40:10

Modified files:
	sys/netinet    : ip_spd.c

Log message:
In IPsec acquire mode, if the flow was configured for the "any" network 0.0.0.0/0 or ::/0, the SA was established for the IP address in the packet instead of the network in the flow. That means the SA was not negotiated for the network 0.0.0.0 with mask 0 but for the remote IP with mask 255.255.255.255. This SA did not match the flow and did not work. To differentiate between general flows that are used to trigger specific host-to-host SAs and flows for matching network SAs, the if condition only uses the ipo->ipo_dst field now. For a flow without peer, an SA must be negotiated for each host-to-host combination. Otherwise, if a peer exists at the flow, the kernel acquires one SA for the whole network.

tested by todd@, ok hshoexer@, angelos@, todd@
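The following is an added illustration of the selector decision the log message describes; it is not code from OpenBSD's ip_spd.c and does not reproduce the actual diff. The structs (`ipsec_flow`, `sa_selector`), the functions (`acquire_selector_old`, `acquire_selector_new`, `sa_matches_flow`, `acquire_and_check`, `ip4`) and the `has_peer` flag, which stands in for the check on `ipo->ipo_dst`, are assumptions for illustration; the "old" rule models the reported symptom (an "any" flow treated as host-to-host) rather than the exact pre-fix condition, and the sample addresses are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>

/* Hypothetical flow: the selector network (net/mask) plus whether a peer
 * (the SA endpoint the commit refers to as ipo->ipo_dst) is configured.
 * A model for illustration, not the kernel's struct ipsec_policy. IPv4 only. */
struct ipsec_flow {
	uint32_t net;       /* destination network, host byte order */
	uint32_t mask;      /* netmask, host byte order; 0 means "any" */
	bool     has_peer;  /* assumption: stands for ipo->ipo_dst being set */
};

/* What the kernel asks the key manager to negotiate an SA for. */
struct sa_selector {
	uint32_t addr;
	uint32_t mask;
};

#define HOST_MASK 0xffffffffu

/* Model of the behaviour described as broken: an "any" flow (network
 * address 0) is treated like a host-to-host flow, so the selector is the
 * packet's destination with a /32 mask even when a peer exists. */
static struct sa_selector
acquire_selector_old(const struct ipsec_flow *f, uint32_t pkt_dst)
{
	struct sa_selector s;

	if (f->net == 0 || !f->has_peer) {
		s.addr = pkt_dst;
		s.mask = HOST_MASK;
	} else {
		s.addr = f->net & f->mask;
		s.mask = f->mask;
	}
	return (s);
}

/* Model of the fixed behaviour: only the presence of a peer decides.
 * Peer present: one SA for the whole flow network. No peer: one SA per
 * host-to-host combination, keyed on the packet destination. */
static struct sa_selector
acquire_selector_new(const struct ipsec_flow *f, uint32_t pkt_dst)
{
	struct sa_selector s;

	if (f->has_peer) {
		s.addr = f->net & f->mask;
		s.mask = f->mask;
	} else {
		s.addr = pkt_dst;
		s.mask = HOST_MASK;
	}
	return (s);
}

/* Would the negotiated SA satisfy the flow? A flow with a peer needs an SA
 * for exactly its network; a peerless flow needs a host SA inside it. */
static bool
sa_matches_flow(const struct sa_selector *s, const struct ipsec_flow *f)
{
	if (f->has_peer)
		return (s->mask == f->mask && s->addr == (f->net & f->mask));
	return (s->mask == HOST_MASK &&
	    (s->addr & f->mask) == (f->net & f->mask));
}

/* Parse a dotted quad into host byte order; returns 0 on bad input. */
uint32_t
ip4(const char *dotted)
{
	struct in_addr a;

	if (inet_pton(AF_INET, dotted, &a) != 1)
		return (0);
	return (ntohl(a.s_addr));
}

/* Run one scenario end to end: acquire under the old or the fixed rule and
 * report whether the resulting SA would match the flow that triggered it. */
bool
acquire_and_check(uint32_t net, uint32_t mask, bool has_peer,
    uint32_t pkt_dst, bool fixed)
{
	struct ipsec_flow f = { net, mask, has_peer };
	struct sa_selector s = fixed ? acquire_selector_new(&f, pkt_dst)
	    : acquire_selector_old(&f, pkt_dst);

	return (sa_matches_flow(&s, &f));
}

int
main(void)
{
	/* Constructed sample: "any" flow with a peer, packet to 203.0.113.5. */
	uint32_t pkt = ip4("203.0.113.5");

	printf("any/0 with peer, old rule:   SA %s the flow\n",
	    acquire_and_check(0, 0, true, pkt, false) ? "matches" : "does not match");
	printf("any/0 with peer, fixed rule: SA %s the flow\n",
	    acquire_and_check(0, 0, true, pkt, true) ? "matches" : "does not match");
	printf("any/0 no peer, fixed rule:   SA %s the flow\n",
	    acquire_and_check(0, 0, false, pkt, true) ? "matches" : "does not match");
	return (0);
}
```

Under the old rule the 0.0.0.0/0 flow with a peer yields a 203.0.113.5/32 selector that the flow's own check rejects, which is the "did not match the flow and did not work" outcome; under the fixed rule the same flow yields 0.0.0.0/0 and matches, while a peerless flow still gets a per-host /32 selector.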