CVSROOT:        /cvs
Module name:    src
Changes by:     bl...@cvs.openbsd.org   2009/01/27 15:40:10

Modified files:
        sys/netinet    : ip_spd.c 

Log message:
In IPsec acquire mode, if the flow was configured for the "any"
network 0.0.0.0/0 or ::/0, the SA was established for the IP address
in the packet instead of the network in the flow.  That means the
SA was not negotiated for the network 0.0.0.0 with mask 0 but for
the remote IP with mask 255.255.255.255.  This SA did not match the
flow and did not work.

To differentiate between general flows that are used to trigger
specific host-to-host SAs and flows for matching network SAs, the
if condition only uses the ipo->ipo_dst field now.  For a flow
without peer, an SA must be negotiated for each host-to-host
combination.  Otherwise, if a peer exists at the flow, the kernel
acquires one SA for the whole network.

tested by todd@, ok hshoexer@, angelos@, todd@

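To make the behaviour described in the log message concrete, here is a small Python model of the SA acquire decision before and after this change. It is an added illustration, not code from ip_spd.c or the OpenBSD project: the `Flow`, `SARequest`, `acquire_before`, `acquire_after` and `sa_covers_packet` names, and the sample flows and addresses, are all constructed for the example. The model keeps only the two fields the message talks about (the flow's destination network and whether a peer is configured at the flow) and checks whether the SA that would be requested can actually match the flow.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """A simplified IPsec flow: destination network plus optional peer."""
    dst: str            # e.g. "0.0.0.0/0", "::/0" or "10.0.0.0/8"
    peer: Optional[str]  # security gateway address, or None for no peer


@dataclass(frozen=True)
class SARequest:
    """What the kernel would ask the key manager to negotiate (model)."""
    dst: str            # network the SA is requested for, with prefix length
    peer: Optional[str]


def _host_net(addr: str) -> str:
    """Express a single host as a network with a full mask (/32 or /128)."""
    host = ip_address(addr)
    return f"{host}/{host.max_prefixlen}"


def acquire_before(flow: Flow, pkt_dst: str) -> SARequest:
    """Old behaviour (as the log message describes it): for an 'any' flow
    the SA was requested for the packet's host address with a full mask,
    even when a peer was configured at the flow."""
    net = ip_network(flow.dst)
    if net.prefixlen == 0:
        return SARequest(_host_net(pkt_dst), flow.peer)
    return SARequest(str(net), flow.peer)


def acquire_after(flow: Flow, pkt_dst: str) -> SARequest:
    """New behaviour: only the presence of a peer decides. Without a peer,
    negotiate one host-to-host SA per destination; with a peer, acquire
    a single SA for the whole network of the flow."""
    if flow.peer is None:
        return SARequest(_host_net(pkt_dst), None)
    return SARequest(str(ip_network(flow.dst)), flow.peer)


def sa_covers_packet(sa: SARequest, flow: Flow, pkt_dst: str) -> bool:
    """Simplified match check (assumption, not kernel logic): a network SA
    must describe exactly the flow's network; a host-to-host SA must
    describe exactly the packet's destination host."""
    if flow.peer is not None:
        return ip_network(sa.dst) == ip_network(flow.dst)
    return ip_network(sa.dst) == ip_network(_host_net(pkt_dst))


if __name__ == "__main__":
    # Constructed sample: an "any" flow to a security gateway and a packet
    # heading to some host behind it.
    flow = Flow("0.0.0.0/0", peer="192.0.2.1")
    pkt = "198.51.100.7"
    old, new = acquire_before(flow, pkt), acquire_after(flow, pkt)
    print("before:", old, "covers flow:", sa_covers_packet(old, flow, pkt))
    print("after: ", new, "covers flow:", sa_covers_packet(new, flow, pkt))
```

Running the script shows the mismatch the log message describes: the old request is for 198.51.100.7/32, which does not describe the 0.0.0.0/0 flow, while the new request is for 0.0.0.0/0 itself. For a flow without a peer both versions still request one host SA per destination, which is the case the message says must keep working.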