From: Stephen J. Bevan (stephen_at_dino.dnsalias.com)
Date: Tue Oct 29 2002 - 22:00:52 CET
George Hadjichristofi writes:
> I want to use the Options field in the IP header of a packet. However, I
> am wondering whether an IPSec tunnel will "hide" the options field. Is the
> inner IP header's options field copied to the outer's in the current
> implementation of freeswan ipsec?
The following is from near the start of
klips/net/ipsec/ipsec_tunnel.c:ipsec_tunnel_start_xmit

    if ((iph->ihl << 2) != sizeof (struct iphdr)) {
        KLIPS_PRINT(debug_tunnel,
                    "klips_debug:ipsec_tunnel_start_xmit: "
                    "cannot process IP header options yet. May be mal-formed packet.\n"); /* XXX */
        stats->tx_dropped++;
        goto cleanup;
    }

As you can see, any outbound packet with IP options is dropped.
> If not, will it be complicated to implement that?
At a minimum you'd need to remove the above check and modify other parts
of ipsec_tunnel_start_xmit to allocate enough space for the IP header
and options (i.e. not just sizeof(struct iphdr) as is there now) and
copy over the options when the new header is created rather than just
filling in selected fields as is done now. That's a pretty small
change. I have no idea if that is all that is required.
> Also, can the options field be added/modified on the outer IP header of
> a packet after it enters the IPSec tunnel?
Assuming you make the above changes so that IP options are allowed at
all, then you are free to alter/modify the options as you see fit.
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
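
Added example, not part of the original message and not FreeS/WAN code: a stand-alone C version of the header-length test quoted above, extended with the bounds-checked walk of the option area that any code copying options into an outer header would need first. The function names and the sample headers are constructed for illustration, and the sample checksums are left as zero.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPV4_MIN_HDR 20 /* sizeof(struct iphdr): IPv4 header without options */

/* Constructed sample headers (checksum left as zero): no options, a 4-byte
 * Router Alert option, and an option whose length byte overruns the header. */
static const uint8_t plain[]  = {0x45,0,0,20, 0,0,0,0, 64,1,0,0, 10,0,0,1, 10,0,0,2};
static const uint8_t ralert[] = {0x46,0,0,24, 0,0,0,0, 64,1,0,0, 10,0,0,1, 10,0,0,2,
                                 0x94,0x04,0x00,0x00};
static const uint8_t badopt[] = {0x46,0,0,24, 0,0,0,0, 64,1,0,0, 10,0,0,1, 10,0,0,2,
                                 0x94,0x08,0x00,0x00};

/* Number of option bytes (0..40), or -1 if the header is malformed or truncated. */
int ipv4_options_len(const uint8_t *pkt, size_t len)
{
    if (len < IPV4_MIN_HDR || (pkt[0] >> 4) != 4) return -1;
    size_t hlen = (size_t)(pkt[0] & 0x0f) << 2; /* same value as iph->ihl << 2 */
    if (hlen < IPV4_MIN_HDR || hlen > len) return -1;
    return (int)(hlen - IPV4_MIN_HDR);
}

/* Mirrors the quoted test: anything but a bare 20-byte header is dropped. */
int klips_would_drop(const uint8_t *pkt, size_t len) { return ipv4_options_len(pkt, len) != 0; }

/* Walk the option TLVs before copying them; returns the option count or -1. */
int ipv4_count_options(const uint8_t *pkt, size_t len)
{
    int optlen = ipv4_options_len(pkt, len), i = 0, count = 0;
    if (optlen < 0) return -1;
    const uint8_t *opt = pkt + IPV4_MIN_HDR;
    while (i < optlen && opt[i] != 0) {        /* type 0: End of Option List */
        if (opt[i] == 1) { i++; continue; }    /* type 1: one-byte No-Operation */
        if (i + 1 >= optlen || opt[i + 1] < 2 || i + opt[i + 1] > optlen)
            return -1;                         /* length byte missing or out of bounds */
        i += opt[i + 1];
        count++;
    }
    return count;
}

int main(void)
{
    printf("drop:    plain=%d ralert=%d badopt=%d\n", klips_would_drop(plain, sizeof plain),
           klips_would_drop(ralert, sizeof ralert), klips_would_drop(badopt, sizeof badopt));
    printf("options: plain=%d ralert=%d badopt=%d\n", ipv4_count_options(plain, sizeof plain),
           ipv4_count_options(ralert, sizeof ralert), ipv4_count_options(badopt, sizeof badopt));
}
```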