Re: [Users] SuperFreeS/WAN 1.99_kb3 w/ NAT-T: pfkey write() invalid argument

From: Stephen J. Bevan (stephen_at_dino.dnsalias.com)
Date: Thu Dec 26 2002 - 01:36:13 CET


Ken Bantoft writes:
> So yes, Stephen, you're somewhat off the hook, since Andreas has merged
> your code into 0.9.17. Unfortunately, there's now a conflict between the
> X.509 patch and NAT-T 0.4 patches, specifically in the pfkey area. Ugly.

Looking at _kb3 I think the problem is in the manual patching you had
to do in order to merge X.509 0.9.17 and NAT 0.4. The order of the
arrays klips/net/ipsec/pfkey_v2_parser.c:ext_processors and
lib/pfkey_v2_parse.c:ext_default_parsers must match the order of the
SADB_X definitions in lib/pfkeyv2.h. They are out of whack in _kb3.
In the SuperFreeS/WAN patch I created (<http://www.prevoy.com/resources.html>)
I put the selector stuff consistently after the NAT-T stuff since
that was the easiest change to make. When Andreas merged the
selectors into X.509 there was no NAT-T stuff so he just put it at the
end. When the NAT-T stuff is added then it either needs to go
consistently before or consistently after the selectors. In _kb3
SADB_X_EXT_PROTOCOL comes after the NAT-T stuff in lib/pfkeyv2.h but
in the arrays the protocol function is listed before the NAT-T functions.
This means that if you try and call the selector stuff you end up
calling a NAT-T function and vice versa, hence the EINVAL errors.
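
The ordering constraint described in the message above, as an added example that is not part of the original post or of the FreeS/WAN source: a parser table indexed by extension id, once listed positionally in the wrong order and once bound to the ids with designated initializers. The enum names, values, payload lengths and parser functions are hypothetical stand-ins for the SADB_X definitions and the ext_processors / ext_default_parsers arrays.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical extension ids standing in for the SADB_X definitions;
 * names and values are constructed for this example. */
enum ext_id { EXT_RESERVED, EXT_SA, EXT_NAT_T_TYPE, EXT_NAT_T_PORT,
              EXT_PROTOCOL, EXT_MAX };
struct ext { enum ext_id type; size_t len; };
typedef int (*ext_parser)(const struct ext *);

/* Each parser accepts only the payload length of its own extension. */
static int parse_reserved(const struct ext *e) { (void)e; return -EINVAL; }
static int parse_sa(const struct ext *e)       { return e->len == 16 ? 0 : -EINVAL; }
static int parse_nat_type(const struct ext *e) { return e->len == 1 ? 0 : -EINVAL; }
static int parse_nat_port(const struct ext *e) { return e->len == 2 ? 0 : -EINVAL; }
static int parse_protocol(const struct ext *e) { return e->len == 4 ? 0 : -EINVAL; }

/* Positional table as after a bad merge: protocol listed before NAT-T,
 * although EXT_PROTOCOL is numbered after the NAT-T ids. */
static const ext_parser merged_wrong[] = {
    parse_reserved, parse_sa, parse_protocol, parse_nat_type, parse_nat_port,
};
/* Designated initializers bind each slot to its id, so the order in
 * which entries appear in the source no longer matters. */
static const ext_parser by_id[EXT_MAX] = {
    [EXT_PROTOCOL]   = parse_protocol,
    [EXT_NAT_T_TYPE] = parse_nat_type,
    [EXT_NAT_T_PORT] = parse_nat_port,
    [EXT_SA]         = parse_sa,
    [EXT_RESERVED]   = parse_reserved,
};
/* Catches a table whose length drifts from the id list (not its order). */
_Static_assert(sizeof merged_wrong / sizeof merged_wrong[0] == EXT_MAX, "table size");

static int dispatch(const ext_parser *tbl, const struct ext *e)
{
    if (e->type <= EXT_RESERVED || e->type >= EXT_MAX || !tbl[e->type])
        return -EINVAL;
    return tbl[e->type](e);   /* wrong table order means wrong parser here */
}

int main(void)
{
    struct ext proto = { EXT_PROTOCOL, 4 };   /* constructed sample */
    printf("wrong order: %d, by id: %d\n",
           dispatch(merged_wrong, &proto), dispatch(by_id, &proto));
    return 0;
}
```

The size assertion only detects a missing or extra entry; an order swap like the one in _kb3 keeps the length unchanged, which is why binding entries to their ids is the part that prevents it.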