Bug #207
ikev1, auto=route narrows subnet based TS to protocol port used
Start date: 26.07.2012
Due date:
Estimated time:
Affected version: 5.0.0
Resolution:
Description
With IKEv1, auto=route and /24 subnets on both sites, auto=route incorrectly narrows the Traffic Selectors.
When traffic is initiated, the IPsec SA is narrowed/negotiated only for the protocol/port used, not for the subnets.
Example: using ssh from site1 to site2, TS is
172.16.60.10/32[tcp/ssh] === 172.16.50.10/32[tcp/49298]
Expected behaviour is that TS would be
172.16.60.0/24[any] === 172.16.50.0/24[any]
If auto=start is used, TS is as expected.
ecdsa-comment:
I think that bug was introduced in an attempt to fix IKEv1 reauthentication (where we do want to reuse the smaller TS in case of narrowing).
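Added example (not part of the bug report and not strongSwan tooling): a small checker that takes traffic-selector pairs written in the "A/len[proto/port] === B/len[proto/port]" form quoted above, compares each side against the configured leftsubnet/rightsubnet, and flags any CHILD_SA whose selectors were narrowed to a single host or to a protocol/port, which is the symptom the report describes for auto=route. The function and variable names are my own, and the input lines are constructed for illustration rather than copied from a real `ipsec statusall` run.

```python
"""Check negotiated IPsec traffic selectors against configured subnets.

Added example, not code from the strongSwan project or the bug report.
Input lines follow the TS format quoted in the report; they are
constructed here for illustration.
"""
import ipaddress
import re

# address/prefix, optionally followed by [proto] or [proto/port]
TS_RE = re.compile(
    r"(?P<addr>[0-9a-fA-F.:]+/\d+)"
    r"(?:\[(?P<proto>[^/\]]+)(?:/(?P<port>[^\]]+))?\])?"
)


def parse_selector(text):
    """Return (network, proto, port) for one side of a TS pair.

    A missing [..] suffix or an explicit [any] both mean 'any protocol/port'.
    """
    m = TS_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised traffic selector: {text!r}")
    net = ipaddress.ip_network(m.group("addr"), strict=False)
    proto = m.group("proto") or "any"
    port = m.group("port") or "any"
    return net, proto, port


def parse_ts_pair(line):
    """Split 'left === right' into two parsed selectors."""
    left, right = line.split("===")
    return parse_selector(left), parse_selector(right)


def is_narrowed(selector, expected_net):
    """True if the selector covers less than the configured subnet/any."""
    net, proto, port = selector
    return net != expected_net or proto != "any" or port != "any"


def check_child_sas(lines, left_subnet, right_subnet):
    """Classify each TS pair against the configured subnets.

    Returns a list of (finding, line) tuples; an empty list means every
    CHILD_SA carries exactly the configured subnets with any proto/port.
    """
    expected_l = ipaddress.ip_network(left_subnet)
    expected_r = ipaddress.ip_network(right_subnet)
    findings = []
    for line in lines:
        l_sel, r_sel = parse_ts_pair(line)
        inside = (l_sel[0].subnet_of(expected_l)
                  and r_sel[0].subnet_of(expected_r))
        if not inside:
            findings.append(("outside configured subnets", line.strip()))
        elif is_narrowed(l_sel, expected_l) or is_narrowed(r_sel, expected_r):
            findings.append(("narrowed", line.strip()))
    return findings


# Constructed sample: the narrowed TS the report observed with auto=route,
# the expected /24 pair, and the same pair without the [any] suffix.
SAMPLE_TS = [
    "172.16.60.10/32[tcp/ssh] === 172.16.50.10/32[tcp/49298]",
    "172.16.60.0/24[any] === 172.16.50.0/24[any]",
    "172.16.60.0/24 === 172.16.50.0/24",
]

if __name__ == "__main__":
    for finding, line in check_child_sas(SAMPLE_TS,
                                         "172.16.60.0/24", "172.16.50.0/24"):
        print(f"{finding}: {line}")
```

Run it against the TS lines of a connection and any "narrowed" finding on a subnet-to-subnet conn with auto=route points at the behaviour reported here; with auto=start the same check should return nothing.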
History
#1 Updated by Martin Willi about 13 years ago
- Status changed from New to Closed
- Assignee set to Martin Willi
- Target version set to 5.0.1
Ah yes, almost forgotten, thanks Kimmo.
The referenced patch should fix this issue.