Date: Thu, 04 Apr 2024 10:39:17 -0400
From: Michael Richardson <mcr@...delman.ca>
To: Antony Antony <antony@...nome.org>
cc: antony.antony@...unet.com, Herbert Xu <herbert@...dor.apana.org.au>,
netdev@...r.kernel.org, David Ahern <dsahern@...nel.org>,
devel@...ux-ipsec.org, Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
"David S. Miller" <davem@...emloft.net>
Subject: Re: [PATCH net 1/1] xfrm: fix source address in icmp error generation from IPsec gateway

Antony Antony <antony@...nome.org> wrote:
> Indeed, 10.1.3.2 does not match the policy. However, notice the "flag
> icmp" in the above line. That means the policy lookup will use the
> inner payload for policy lookup as specified in RFC 4301, Section 6,
> which will match. The inner payload 10.1.4.1 <=> 10.1.4.3 will match
> the policy.

How is "flag icmp" communicated via IKEv2?
Won't the other gateway just drop this packet?
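
The lookup described in the quoted text, as an added example that is not part of the original message and is not the kernel's xfrm code: a simplified model in which a policy carrying the icmp flag falls back to the reversed inner header of an ICMP error. The struct and function names, the /32 selectors, and the choice of 10.1.4.1 as the original sender are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model for illustration; hypothetical names, not kernel xfrm code. */
#define IP(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

struct hdr { uint32_t src, dst; };
struct selector { uint32_t src, dst; uint8_t src_plen, dst_plen; };
struct policy { struct selector sel; bool flag_icmp; };
struct packet { struct hdr outer; bool is_icmp_error; struct hdr inner; };

static bool prefix_match(uint32_t addr, uint32_t net, uint8_t plen) {
    uint32_t mask = plen ? ~(uint32_t)0 << (32 - plen) : 0;
    return (addr & mask) == (net & mask);
}

static bool sel_match(const struct selector *s, uint32_t src, uint32_t dst) {
    return prefix_match(src, s->src, s->src_plen) &&
           prefix_match(dst, s->dst, s->dst_plen);
}

/* True when the policy covers the packet. */
bool policy_covers(const struct policy *p, const struct packet *pkt) {
    if (sel_match(&p->sel, pkt->outer.src, pkt->outer.dst))
        return true;
    /* The enclosed header belongs to the packet that triggered the error and
     * travelled the opposite way, so compare it with src and dst swapped. */
    if (p->flag_icmp && pkt->is_icmp_error)
        return sel_match(&p->sel, pkt->inner.dst, pkt->inner.src);
    return false;
}

/* Constructed sample: 10.1.3.2 reports an error to 10.1.4.1 about 10.1.4.1 -> 10.1.4.3. */
struct packet sample_error(void) {
    return (struct packet){ { IP(10,1,3,2), IP(10,1,4,1) }, true,
                            { IP(10,1,4,1), IP(10,1,4,3) } };
}

/* Constructed policy for the return direction: 10.1.4.3/32 -> 10.1.4.1/32. */
struct policy sample_policy(bool flag_icmp) {
    return (struct policy){ { IP(10,1,4,3), IP(10,1,4,1), 32, 32 }, flag_icmp };
}

int main(void) {
    struct packet e = sample_error();
    struct policy with = sample_policy(true), without = sample_policy(false);
    printf("flag icmp set: %d, unset: %d\n",
           policy_covers(&with, &e), policy_covers(&without, &e));
    return 0;
}
```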