http://bugzilla.novell.com/show_bug.cgi?id=489597
User bili@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=489597#c2
Li Bin changed:
What       |Removed   |Added
----------------------------------------------------------------------------
Status     |ASSIGNED  |RESOLVED
Resolution |          |UPSTREAM
--- Comment #2 from Li Bin 2009-04-23 22:48:39 MDT ---
Klaus,
I reviewed the source code, and found this is the information shown after isakmp
is established.
The IKE implementations have incompatible versions. Likely one
is IKEv1 and the other is IKEv2. They do not inter-operate unless the
IKEv2 implementation also implements IKEv1 (which is not always the case).
Now our VPN gateway should support IKEv1 and IKEv2 at the same time, so it
prompts this information.
In ipsec-tools-0.8-alpha20090126, the log was changed for anti-DoS. In
src/racoon/isakmp_inf.c:
    /* If we receive a error notification we should delete the related
     * phase1 / phase2 handle, and send an event to racoonctl.
     * However, since phase1 error notifications are not encrypted and
     * can not be authenticated, it would allow a DoS attack possibility
     * to handle them.
     * Phase2 error notifications should be encrypted, so we could handle
     * those, but it needs implementing (the old code didn't implement
     * that either).
     * So we are good to just log the messages here.
     */
Now I'm not prepared to put ipsec-tools-0.8 in 11.2 yet, maybe later after
0.8 becomes stable.
Thanks!