* Add support for ESP+NULL encryption for ipsec. Useful for traversing NAT
where AH can't be used.
* Fixes for ipsec in IPv6.
* In ipsecctl(8), allow rule if there is at least one matching address
family combination.
* Added better support for IPv6 hostname/numeric representation in the
ipsecctl(8) parser.
* Make ipsecctl(8) handle multiple SAs with same src/dst but different port.
* Add support in pf(4) to tag ipsec traffic belonging to specific
IKE-initiated phase 2 traffic. Allows policy-based filtering of encrypted
and unencrypted ipsec traffic.
* In ipsecctl(8), do not delete sections that might be shared with other
connections. This workaround might leak isakmpd(8) entries, but is ok for
now.
* Make ipsecctl(8) handle rules with addresses from mismatched address
families correctly.
* Make ipsecctl(8) check both source and destination when grouping SAs.
* Fix grouping for SAs in ipsecctl(8), now all combinations of SAs are
possible, not only ESP+AH.
* Make sure ipsecctl(8) does not count sa, ike and tcpmd5 rules twice.
* Add support in ipsecctl(8) for aggressive mode.
* Have bgpd(8) store copies of everything needed to remove SAs and flows
later. Allows for migration from tcp md5sig to ipsec esp ike with just
bgpctl reload on both sides and bgpctl neighbor $foo clear on one side.


On 5/24/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> Yes it does..., I'm actually running 4.1 on one side. Haven't had a chance
> to upgrade the other side yet. Privately requested to upgrade by whom? Is
> this a known issue... maybe I should run through the change log once
> again...
>
> On 5/24/07, Steven Surdock <[EMAIL PROTECTED]> wrote:
> >
> > Sounds a little like:
> > http://marc.info/?l=openbsd-misc&m=117915053113185&w=2
> >
> > I was privately requested to try an upgrade to 4.1-stable. I have not
> > had the opportunity to do so and I seem to be having a little trouble
> > building 4.1-stable at the moment...
> >
> > -Steve S.
