[Swan-dev] More confusion of options to clean up regarding phase1 and phase2 options

Paul Wouters paul at nohats.ca
Tue Apr 22 04:46:04 EEST 2014 

On Sun, 20 Apr 2014, D. Hugh Redelmeier wrote:

> I'll say it again, perhaps more clearly:
>
> I'm willing to work on the parsing, but I'd like clear and accurate
> explanation of what we (think) the syntax is now.  I don't really want
> to have to infer it from the code.
>
> It would be great to know what people actually use (i.e. what not to
> break).  Oh, and what has been documented.
>
> That's the starting point.
>
> The next step would be a proposed rational design.

I have started to add legitimate cases into testing/lib/libpluto/algparse.c
including ones that should get rejected (marked as such)

This should be extended to cover more.

> All that is useful, but since I don't know what exists, I don't really
> understand what that list means.

> Let me emphasize: talking about it is important, especially for
> user-visible changes.  And accurate documentation needs to be a higher
> priority.

Agreed. the man pages _must_ match the implementation, always.

> The serious mess of natt-related options ought to be cleaned up too.
> Now, while I remember how the option handling works.  But first, I
> would like to clearly know which options are actually important and
> used.

All of them? I'm not sure which you are referring to. The NAT options
were mostly added for people to work around some kind of deployment
issue.

ikev1_natt - work around bugs in RFC NATT implementation in certain Cisco firmware
nat_keepalive - people on bad links like to disable this (arguably unwise)
                 (bool, suggested to turn into a time field - see below)
force_keepalive - obsoleted already
nat_traversal - obsoleted already
disable_port_floating - obsoleted already
nat_ikeport - work around UDP 4500 blocks
keep_alive - should become per-connection (talk of merging with nat_keepalive)
virtual_private - required by everyone


> I'm still wondering about nat- vis natt-.

In the above the only "natt-" one is ikev1_natt. It specifically refers
to which nat-traversal payloads to send. The rest deals with nat, so
relates to natt. I'm okay with renaming it, although it makes sense as
it. (to me, but I also made the keyword up in the first place)

Paul

More information about the Swan-dev mailing list