[Swan-commit] Changes to ref refs/heads/master
Antony Antony
antony at vault.libreswan.fi
Thu May 10 23:10:26 UTC 2018
New commits:
commit 4ab2853a9e887cef89a71e3fc2de735121fa1b2e
Merge: 1e442f5 47abc56
Author: Antony Antony <antony at phenome.org>
Date: Fri May 11 01:08:28 2018 +0200
Merge branch 'ikev2-rekey'
IKE SA rekeying, RFC7296 1.3.2, initiator
IPsec SA rekeying, RFC7296 1.3.3, initiator
IKE reauth=no|yes RFC7296 2.8.3 keyword
commit 47abc56316177bd679417619fc5ee5c07645951c
Author: Antony Antony <antony at phenome.org>
Date: Fri May 11 01:05:25 2018 +0200
copyright: for rekey merge
commit c8d1f974225833bc843fe4c9aa619f88c537ae0f
Author: Antony Antony <antony at phenome.org>
Date: Tue Apr 24 18:50:29 2018 +0000
testing: ikev2 test fixes due to ike-rekey branch
- some tests are redundant because they default to rekey now
- other ones need changes to description and comments: reauth -> rekey
- lots of state number changes with pluto's support of rekey
commit 543fc17b3961af4c9709090bf864dc2e7b9df8f9
Author: Antony Antony <antony at phenome.org>
Date: Tue Dec 19 21:17:15 2017 +0100
testing: ikev2 rekey new tests
commit 96f7ce8b0c75f0007783f546968ca82755fe22dc
Author: Antony Antony <antony at phenome.org>
Date: Fri Apr 20 13:14:18 2018 +0200
ikev2: drop the duplicate response to CREATE_CHILD_SA request, initiator
crypto is busy processing the previous response, drop the new one.
commit b1db6fb611bf5a58f521ccd2163131626580cc83
Author: Antony Antony <antony at phenome.org>
Date: Tue Apr 10 17:03:55 2018 +0200
ikev2: drop/handle retransmitted CREATE_CHILD_SA requests on responder
commit 330e8e512c9960044aae7ddd3b805fe8ffee1132
Author: Antony Antony <antony at phenome.org>
Date: Wed Apr 4 18:01:05 2018 +0200
ikev2: log possible message id deadlock
If this gets logged too often, due to lost Liveness/DPD, we need a better fix
to avoid message id deadlock.
pluto increases the message id for every Liveness/DPD.
If a message/response is lost, the message should be retransmitted
without incrementing the message id.
This is possibly an invasive change; pluto may need separate buffers for tx and rx
messages. The current design is one tpacket, which stores the request sent and
the response sent.
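The deadlock the commit message above describes follows from the Message ID rules in RFC 7296 section 2.1: a responder only accepts request IDs inside its window (size 1 unless SET_WINDOW_SIZE was negotiated) and an initiator must retransmit a lost request with the same Message ID rather than a new one. The toy model below is an added example written for this page, not libreswan/pluto code; the Responder class, run_liveness() and the channel outcomes are constructed to contrast the RFC behaviour with a sender that takes a fresh Message ID for every liveness probe.

```python
"""Toy model of IKEv2 Message ID handling (RFC 7296 section 2.1, window size 1).

Constructed example, not libreswan/pluto code.  It contrasts a sender that
retransmits a lost request with the SAME Message ID (what the RFC requires)
against one that allocates a NEW Message ID for every liveness probe, which
is the behaviour the commit message above says can deadlock the exchange.
"""

# Constructed per-attempt channel outcomes.
REQ_LOST = "request lost"
RESP_LOST = "response lost"
OK = "delivered"


class Responder:
    """Minimal responder: answers the expected Message ID, replays a stored
    response to a retransmitted request, and silently drops anything else."""

    def __init__(self):
        self.expected_id = 0          # next new request Message ID we accept
        self.sent_responses = {}      # Message ID -> response payload already sent

    def handle(self, msgid):
        if msgid == self.expected_id:
            self.sent_responses[msgid] = f"liveness-ack-{msgid}"
            self.expected_id += 1
            return self.sent_responses[msgid]
        if msgid in self.sent_responses:
            # Retransmitted request: RFC 7296 2.1 says resend the stored response.
            return self.sent_responses[msgid]
        # Outside the window (expected_id .. expected_id + window - 1): drop.
        return None


def run_liveness(events, retransmit_same_id):
    """Drive one initiator against a Responder over a lossy channel.

    events: constructed per-attempt channel outcomes (OK, REQ_LOST, RESP_LOST).
    retransmit_same_id: True  -> a retry reuses the outstanding Message ID,
                        False -> every attempt takes a fresh Message ID.
    Returns (response_received, attempts_used).
    """
    responder = Responder()
    next_id = 0
    outstanding = next_id        # Message ID of the request awaiting its response
    next_id += 1
    for attempt, outcome in enumerate(events, start=1):
        if outcome != REQ_LOST:
            response = responder.handle(outstanding)
            if response is not None and outcome != RESP_LOST:
                return True, attempt
        # No usable answer this round: choose the Message ID for the retry.
        if not retransmit_same_id:
            outstanding = next_id
            next_id += 1
    # Every attempt was lost or dropped: the initiator is stuck waiting.
    return False, len(events)


if __name__ == "__main__":
    lossy = [REQ_LOST, RESP_LOST, OK, OK]
    print("same id :", run_liveness(lossy, retransmit_same_id=True))   # (True, 3)
    print("fresh id:", run_liveness(lossy, retransmit_same_id=False))  # (False, 4)
```

With the same lossy channel, the RFC-conformant sender recovers on its third attempt (the responder replays the stored response to the retransmitted ID), while the fresh-ID sender never recovers: once its first request is lost, every later request is ahead of the responder's window and is dropped, which is the "message id deadlock" the log line is meant to surface.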
commit 7556e54c657e8df531cb6e37213122ff8ec24b8a
Author: Antony Antony <antony at phenome.org>
Date: Tue Mar 20 19:29:18 2018 +0100
ikev2: initiate rekey, IKE SA and IPsec SA
add RFC7296 1.3.2 initiator support
add RFC7296 1.3.3 initiator support
reauth=no|yes RFC7296 2.8.3 (initiate IKE SA reauthentication)
commit a14d8cf3cbfff30101c2f6d01d2174487ce48d1a
Author: Antony Antony <antony at phenome.org>
Date: Sat Mar 24 19:24:37 2018 +0100
ikev2: flush incomplete IKE rekey initiator state.
It has different cookies than the parent, reset past and give new start.
commit 0dd4d7ffe7a47b72981808b164bc85633277c561
Author: Antony Antony <antony at phenome.org>
Date: Tue Dec 19 18:32:51 2017 +0100
ikev2: get around null policy replacing
commit 5ef971bb85bc33e9ef064a7390de201224736f21
Author: Antony Antony <antony at phenome.org>
Date: Mon Dec 18 22:47:10 2017 +0100
ikev2: change the workaround 1b9125b35b8 to allow CREATE_CHILD_SA
This commit's side effect is that it will catch any replacing IKEv2 IPsec SA
and initiate a new IKE, which does not go well with CREATE_CHILD_SA IPsec rekey
or IPsec SAs sharing an IKE SA.
I think CREATE_CHILD_SA support already fixed what 1b9125b35b8 fixed.
commit 033479c2ab1f3bdfa054a53896f7e242a2ec1144
Author: Antony Antony <antony at phenome.org>
Date: Mon Dec 18 10:47:24 2017 +0100
ikev2: extra check for responses
commit 2c5c790a95a85678578e497ca1672598ce2011c5
Author: Antony Antony <antony at phenome.org>
Date: Fri Apr 20 14:43:59 2018 +0200
ikev2: refactor v2N_CP and TS response processing
commit 161be58ed5c6a6c3ae47e0f6b06fcf755df81627
Author: Antony Antony <antony at phenome.org>
Date: Mon Dec 18 18:07:36 2017 +0100
ikev2: pick viable parent to initiate CREATE_CHILD_SA
Before starting a new CREATE_CHILD_SA, check the viability of the parent.
Once the parent is about to expire, being renewed, do not start a new
CREATE_CHILD_SA exchange.
rekeymargin=0s is a corner case. You will need at least 2s;
maybe enforce it in add_conn?