[Swan-commit] Changes to ref refs/heads/master
Paul Wouters
paul at vault.libreswan.fi
Wed Jan 2 20:46:03 UTC 2019
New commits:
commit 7c34d6c4c4e7ffd79b70601d399ad497eb6c34a4
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Jan 2 15:45:49 2019 -0500
documentation: update CHANGES
commit b3e3bea3161e230b222dd8a3807df40440642bbd
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Jan 2 15:36:14 2019 -0500
pluto: Update the logic of NAT-T keepalives
The logic is based on the assumptions that:
1) Running get_sa_info() on IPsec SA's is (too) expensive to do every 20s
2) Looking up IKE SA's for IPsec SA's is expensive
So we do not know if an IPsec SA is idle for the keepalive check.
For IKEv2, don't bother with keepalives for IPsec SA, as every IPsec SA has
an IKEv2 IKE SA. Simply check the IKE SA and send keepalives there.
For IKEv1, IPsec SA's can have no IKE SA. So we cannot skip the keepalive
checks for the IPsec SA and only use the IKEv1 IKE SA. So since we are
sending the keepalives on the IPsec SA state, we might as well not bother
sending them for the IKEv1 IKE SA.
commit 92c9ebe54ec68d5417c162751bc720d7b36e3df0
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Jan 2 15:35:28 2019 -0500
pluto: update st_last_liveness when sending any IKE packet
This allows for suppressing DPD probes and NAT-T keepalives
commit 2033b06f3957017e3254e2de44eaa027f46644ca
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Jan 2 15:33:46 2019 -0500
IKEv2: initiate NAT-T keepalive checks when establishing IKE SA
Before this, only when another IKEv1 connection would also trigger
NAT-T would IKEv2 connections also be considered on the next global
keepalive check.
commit 85395e91c3c03df83a3655a57ada7950ed1483cb
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Jan 2 15:33:24 2019 -0500
documentation: fix nat_keepalive comment
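Added example, not libreswan code: a minimal C model of which states carry NAT-T keepalives after the commits listed above. The struct, enum and function names are hypothetical (only `st_last_liveness` appears on the page), and suppressing a keepalive when an IKE packet was sent within the last 20s is an assumed reading of the `st_last_liveness` commit.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical model of pluto state, not the project's real structures. */
enum ike_version { IKEV1 = 1, IKEV2 = 2 };
enum sa_kind { IKE_SA, IPSEC_SA };

struct sa_state {
    enum ike_version ike_version;
    enum sa_kind kind;
    bool behind_nat;        /* NAT was detected for this peer */
    long st_last_liveness;  /* seconds; updated when any IKE packet is sent */
};

#define KEEPALIVE_INTERVAL 20 /* seconds, the period named in the commit message */

/* IKEv2: every IPsec SA has an IKE SA, so only the IKE SA is checked.
 * IKEv1: an IPsec SA may outlive its IKE SA, so the IPsec SA is checked
 * and the IKE SA is skipped. */
static bool carries_keepalive(const struct sa_state *st)
{
    if (!st->behind_nat)
        return false;
    if (st->ike_version == IKEV2)
        return st->kind == IKE_SA;
    return st->kind == IPSEC_SA;
}

/* Assumed suppression rule: recent IKE traffic already refreshed the NAT mapping. */
static bool keepalive_due(const struct sa_state *st, long now)
{
    return carries_keepalive(st) &&
           now - st->st_last_liveness >= KEEPALIVE_INTERVAL;
}

/* One global sweep over the state table; returns how many keepalives are due.
 * No per-SA kernel query and no IPsec-to-IKE SA lookup is needed. */
size_t keepalive_sweep(const struct sa_state *tab, size_t n, long now)
{
    size_t due = 0;
    for (size_t i = 0; i < n; i++)
        if (keepalive_due(&tab[i], now))
            due++; /* a real daemon would send the keepalive here */
    return due;
}
```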