[Swan-commit] Changes to ref refs/heads/master

Paul Wouters paul at vault.libreswan.fi
Mon Jan 13 03:25:35 UTC 2020

New commits:
commit cd993436a1c8ba51bf5078c7ae21fdd8626e526b
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Jan 12 22:14:43 2020 -0500

    pluto: IKEv2: allow CP payload in IPsec CREATE_CHILD_SA as per RFC 7296 Appendix C.4
    We won't be processing it though, which is allowed per RFC. As IPsec
    SA's cannot really change their Traffic Selectors, we know what TSi/TSr
    to expect irrespective of the CP payload.
    In theory, the remote could suggest the narrowed down (addresspool IP) as TSi/TSr,
    or it can use and get narrowed down again. In theory, the lease on this
    IP could have expired and a new one could be given, in which case such a client
    MUST still send the old addresspool IP it got in its TSi/TSr _and_ the newly given
    IP is given out as well by the responder (narrowed down from a proposal.
    But as stated, libreswan does not do any of this, as its IP lease can never expire
    if the client is still connected and using it, since libreswan uses its own pool
    and does not currently pull DHCP leases from elsewhere.
    This fixes an interop issue at rekey time with Mikrotik routers that do send the CP
    payload on child rekey requests.

commit e8f30f67d9be751caf21578583ef22e106b05a41
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Jan 12 21:46:05 2020 -0500

    testing: fixup nss-cert-chain-04-ikev2
    use require-id-on-certificate=no for our made up IKE ID's
    Also in final.sh actually check if we properly switched connections,
    which is what this test is all about.

More information about the Swan-commit mailing list