[Swan-commit] Changes to ref refs/heads/master
Paul Wouters
paul at vault.libreswan.fi
Mon Jan 13 03:25:35 UTC 2020
New commits:
commit cd993436a1c8ba51bf5078c7ae21fdd8626e526b
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Jan 12 22:14:43 2020 -0500
pluto: IKEv2: allow CP payload in IPsec CREATE_CHILD_SA as per RFC 7296 Appendix C.4
We won't be processing it though, which is allowed per RFC. As IPsec
SAs cannot really change their Traffic Selectors, we know what TSi/TSr
to expect irrespective of the CP payload.
In theory, the remote could suggest the narrowed down (addresspool IP) as TSi/TSr,
or it can use 0.0.0.0/0 and get narrowed down again. In theory, the lease on this
IP could have expired and a new one could be given, in which case such a client
MUST still send the old addresspool IP it got in its TSi/TSr _and_ the newly given
IP is given out as well by the responder (narrowed down from a 0.0.0.0/0 proposal).
But as stated, libreswan does not do any of this, as its IP lease can never expire
if the client is still connected and using it, since libreswan uses its own pool
and does not currently pull DHCP leases from elsewhere.
This fixes an interop issue at rekey time with Mikrotik routers that do send the CP
payload on child rekey requests.
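The behaviour the commit message describes, as an added example that is not libreswan code: a responder parses the payload chain of a CREATE_CHILD_SA rekey request, skips a CP payload without acting on it (RFC 7296 Appendix C.4), and narrows the proposed TSi/TSr to the lease it already issued, whether the initiator proposes that single address or 0.0.0.0/0 (RFC 7296 section 2.9). The function names, the lease 192.0.2.100, the responder network 10.1.0.0/16 and the sample request bytes are all constructed for illustration; the SA, Ni and N(REKEY_SA) payloads a real rekey carries are omitted from the constructed chain.

```python
"""Added example (not libreswan code): responder handling of an IKEv2
CREATE_CHILD_SA rekey request whose payload chain carries a CP payload.
Wire formats: generic payload header (RFC 7296 3.2), TS payload (3.13),
CP payload (3.15). IPv4 only, to keep the example short."""
import ipaddress
import struct

PT_NONE, PT_TSi, PT_TSr, PT_CP = 0, 44, 45, 47        # payload type numbers
KNOWN_PAYLOADS = {PT_TSi, PT_TSr, PT_CP}
TS_IPV4_ADDR_RANGE = 7
CFG_REQUEST, INTERNAL_IP4_ADDRESS = 1, 1
ANY_V4 = (0, 0, 65535, ipaddress.IPv4Address("0.0.0.0"),
          ipaddress.IPv4Address("255.255.255.255"))   # proto 0 = any


def host_selector(addr):
    """Single-host selector, any protocol, all ports."""
    ip = ipaddress.IPv4Address(addr)
    return (0, 0, 65535, ip, ip)


def parse_payload_chain(data, first_type):
    """Walk generic headers: Next Payload(1), C bit + RESERVED(1), Length(2)."""
    payloads, ptype, off = {}, first_type, 0
    while ptype != PT_NONE:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        nxt, flags, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length")
        if flags & 0x80 and ptype not in KNOWN_PAYLOADS:
            raise ValueError("unsupported critical payload %d" % ptype)
        if ptype in payloads:
            raise ValueError("duplicate payload %d" % ptype)
        payloads[ptype] = data[off + 4:off + length]
        ptype, off = nxt, off + length
    if off != len(data):
        raise ValueError("trailing bytes after last payload")
    return payloads


def parse_ts(body):
    """TS body: count(1), RESERVED(3), then 16-byte TS_IPV4_ADDR_RANGE entries."""
    count, off, selectors = body[0], 4, []
    for _ in range(count):
        if off + 16 > len(body):
            raise ValueError("truncated traffic selector")
        ts_type, proto, length, sport, eport = struct.unpack_from("!BBHHH", body, off)
        if ts_type != TS_IPV4_ADDR_RANGE or length != 16:
            raise ValueError("example handles TS_IPV4_ADDR_RANGE only")
        start = ipaddress.IPv4Address(body[off + 8:off + 12])
        end = ipaddress.IPv4Address(body[off + 12:off + 16])
        selectors.append((proto, sport, eport, start, end))
        off += length
    return selectors


def intersect(proposed, expected):
    """Narrow each proposed selector to its overlap with an expected one."""
    out = []
    for pp, psp, pep, pstart, pend in proposed:
        for xp, xsp, xep, xstart, xend in expected:
            if pp and xp and pp != xp:       # protocol 0 matches anything
                continue
            sport, eport = max(psp, xsp), min(pep, xep)
            start, end = max(pstart, xstart), min(pend, xend)
            if sport <= eport and start <= end:
                out.append((pp or xp, sport, eport, start, end))
    return out


def narrow_rekey(first_type, chain, lease, responder_net):
    """Accept the rekey only if TSi still covers the leased address and TSr
    overlaps our network; a CP payload is noted but never acted on."""
    payloads = parse_payload_chain(chain, first_type)
    if PT_TSi not in payloads or PT_TSr not in payloads:
        raise ValueError("rekey request without TSi/TSr")
    net = ipaddress.IPv4Network(responder_net)
    tsi = intersect(parse_ts(payloads[PT_TSi]), [host_selector(lease)])
    tsr = intersect(parse_ts(payloads[PT_TSr]),
                    [(0, 0, 65535, net.network_address, net.broadcast_address)])
    if not tsi or not tsr:
        raise ValueError("proposal does not cover the existing lease/network")
    return {"tsi": tsi, "tsr": tsr, "cp_ignored": PT_CP in payloads}


# --- constructed sample request (not a capture) -----------------------------
def build_payload(next_type, body):
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body


def build_ts(selectors):
    body = struct.pack("!B3x", len(selectors))
    for proto, sport, eport, start, end in selectors:
        body += struct.pack("!BBHHH", TS_IPV4_ADDR_RANGE, proto, 16, sport, eport)
        body += start.packed + end.packed
    return body


def constructed_rekey(tsi, tsr, with_cp=True):
    """Chain CP -> TSi -> TSr; CP is a CFG_REQUEST for INTERNAL_IP4_ADDRESS."""
    chain = b""
    if with_cp:
        cp_body = struct.pack("!B3x", CFG_REQUEST) + struct.pack("!HH", INTERNAL_IP4_ADDRESS, 0)
        chain += build_payload(PT_TSi, cp_body)
    chain += build_payload(PT_TSr, build_ts(tsi))
    chain += build_payload(PT_NONE, build_ts(tsr))
    return (PT_CP if with_cp else PT_TSi), chain
```

Calling `narrow_rekey(*constructed_rekey([ANY_V4], [ANY_V4]), "192.0.2.100", "10.1.0.0/16")` returns TSi narrowed to 192.0.2.100/32 and TSr narrowed to 10.1.0.0/16 with `cp_ignored` set, while a TSi that no longer covers the leased address is refused; the chain walker also rejects malformed lengths, duplicate payloads and unknown payloads marked critical, which is where a lenient "just skip it" approach tends to go wrong.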
commit e8f30f67d9be751caf21578583ef22e106b05a41
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Jan 12 21:46:05 2020 -0500
testing: fixup nss-cert-chain-04-ikev2
use require-id-on-certificate=no for our made up IKE IDs
Also in final.sh actually check if we properly switched connections,
which is what this test is all about.