[Swan-commit] Changes to ref refs/heads/main

Paul Wouters paul at vault.libreswan.fi
Wed Nov 25 18:26:10 UTC 2020


New commits:
commit a43c1a86ba13111587b6910bf3dc6ee9a4a25d61
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Nov 25 13:21:28 2020 -0500

    pluto: add auto=keep option and revival for instances (via co_serialno)
    
    Problem scenario: a peer behind NAT initiates to libreswan and brings up
    a tunnel. Once idle, the tunnel is torn down, but libreswan wants the
    tunnel to always be up. It cannot do a regular initiate of the connection
    because the peer is behind NAT so IKE traffic to port 500/4500 will fail.
    
    auto=keep will add POLICY_UP to the auto=add, so once the instance comes up
    and receives a delete, it will update its ike port to the last known port
    in use, and immediately re-initiate back before the NAT router closes the
    NAT mapping and the machine behind NAT becomes unreachable.
    
    If keyingtries=0, set it to 2 so in case the machine behind NAT is gone,
    the revival process ends and the instance connection is deleted.

commit d97f39ec673c1e4fc77ed2bcf30a79cca815137b
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Nov 25 12:53:57 2020 -0500

    testing: added ikev2-revive-through-nat-02-cleanfail
    
    Test for a reviving instance with no hope to actually die

commit 480bc921b6b4e84e9838a1e6df5850dcfd3ef6db
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Nov 24 23:42:46 2020 -0500

    testing: add ikev2-revive-through-nat

commit 680ecc5b47019811656b5b3c23c4909e645d0840
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Nov 25 11:48:09 2020 -0500

    pluto: rename conn_by_name()'s strict argument into no_inst
    
    'strict' is really an awful name.


