[Swan-commit] Changes to ref refs/heads/main
cagney at vault.libreswan.fi
Tue Oct 25 17:20:11 EEST 2022
Author: Andrew Cagney <cagney at gnu.org>
Date: Tue Oct 25 10:15:49 2022 -0400

    ikev2: enforce modecfg.server requiring a CP request

    When is CP allowed?

        A request for such a temporary address can be included in
        any request to create a Child SA (including the implicit
        request in message 3) by including a CP payload.

    When is CP required?

        In the case where the IRAS's [IPsec Remote Access Server]
        configuration requires that CP be used for a given
        identity IDi, but IRAC has failed to send a
        CP(CFG_REQUEST), IRAS MUST fail the request, and
        terminate the Child SA creation with a FAILED_CP_REQUIRED

    expect OE carnage #896 #897
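The responder-side rule quoted in the commit message, as an added example that is not libreswan's code: it walks an already-decrypted IKEv2 payload chain and returns the notify a server would send when CP is required but no CP(CFG_REQUEST) arrived. All identifiers and the sample bytes are hypothetical; the numeric values are those assigned in RFC 7296.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Numeric values from RFC 7296; all identifiers here are hypothetical. */
enum { PAYLOAD_NONE = 0, PAYLOAD_IDI = 35, PAYLOAD_CP = 47 };
enum { CFG_REQUEST = 1 };
enum { NOTIFY_INVALID_SYNTAX = 7, NOTIFY_FAILED_CP_REQUIRED = 37 };

/* Constructed samples: IDi followed by CP(CFG_REQUEST), and IDi alone. */
static const uint8_t with_cp[] = {
    PAYLOAD_CP, 0, 0, 8, 2, 0, 0, 0,             /* IDi header + 4 body bytes */
    PAYLOAD_NONE, 0, 0, 8, CFG_REQUEST, 0, 0, 0, /* CP: CFG type + 3 reserved */
};
static const uint8_t without_cp[] = { PAYLOAD_NONE, 0, 0, 8, 2, 0, 0, 0 };

/*
 * Walk the decrypted payload chain of a Child SA request and decide the
 * responder's answer: 0 to continue, otherwise the notify type to send.
 * 'first' is the type of the first payload in 'buf'.
 */
int check_cp_required(bool cp_required, uint8_t first,
                      const uint8_t *buf, size_t len)
{
    bool have_request = false;
    size_t off = 0;
    for (uint8_t type = first; type != PAYLOAD_NONE; ) {
        if (len - off < 4)
            return NOTIFY_INVALID_SYNTAX; /* truncated generic header */
        size_t plen = ((size_t)buf[off + 2] << 8) | buf[off + 3];
        if (plen < 4 || plen > len - off)
            return NOTIFY_INVALID_SYNTAX; /* length runs past the buffer */
        if (type == PAYLOAD_CP) {
            if (plen < 8)
                return NOTIFY_INVALID_SYNTAX; /* no room for the CFG type */
            if (buf[off + 4] == CFG_REQUEST)
                have_request = true;
        }
        type = buf[off]; /* Next Payload field of the current payload */
        off += plen;
    }
    return (cp_required && !have_request) ? NOTIFY_FAILED_CP_REQUIRED : 0;
}

int main(void)
{
    printf("%d %d\n", check_cp_required(true, PAYLOAD_IDI, with_cp, sizeof with_cp),
           check_cp_required(true, PAYLOAD_IDI, without_cp, sizeof without_cp));
    return 0;
}
```

A CP payload carrying any CFG type other than CFG_REQUEST does not satisfy the requirement, and a chain whose lengths do not add up is rejected before the CP check is reached.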