[Swan-commit] Changes to ref refs/heads/main

Andrew Cagney cagney at vault.libreswan.fi
Fri Jan 12 18:53:45 EET 2024

New commits:
commit eff956c18d79c9284c6f5a0d87899e8f56aef461
Author: Andrew Cagney <cagney at gnu.org>
Date:   Fri Jan 12 11:52:39 2024 -0500

    CHANGES: IKEv2: when non-MOBIKE never update NATed endpoint [#1492/Wofferl/Andrew]

commit 384c4667bc3760b2307964ffae7c163fe8e67a02
Author: Andrew Cagney <cagney at gnu.org>
Date:   Fri Jan 12 11:38:10 2024 -0500

    ikev2: disable non-MOBIKE NAT endpoint updates
    The idea is for an IKE SA that receives an authenticated packet
    from it's NATed peer, but with a new address, should update
    the peer's address as, presumably, NAT updated things.
    The feature was only haf implemented:
      - IKE SA's endpoint was updated
      - IPsec kernel state/policy endpoints was left unchanged
    The result was an IKE SA thinking all was good when no actual traffic could
      IKEv2 liveness does not work with IP change #1492
        where @wofferl explains the problem
      implement IKEv2's non-MOBIKE NAT port/address updates #1529

More information about the Swan-commit mailing list