[Swan-commit] Changes to ref refs/heads/main
Andrew Cagney
cagney at vault.libreswan.fi
Fri Jan 12 18:53:45 EET 2024
New commits:
commit eff956c18d79c9284c6f5a0d87899e8f56aef461
Author: Andrew Cagney <cagney at gnu.org>
Date: Fri Jan 12 11:52:39 2024 -0500
CHANGES: IKEv2: when non-MOBIKE never update NATed endpoint [#1492/Wofferl/Andrew]
commit 384c4667bc3760b2307964ffae7c163fe8e67a02
Author: Andrew Cagney <cagney at gnu.org>
Date: Fri Jan 12 11:38:10 2024 -0500
ikev2: disable non-MOBIKE NAT endpoint updates
The idea is for an IKE SA that receives an authenticated packet
from its NATed peer, but with a new address, should update
the peer's address as, presumably, NAT updated things.
The feature was only half implemented:
- IKE SA's endpoint was updated
- IPsec kernel state/policy endpoints were left unchanged
The result was an IKE SA thinking all was good when no actual traffic could
flow.
see:
IKEv2 liveness does not work with IP change #1492
where @wofferl explains the problem
implement IKEv2's non-MOBIKE NAT port/address updates #1529