[Swan-dev] shared IKE SA interop bug with cisco

Paul Wouters paul at nohats.ca
Tue Dec 9 20:49:37 EET 2014


On Mon, 8 Dec 2014, Matt Rogers wrote:

>> can you commit test as a wip? I am curious to see what is going on. I need the same for IKEv2 and CREATE_CHILD_SA.

>
> Take a look at the conn_shared_ike branch that I pushed, it has a test and

I pushed the test case (not the code) into master.

> continuation of the patch. I was focusing on the IKEv1 side of this so there
> may be some implications for IKEv2 that I was not aware of, so it will need some
> more review and testing.
>
>> Have you tried A and B with different authby or with xauth? say one with rsa and the other psk?
>
> This kind of setup doesn't seem to work initially, with IKEv1 at least. The reason being
> that on the responder, the last connection added to the host pair will end up
> answering the initiation, so if that is TUNNEL-C, it will accept the one auth method
> that TUNNEL-C is configured for.

This is similar to the connection switching bug triggered by:

conn base
	left=1.2.3.4
	right=5.6.7.8
	authby=secret

conn port555
	also=base
	leftprotoport=tcp/555
	rightprotoport=tcp/555
	esp=aes128-sha1

conn otherports
	also=base
	esp=aes256-sha1

This will also share the IKE SA, but then run into problems. I added
ikev1-connswitch-ports-01 as a test case for this (using netkey).

A similar test with ike= is even more confusing, because sharing the IKE
means contradicting the configuration, but I'm willing to write that
down as "operator error".

Paul
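An added example, not libreswan code and not from this thread, of the kind of check the "operator error" case above calls for: it parses an ipsec.conf-style file, resolves also=, groups conns by their left/right host pair (the conns that would end up sharing one IKE SA) and reports pairs whose conns disagree on authby= or ike=. The conn names and addresses are taken from the example above; the authby=rsasig on otherports is an assumption added so the sample actually contains a contradiction.

```python
# Added example, not libreswan code: lint ipsec.conf-style conn sections by
# resolving also=, grouping conns by left/right host pair (the conns that
# would share one IKE SA) and flagging contradicting authby=/ike= values.
import re
from collections import defaultdict

# Constructed sample like the thread's, plus an assumed authby= on otherports.
SAMPLE_CONF = """\
conn base
\tleft=1.2.3.4
\tright=5.6.7.8
\tauthby=secret
conn port555
\talso=base
\tesp=aes128-sha1
conn otherports
\talso=base
\tauthby=rsasig
\tesp=aes256-sha1
"""

def parse_conns(text):
    # {conn name: {key: value}}, with also= still unresolved
    conns, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"conn\s+(\S+)$", line):
            cur = conns.setdefault(m.group(1), {})
        elif cur is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip()
    return conns

def resolve(conns, name, seen=()):
    # flatten the also= chain; a conn's own keys override the included conn's
    if name in seen:
        raise ValueError("also= loop at " + name)
    own = dict(conns[name])
    base = own.pop("also", None)
    merged = resolve(conns, base, seen + (name,)) if base else {}
    merged.update(own)
    return merged

def find_conflicts(text, keys=("authby", "ike")):
    # [(host pair, key, conn names)] where conns on one pair disagree on key
    conns, by_pair = parse_conns(text), defaultdict(list)
    for name in conns:
        c = resolve(conns, name)
        if "left" in c and "right" in c:
            by_pair[(c["left"], c["right"])].append((name, c))
    return [(pair, key, sorted(n for n, _ in members))
            for pair, members in by_pair.items() for key in keys
            if len({c.get(key) for _, c in members}) > 1]
```

Passing keys=("esp",) reports the aes128/aes256 split from the example as well, which is the case that shares the IKE SA and then runs into problems rather than an outright contradiction.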

