[Swan-dev] shared IKE SA interop bug with cisco
Paul Wouters
paul at nohats.ca
Tue Dec 9 20:49:37 EET 2014
On Mon, 8 Dec 2014, Matt Rogers wrote:
>> can you commit test as a wip? I am curious to see what is going on. I need the same for IKEv2 and CREATE_CHILD_SA.
>
> Take a look at the conn_shared_ike branch that I pushed, it has a test and
I pushed the test case (not the code) into master.
> continuation of the patch. I was focusing on the IKEv1 side of this so there
> may be some implications for IKEv2 that I was not aware of, so it will need some
> more review and testing.
>
>> Have you tried A and B with different authby or with xauth? say one with rsa and the other psk?
>
> This kind of setup doesn't seem to work initially, with IKEv1 at least. The reason being
> that on the responder, the last connection added to the host pair will end up
> answering the initiation, so if that is TUNNEL-C, it will accept the one auth method
> that TUNNEL-C is configured for.
This is similar to the connection switching bug triggered by:
conn base
	left=1.2.3.4
	right=5.6.7.8
	authby=secret

conn port555
	also=base
	leftprotoport=tcp/555
	rightprotoport=tcp/555
	esp=aes128-sha1

conn otherports
	also=base
	esp=aes256-sha1
This will also share the IKE SA, but then run into problems. I added
ikev1-connswitch-ports-01 as a test case for this (using netkey).
A similar test with ike= is even more confusing, because sharing the IKE
means contradicting the configuration, but I'm willing to write that
down as "operator error".
Paul
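Added example, not part of this thread and not libreswan code: a small lint script for the failure mode discussed above. Connections with the same left/right addresses (libreswan's "host pair") end up sharing one IKE SA, so settings that are negotiated per IKE SA (authby=, ike=) cannot meaningfully differ between them; whichever conn answers decides. The script parses a simplified ipsec.conf (conn sections, key=value lines, also= inheritance, which are assumptions about the format, not a full parser), groups conns by host pair, and reports IKE-SA-level keys whose values disagree within a pair. Per-Child-SA keys such as esp= and leftprotoport= are deliberately allowed to differ. The sample configs are constructed from the snippet in the mail plus one extra conn (badike) that sets a conflicting ike= line.

```python
"""Lint ipsec.conf conns that share a host pair but disagree on IKE-SA-level keys.

Added example for this thread, not libreswan code. Assumptions: every
'conn NAME' section is a real connection, 'left'/'right' identify the host
pair, and also= is the only inheritance mechanism handled.
"""
import re
from collections import defaultdict

# Keys negotiated once per IKE SA, hence shared by every conn in a host pair.
# esp=/leftprotoport= belong to the Child SA and may legitimately differ.
IKE_SA_KEYS = ("authby", "ike")

# Constructed from the snippet in the mail: same host pair, only Child-SA-level
# differences, so no IKE-SA-level conflict is expected.
THREAD_CONF = """
conn base
	left=1.2.3.4
	right=5.6.7.8
	authby=secret

conn port555
	also=base
	leftprotoport=tcp/555
	rightprotoport=tcp/555
	esp=aes128-sha1

conn otherports
	also=base
	esp=aes256-sha1
"""

# Constructed: same as above plus a conn that sets ike= on the shared host pair.
CONFLICT_CONF = THREAD_CONF + """
conn badike
	also=base
	ike=aes256-sha1
"""


def parse_ipsec_conf(text):
    """Parse 'conn NAME' sections into {name: {key: value}}; comments ignored."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        if current is None or "=" not in line:
            continue  # lines outside a conn section (e.g. config setup) are ignored
        key, value = (s.strip() for s in line.split("=", 1))
        conns[current][key] = value
    return conns


def expand_also(conns):
    """Resolve also= chains: the referencing conn's own keys win over the base's.
    Raises ValueError on a missing target or a cycle."""
    resolved = {}

    def resolve(name, seen):
        if name in resolved:
            return resolved[name]
        if name not in conns:
            raise ValueError("also= refers to unknown conn %s" % name)
        if name in seen:
            raise ValueError("also= cycle involving %s" % name)
        own = dict(conns[name])
        base = own.pop("also", None)
        merged = {}
        if base is not None:
            merged.update(resolve(base, seen | {name}))
        merged.update(own)
        resolved[name] = merged
        return merged

    for name in conns:
        resolve(name, frozenset())
    return resolved


def find_ike_sa_conflicts(conns):
    """Return {(left, right): {key: {value: [conn, ...]}}} for IKE-SA-level keys
    whose values differ among conns sharing that host pair."""
    pairs = defaultdict(list)
    for name, cfg in conns.items():
        if "left" in cfg and "right" in cfg:
            pairs[(cfg["left"], cfg["right"])].append(name)
    conflicts = {}
    for pair, names in pairs.items():
        if len(names) < 2:
            continue
        for key in IKE_SA_KEYS:
            by_value = defaultdict(list)
            for n in names:
                by_value[conns[n].get(key, "<default>")].append(n)
            if len(by_value) > 1:
                conflicts.setdefault(pair, {})[key] = dict(by_value)
    return conflicts


def lint(text):
    """Parse, expand also=, and report IKE-SA-level disagreements per host pair."""
    return find_ike_sa_conflicts(expand_also(parse_ipsec_conf(text)))


if __name__ == "__main__":
    for label, conf in (("thread", THREAD_CONF), ("conflict", CONFLICT_CONF)):
        print(label, lint(conf))
```

Running it on the mail's snippet reports nothing, because only esp= and the protoports differ; on the constructed variant it reports the host pair 1.2.3.4/5.6.7.8 with ike= set to aes256-sha1 on one conn and left at the default on the other three, which is exactly the "contradicting the configuration" case the mail calls operator error.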