[Swan-dev] IKEv1: Remove all IPsec SA's of a connection when newest SA is removed

Paul Wouters paul at nohats.ca
Fri Aug 28 01:26:56 EEST 2015


On Wed, 26 Aug 2015, D. Hugh Redelmeier wrote:

> | From: Paul Wouters <paul at nohats.ca>
>
> | It is not authenticated, but you can remember the payload and once the
> | connection has authenticated, you can kill the old one based on having
> | received the payload.
>
> No, because a man in the middle could have added the payload.  If I
> remember correctly.

Note that we do not change behaviour based on setting initial-contact.
We only send it to make remote peers happy.

For us, we rely on uniqueid= and if it is set to yes (the default) then
we will kill the old SA regardless of initial-contact setting. If it is
set to no, we will _not_ kill it regardless of initial-contact setting.

Paul
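The rule stated above (an unauthenticated INITIAL-CONTACT payload from the exchange is never acted on; only uniqueid= decides whether an older authenticated SA for the same peer identity is torn down) as an added illustration, written for this thread and not taken from libreswan. The `IkeSa` type, `sas_to_delete()` and the sample SA table are hypothetical:

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class IkeSa:
    """Minimal stand-in for an IKE SA entry (hypothetical, not libreswan's state)."""
    sa_id: int
    peer_id: str              # remote identity, only meaningful once authenticated
    authenticated: bool
    initial_contact: bool = False   # INITIAL-CONTACT notify seen in the exchange


def sas_to_delete(existing: list[IkeSa], new_sa: IkeSa, uniqueids: bool) -> list[int]:
    """Return ids of older SAs to remove when new_sa has come up.

    Policy from the mail:
      * nothing is decided before new_sa has authenticated (an on-path party
        could have inserted INITIAL-CONTACT, so it carries no weight);
      * with uniqueids=yes every older authenticated SA with the same peer
        identity is removed; with uniqueids=no none is, and the presence or
        absence of INITIAL-CONTACT changes neither outcome.
    """
    if not new_sa.authenticated or not uniqueids:
        return []
    return [
        sa.sa_id
        for sa in existing
        if sa.authenticated and sa.peer_id == new_sa.peer_id and sa.sa_id != new_sa.sa_id
    ]


# Constructed sample table: one established SA for each of two peers.
TABLE = [
    IkeSa(sa_id=1, peer_id="@east", authenticated=True),
    IkeSa(sa_id=2, peer_id="@west", authenticated=True),
]

if __name__ == "__main__":
    rekey = IkeSa(sa_id=3, peer_id="@east", authenticated=True, initial_contact=False)
    print(sas_to_delete(TABLE, rekey, uniqueids=True))    # [1]: old @east SA goes
    print(sas_to_delete(TABLE, rekey, uniqueids=False))   # []: kept regardless
```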

