[Swan-dev] analyses of regression in test ikev2-ike-rekey-03

Antony Antony antony at phenome.org
Sat Jun 23 07:39:53 UTC 2018


Thanks Paul. It should fix the common case.
Now that you saw ike-rekey works - migrates child sa.
I will bring up my concern about handling uniqueids again.

uniqueid related logic (ISAKMP_SA_established) called during ike rekey seems wrong to me.

pst->st_seen_initialc is from the previous INIT exchange.
Wouldn't your fixes wrongly take action during an ike-rekey? 
The initial contact was sent in the init?
I am also considering setting st_seen_initialc=false after
duplicating state for IKE rekey.
I wonder if why can carry over st_seen_initialc from to newly rekeyed IKE state.

regards,
-antony

On Mon, Jun 18, 2018 at 11:07:27AM -0400, Paul Wouters wrote:
> On Sat, 16 Jun 2018, Antony Antony wrote:
> 
> > Subject: Re: analyses of regression in test ikev2-ike-rekey-03
> 
> I updated 9bd57bb654b501 to no longer delete obsoleted IPsec SA states.
> 
> This addresses the interop issues with Windows that Izone was seeing,
> and seems to fix ikev2-ike-rekey-03. I have to look through the full
> testrun once it completes to see if there is any regression on having
> multiple IPsec SA's, but seems the old one is getting unrouted
> properly.
> 
> Paul

