[Swan-dev] how pluto handling AUTH error notifications

Andrew Cagney andrew.cagney at gmail.com
Tue Mar 20 17:19:33 UTC 2018


On 20 March 2018 at 12:39, Paul Wouters <paul at nohats.ca> wrote:
> On Tue, 20 Mar 2018, Andrew Cagney wrote:
>
>> Here, the responder accepted the AUTH request but rejected the
>> attached CHILD SA request (hopefully it still replied with its own
>> AUTH credentials, I'm not sure, but if we're deleting the IKE SA it
>> isn't critical).
>
>
> It should keep the IKE SA and return NO_PROPOSAL_CHOSEN ?

Yes, it should.

Pluto as the responder gets it half right.  It:

- keeps the IKE SA around
- sends back NO_PROPOSAL_CHOSEN

but (more digging, ikev2-algo-sha2-05):

- it doesn't send back its own credentials (they get written to the
output PBS, but then that gets reset before sending the failure)

Pluto as the initiator currently gives up.
(in the past it would ignore the response completely).


> And delete any child sa state if it had already created it (but prob
> not)
>
> Paul
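The behaviour the thread is describing can be modelled in a few lines. The following is an added example, not pluto code: it simulates an IKEv2 responder building its IKE_AUTH reply when the piggybacked CHILD SA proposal cannot be agreed (keep the IKE SA, still send IDr/AUTH, add NO_PROPOSAL_CHOSEN), next to the defect described above where the output is reset before the failure notify is sent, so the responder's own credentials are dropped. Payload names follow RFC 7296; the proposal lists, the `buggy` flag and the initiator-side handling are constructed assumptions.

```python
"""Model of IKE_AUTH responder/initiator handling of a failed CHILD SA.
Constructed example for illustration; not pluto's implementation."""
from dataclasses import dataclass, field

NO_PROPOSAL_CHOSEN = 14  # Notify message type from RFC 7296


@dataclass
class IkeSa:
    spi: int
    established: bool = False


@dataclass
class IkeAuthResponse:
    payloads: list = field(default_factory=list)  # ordered payload names
    notifies: list = field(default_factory=list)  # notify types carried


def select_child_proposal(offered, acceptable):
    """Return the first offered transform set the responder supports, else None."""
    for proposal in offered:
        if proposal in acceptable:
            return proposal
    return None


def respond_ike_auth(ike_sa, offered_child_proposals, acceptable, buggy=False):
    """Build the responder's IKE_AUTH reply.

    Correct behaviour (RFC 7296 sections 1.2 and 2.21.2): the IKE SA is
    authenticated and kept even if the CHILD SA fails, and the reply carries
    IDr and AUTH together with a NO_PROPOSAL_CHOSEN notify.
    buggy=True reproduces the defect described in the mail: the output
    written so far is reset before the failure is sent, losing IDr/AUTH.
    """
    out = IkeAuthResponse()
    out.payloads += ["IDr", "AUTH"]  # responder's own credentials
    ike_sa.established = True  # IKE SA stands regardless of CHILD SA outcome

    chosen = select_child_proposal(offered_child_proposals, acceptable)
    if chosen is None:
        if buggy:
            out = IkeAuthResponse()  # reset of the output PBS: credentials gone
        out.notifies.append(NO_PROPOSAL_CHOSEN)
        return out, None

    out.payloads += ["SA", "TSi", "TSr"]
    return out, chosen


def initiator_handle(response):
    """Initiator side (assumed handling). Returns (ike_sa_kept, child_established)."""
    if NO_PROPOSAL_CHOSEN in response.notifies:
        if "AUTH" in response.payloads:
            # Peer authenticated; keep the IKE SA, retry via CREATE_CHILD_SA later.
            return True, False
        # No AUTH to verify: the peer cannot be authenticated, so give up.
        return False, False
    return True, "SA" in response.payloads


# Constructed proposal sets: initiator offers two, responder accepts a third.
OFFERED = ["AES_GCM_16-256", "AES_CBC-128+HMAC_SHA2_256"]
RESPONDER_ACCEPTS = ["AES_CBC-128+HMAC_SHA2_512"]

if __name__ == "__main__":
    sa = IkeSa(spi=0x1234)
    reply, child = respond_ike_auth(sa, OFFERED, RESPONDER_ACCEPTS)
    print("correct responder:", reply, initiator_handle(reply))
    reply, child = respond_ike_auth(sa, OFFERED, RESPONDER_ACCEPTS, buggy=True)
    print("buggy responder:  ", reply, initiator_handle(reply))
```

With the correct responder the initiator sees AUTH plus NO_PROPOSAL_CHOSEN and keeps the IKE SA without a child; with the buggy one the reply carries only the notify, and the initiator has nothing to authenticate the peer with, which is the "gives up" outcome the mail mentions.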