[Swan-dev] Q: mobike on kernel without mobike: load or not load the connection

Tuomo Soini tis at foobar.fi
Wed Jun 12 10:00:10 UTC 2019


On Tue, 11 Jun 2019 18:35:26 -0400 (EDT)
Paul Wouters <paul at nohats.ca> wrote:

> See https://github.com/libreswan/libreswan/issues/221
> 
> Currently:
> 
> - if local connection has mobike=yes but kernel support disabled ->
>   fail to load the connection. IPsec tunnel fails
> - if local connection has mobike=yes but IKE negotiation resulted in
>   peer not supporting mobike -> succeeds connection but without
>   mobike
> 
> The question is whether in the first case, we shouldn't really just
> set up the connection but without mobike, perhaps log a big warning?

No. We really need to fail loading the connection if mobike=yes is set
and we don't support mobike. We have exactly similar behaviour with
nic-offload. You can't even set nic-offload=no if nic-offload support
is not built in.

> What do people prefer? Close 221 without changes and keep current
> situation, or change code to allow loading the connection and bringing
> it up without mobike ?

Close issue. We must fail to load connection requesting mobike if
mobike support is not available. Or we soon get bug reports about
mobike not working.

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>

