[Swan-dev] Q: mobike on kernel without mobike: load or not load the connection

Antony Antony antony at phenome.org
Wed Jun 12 15:18:13 UTC 2019

On Tue, Jun 11, 2019 at 06:35:26PM -0400, Paul Wouters wrote:
> See https://github.com/libreswan/libreswan/issues/221
> Currently:
> - if local connection has mobike=yes but kernel support disabled -> fail
>   to load the connection. IPsec tunnel fails
> - if local connection has mobike=yes but IKE negotiation resulted in
>   peer not supporting mobike -> succeeds connection but without mobike
> The question is whether in the first case, we shouldn't really just
> setup the connection but without mobike, perhaps log a big warning?

When an end knows the kernel do not suppor mobike and respond or initiate 
with MOBIKE support, it is lying in the negotiation. It clearly know a 
feature can't be supported.

1. To me that is gross violation in ike negotiation. The concept should be if 
you send a notify honer it when time comes.
2. IKE is a hard to debug, especially from the other side, protocol by 
design. Early, clear, failure is a good idea.
In this case sending a mobike supported notify and doing weird things when 
the other end actually request it, it is bad idea for IKE.
3. I don't understand someone want to keep unsupported options in 
connection. Are they copy pasting connection between supported and 
I know this breaks our left/right argument if one side support and the other 
do not.

> What do people prefer? Close 221 without changes and keep current
> situation, or change code to allow loading the connection and bringing
> it up without mobike ? 

first one. Do not lie in IKE negotiations. 

when you commit something over the over the wire, better be sure you can do 
it when the time comes.
It is not about the cases where things appear to work for now, but about 
being honest in negotiations. I am not going to defend other examples, or 

More information about the Swan-dev mailing list