[Swan-dev] IKEv2 revival

[Andrew Cagney]

I just pushed code to implement liveness probes using the retransmit
timer.  When retransmits time-out:

- if the IKE SA hasn't established, it does a 'retry' using
ipsecdoi_replace(st, try)

- else, presumably the IKE SA is established, and it calls
liveness_action(); I suspect this doesn't handle multiple children, and
know it won't handle an IKE exchange timing out

(there's also add_revival(), but I'm not sure if that applies here?  And
there's pending ...)

So my question is what should happen?

- are the established and not established paths really that different (for
instance an established IKE SA may have an incomplete CHILD SA)

- do established CHILD SAs linger so that the IPsec connection is 'up'
(even though evidence suggests it is dead)

- and I have to wonder what the difference between replace and pending is
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan-dev/attachments/20200427/a345f1f7/attachment.html>