[Swan-dev] IKEv2 revival

Andrew Cagney andrew.cagney at gmail.com
Tue Apr 28 16:05:35 UTC 2020


Adding to the list of functions that revive ...

On Mon, 27 Apr 2020 at 12:06, Andrew Cagney <andrew.cagney at gmail.com> wrote:

> I just pushed code to implement liveness probes using the retransmit
> timer.  When retransmits time out:
>
> - if the IKE SA hasn't established, it does a 'retry' using
> ipsecdoi_replace(st, try)
>
> - else, presumably the IKE SA is established, and it calls
> liveness_action(); I suspect this doesn't handle multiple children, and
> know it won't handle an IKE exchange timing out
>
> (there's also add_revival(), but I'm not sure if that applies here?  And
> there's pending ...)
>
> So my question is what should happen?
>
> - are the established and not established paths really that different (for
> instance an established IKE SA may have an incomplete CHILD SA)
>
> - do established CHILD SAs linger so that the IPsec connection is 'up'
> (even though evidence suggests it is dead)
>
> - and I have to wonder what the difference between replace and pending is
>

- a rekey (the obvious next candidate for doing proper retransmits) calls
v2_event_sa_replace()