[Swan-dev] fixing Windows rekeying

Antony Antony antony at phenome.org
Wed Apr 29 17:21:02 UTC 2020


On Wed, Apr 29, 2020 at 06:21:02PM +0200, Antony Antony wrote:
> On Wed, Apr 29, 2020 at 10:44:36AM -0400, Paul Wouters wrote:
> > On Wed, 29 Apr 2020, Antony Antony wrote:

> > Additionally, as I pointed out there is the issue of addresspool without
> > narrowing=yes working in the Initial Exchanges, and the reason I did not
> > push my patch yet was that we were still talking about whether having
> > an addresspool should imply narroing or not. For rekey, this issue comes
> > back. I assume your bestfit/scoring code also looks at the NARROWING
> > policy to determine if only an exact match is allowed or a narrowed
> > one is also allowed, so existing deployments with 3.30 or older that
> > do not use narrowing=yes with an addresspool would break clients on rekey.
> 
> I will check this one I guess testcase has responder narrowing yes.
> If you have test case please point me.

I don't think the patch I sent need narrowing yes on the responder for RW.
I just checked with ikev2-child-rekey-09-windows 
-       narrowing=yes 

It is a RW Windows test.
002 "road-east-x509-ipv4"[1] 192.1.2.23 #2: received INTERNAL_IP4_ADDRESS 192.0.2.100

test seems to work as expected without . Reasons to belived narrowing=yes is 
not aditional requirement this patch would add. May be I missed something!

PLUTO_CONN_POLICY='RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5'

An earlier version of the patch needed that then I relaized that whole logic 
different. And fixed it.



More information about the Swan-dev mailing list