[Swan-dev] regression testcase ikev2-connswitch-01

Paul Wouters paul at nohats.ca
Fri Jan 24 11:14:51 UTC 2020


On Fri, 24 Jan 2020, Antony Antony wrote:

> while testing xfrmi Tuomo noticed a regression in connswitch code.

It is not a regression. It is a fix. It does show we have another
problem with connswitching. This issue, and the OE shunt issue
and the two release blockers for 3.30

> I didn't yet figure out why c3ac240cb is necessary. So I am not reverting
> this commit in master yet.

Do not revert it. Without it, the responder does not verify that the IKE peer
ID used appears on the certificate received. While this is mostly
harmless on VPN servers (responders that accept any certificate as
long as their CA signed it, irrespective of ID/SAN), it does provide
security for a group of servers using certificates and static
connections (e.g. a compromise of one could otherwise result in stealing
traffic of another, non-compromised node).

A number of emails were sent about this on the team alias.

Paul
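The ID-to-certificate binding Paul describes, as an added illustration that is not libreswan code: the responder must check not only that its CA signed the peer's certificate but also that the claimed IKE ID appears in that certificate. Certificates are modelled here as constructed dicts of subject and SAN entries rather than parsed DER, and the ID type constants and function names are assumptions.

```python
import ipaddress

# IKEv2 identification payload types (RFC 7296 section 3.5) that map onto
# X.509 subject / subjectAltName entries. Constants are assumed, not libreswan's.
ID_FQDN, ID_RFC822_ADDR, ID_IPV4_ADDR, ID_IPV6_ADDR, ID_DER_ASN1_DN = range(5)


def peer_id_matches_cert(id_type, id_value, cert):
    """Return True only if the claimed IKE ID appears in the peer's certificate.

    `cert` is a constructed dict: {"subject": str, "san": [(kind, value), ...]}.
    """
    sans = cert.get("san", [])
    if id_type == ID_FQDN:
        return any(k == "dNSName" and v.lower() == id_value.lower() for k, v in sans)
    if id_type == ID_RFC822_ADDR:
        return any(k == "rfc822Name" and v.lower() == id_value.lower() for k, v in sans)
    if id_type in (ID_IPV4_ADDR, ID_IPV6_ADDR):
        want = ipaddress.ip_address(id_value)
        return any(k == "iPAddress" and ipaddress.ip_address(v) == want for k, v in sans)
    if id_type == ID_DER_ASN1_DN:
        return cert.get("subject") == id_value
    return False  # unknown ID type: never matches


def responder_accepts(claimed_id, cert, ca_signed, bind_id=True):
    """Responder-side authentication decision.

    bind_id=False models "any certificate from our CA is fine" (the behaviour
    without the commit); bind_id=True additionally requires the claimed ID to be
    present in the certificate, so node B's CA-signed cert cannot claim node A's ID.
    """
    if not ca_signed:
        return False
    if not bind_id:
        return True
    id_type, id_value = claimed_id
    return peer_id_matches_cert(id_type, id_value, cert)


# Constructed sample: node B's certificate, issued by the same CA as node A's.
CERT_NODE_B = {
    "subject": "CN=nodeb.example.net",
    "san": [("dNSName", "nodeb.example.net"), ("iPAddress", "192.0.2.2")],
}

if __name__ == "__main__":
    # Node B's cert presented with node A's ID: accepted only when the ID is not bound.
    print(responder_accepts((ID_FQDN, "nodea.example.net"), CERT_NODE_B, True, bind_id=False))
    print(responder_accepts((ID_FQDN, "nodea.example.net"), CERT_NODE_B, True))
```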
