[Swan-dev] regression testcase ikev2-connswitch-01

Paul Wouters paul at nohats.ca
Fri Jan 24 12:33:32 UTC 2020


On Fri, 24 Jan 2020, Tuomo Soini wrote:

>> It is not a regression. It is a fix. It does show we have another
>> problem with connswitching. This issue, and the OE shunt issue
>> and the two release blockers for 3.30
>
> While it might be a fix it is a regression. It causes the first matching
> connection to fail instead of trying to find out a proper match.
>
> If it is a fix, it is a wrong fix. You tried exactly the same fix before and
> we ended up reverting it because it broke the responder.

It is not wrong. It is incomplete. A larger chunk around choosing and
switching connection is needed, because the current way cannot be
extended without running into a problem of potentially looping
between switching from A to B to A and never finding C.

> This fix won't work and breaks all connection switching on the responder.

Yes.

> The failure happens at the wrong place in the code.

The failure is right but the code needs to be extended to try and
continue and switch, remembering it MUST NOT continue without
switching - which is what is happening without this change.

For instance all the "not %any ID" test cases that check if we
properly fail mismatched IKE ID / Cert ID fail without this (partial)
fix.

I'm working on fixing the next part of this larger issue.

Paul

