[Swan-dev] attributing IKE problems to the IKE SA

Andrew Cagney andrew.cagney at gmail.com
Tue Mar 3 22:23:10 UTC 2020


Testing offloading of AUTH on the initiator (vs the responder, where
much of this is hidden) turned up an interesting logging change;
consider this log:

-002 "westnet-eastnet-ikev2" #2: certificate verified OK:
E=user-east at testing.libreswan.org,...
+002 "westnet-eastnet-ikev2" #1: certificate verified OK:
E=user-east at testing.libreswan.org,...

Previously the authentication log message was attributed to the CHILD
SA (I think this was wrong), but with offloading it is (I think correctly)
attributed to the IKE SA.
It happens because the offloaded AUTH code only has the IKE SA's
logging context (and I see no point in dragging over the CHILD SA's
context when it's wrong).

Andrew

