[Swan-dev] IKEv1 and XFRMi interface

Paul Wouters paul at nohats.ca
Wed Sep 16 13:53:49 UTC 2020

On Wed, 16 Sep 2020, Antony Antony wrote:

> I had a quick look. IKEv1 needs an extra message (3 round trips) as opposed to
> IKEv2 (2 round trips). And the initiator is installing policies in a different
> order.

Yes, I mentioned this in the team email two days ago. That is indeed the
source of the problem.

> The test outputs as they are now are confusing because they seem to be a copy of the IKEv2
> outputs. Maybe create tests with eastnet-westnet, delete the IKEv2 output and
> update it with the broken IKEv1 output. That would make analysing it quicker.

I created copies of the IKEv2 tests for IKEv1. So whatever is tested for
IKEv2 is tested for IKEv1. I can surely add a test case if it is missing
for a subnet to subnet test for both IKEv1 and IKEv2 if that is missing.

> A better fix would be adding IKE pass policies, aka IKE holes, as XFRM
> policies. I suspect there are also ways to add routing policies instead of XFRM
> policies; that is possibly what Android is doing.

Creating XFRM holes is dangerous. There might be overlapping
machines/connections (e.g. extrusion on the far side related issues).

Can you say a bit more about adding routing policies? That fix seems a
better fit, as the problem right now is caused by routing to the
> One thing that would help to add IKE policies is the use of struct kernel_sa
> in netlink_raw_eroute(), same as netlink_add_sa(). Now that KLIPS is gone we
> can make this change. Keeping the shunt code as it is.

What is wrong with the current method for IKE holes? I don't fully
understand what you are saying here. Could you elaborate a bit more?
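To make the overlap hazard concrete, here is an added toy model of how the kernel chooses among overlapping XFRM policies; it is editor-written illustration, not libreswan code or anything either poster wrote. It assumes a simplified lookup rule (lowest priority value wins, newest policy wins on ties), and the subnets, priorities and the two candidate "hole" selectors are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network
from itertools import count

_seq = count()  # insertion order: later policies shadow earlier ones at equal priority


@dataclass
class XfrmPolicy:
    src: str            # selector source subnet
    dst: str            # selector destination subnet
    proto: object       # IP protocol number, or None for any
    dport: object       # destination port, or None for any
    action: str         # "allow" = send through the tunnel, "pass" = bypass (the "hole")
    priority: int       # lower value wins, as with `ip xfrm policy ... priority N`
    seq: int = field(default_factory=lambda: next(_seq))

    def matches(self, saddr, daddr, proto, dport):
        return (ip_network(saddr).subnet_of(ip_network(self.src))
                and ip_network(daddr).subnet_of(ip_network(self.dst))
                and self.proto in (None, proto)
                and self.dport in (None, dport))


def lookup(policies, saddr, daddr, proto, dport):
    """Action the (simplified, assumed) kernel lookup applies to an outbound packet."""
    hits = [p for p in policies if p.matches(saddr, daddr, proto, dport)]
    if not hits:
        return "plain"  # no policy at all: the packet leaves unprotected
    hits.sort(key=lambda p: (p.priority, -p.seq))
    return hits[0].action


def demo():
    """Constructed policies: one subnet-to-subnet tunnel plus two candidate IKE holes."""
    tunnel = XfrmPolicy("192.0.2.0/24", "198.51.100.0/24", None, None, "allow", 2000)
    # Hole carved over the whole tunnel selector: any UDP/500 between the subnets bypasses IPsec
    wide_hole = XfrmPolicy("192.0.2.0/24", "198.51.100.0/24", 17, 500, "pass", 1000)
    # Hole limited to this gateway's own IKE exchange with its peer
    narrow_hole = XfrmPolicy("192.0.2.1/32", "198.51.100.1/32", 17, 500, "pass", 1000)
    return {
        "gateway_ike_wide": lookup([tunnel, wide_hole], "192.0.2.1", "198.51.100.1", 17, 500),
        "inner_host_ike_wide": lookup([tunnel, wide_hole], "192.0.2.7", "198.51.100.9", 17, 500),
        "inner_host_ike_narrow": lookup([tunnel, narrow_hole], "192.0.2.7", "198.51.100.9", 17, 500),
        "inner_host_data": lookup([tunnel, narrow_hole], "192.0.2.7", "198.51.100.9", 6, 443),
    }


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name}: {action}")
```

The wide hole lets an inner host's own UDP/500 traffic to the far subnet leave in the clear, which is the kind of overlap that makes holes risky; the narrow hole only exempts the gateway's own exchange.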
