[Swan-dev] IKEv1 and XFRMi interface
paul at nohats.ca
Wed Sep 16 13:53:49 UTC 2020
On Wed, 16 Sep 2020, Antony Antony wrote:
> I had a quick look. IKEv1 needs an extra message (3 round trips) as opposed to
> IKEv2 (2 round trips). And the initiator is installing policies in different
Yes, I mentioned this in the team email two days ago. That is indeed the
source of the problem.
> the test outputs as they are now are confusing because they seem to be a copy of the IKEv2
> outputs. Maybe create tests with eastnet-westnet, delete the IKEv2 output and
> update it with the broken IKEv1 output. That would make analysing it quicker.
I created copies of the IKEv2 tests for IKEv1. So whatever is tested for
IKEv2 is tested for IKEv1. I can surely add a test case if it is missing
for a subnet to subnet test for both IKEv1 and IKEv2 if that is missing.
> A better fix would be adding IKE pass policies, aka IKE holes, as XFRM
> policies. I suspect there are also ways to add routing policies instead of XFRM
> policies; that is possibly what Android is doing.
Creating XFRM holes is dangerous. There might be overlapping
machines/connections (e.g. extrusion on the far side related issues).
Can you say a bit more about adding routing policies? It seems that fix
is a better fit, as the problem right now is caused by routing to the
> One thing that would help to add IKE policies is use of struct kernel_sa in
> netlink_raw_eroute(), same as netlink_add_sa(). Now that KLIPS is gone, we
> make this change, keeping the shunt code as it is.
What is wrong with the current method for IKE holes? I don't fully
understand what you are saying here. Could you elaborate a bit more?
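The overlap concern raised above can be made concrete with a small model of how the kernel picks among XFRM policies. This is an added example, not libreswan code or output from the thread: it models Linux XFRM policy selection by priority (lower value wins), builds the two narrow host-to-host UDP 500/4500 pass holes for a peer, and then runs a static check for a pass hole whose selector overlaps an IPsec policy with worse priority, which is exactly the case where part of a tunnel's traffic would leave in the clear. The westnet/eastnet addresses are constructed for the example; it ignores direction, XFRM interface ids and marks, and is no substitute for reading `ip xfrm policy` on the actual box.

```python
# Added example (not libreswan code): a model of Linux XFRM policy lookup
# plus a static check for IKE "pass" holes that shadow an IPsec policy.
# Topology names follow the thread (westnet/eastnet); the concrete
# addresses below are constructed for this example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Policy:
    src: str                      # CIDR selector
    dst: str
    priority: int                 # lower value wins, as in the kernel
    action: str                   # "ipsec" (tunnel), "allow" (pass hole), "block"
    proto: Optional[str] = None   # None matches any protocol
    sport: Optional[int] = None   # None matches any port
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in (None, pkt.proto)
                and self.sport in (None, pkt.sport)
                and self.dport in (None, pkt.dport))


def lookup(policies: List[Policy], pkt: Packet) -> Optional[Policy]:
    """Best-priority matching policy; None means no policy, i.e. plain text."""
    hits = [p for p in policies if p.matches(pkt)]
    return min(hits, key=lambda p: p.priority) if hits else None


def disposition(policies: List[Policy], pkt: Packet) -> str:
    """What happens to pkt under the given policy set: tunnel, clear or drop."""
    p = lookup(policies, pkt)
    if p is None:
        return "clear"
    return {"ipsec": "tunnel", "allow": "clear", "block": "drop"}[p.action]


def _field_overlap(a, b) -> bool:
    return a is None or b is None or a == b


def overlaps(a: Policy, b: Policy) -> bool:
    """True if some packet could match both selectors."""
    return (ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst))
            and _field_overlap(a.proto, b.proto)
            and _field_overlap(a.sport, b.sport)
            and _field_overlap(a.dport, b.dport))


def shadowed_tunnels(policies: List[Policy]) -> List[Tuple[Policy, Policy]]:
    """(hole, tunnel) pairs where a pass hole with better priority overlaps an
    IPsec policy, so part of that tunnel's traffic would go out in the clear."""
    holes = [p for p in policies if p.action == "allow"]
    tunnels = [p for p in policies if p.action == "ipsec"]
    return [(h, t) for h in holes for t in tunnels
            if h.priority < t.priority and overlaps(h, t)]


def ike_holes(local: str, peer: str, priority: int = 100) -> List[Policy]:
    """Narrow pass holes for IKE: host-to-host, UDP 500 and 4500 only."""
    return [Policy(f"{local}/32", f"{peer}/32", priority, "allow", "udp", port, port)
            for port in (500, 4500)]


# Constructed topology: west 192.1.2.45 <-> east 192.1.2.23,
# tunnelling westnet 192.0.1.0/24 <-> eastnet 192.0.2.0/24.
TUNNEL = Policy("192.0.1.0/24", "192.0.2.0/24", 1000, "ipsec")
NARROW = [TUNNEL] + ike_holes("192.1.2.45", "192.1.2.23")
# A global UDP/500 hole: the kind of shortcut that overlaps other connections.
BROAD = [TUNNEL, Policy("0.0.0.0/0", "0.0.0.0/0", 100, "allow", "udp", dport=500)]

OWN_IKE = Packet("192.1.2.45", "192.1.2.23", "udp", 500, 500)
INNER_IKE = Packet("192.0.1.10", "192.0.2.10", "udp", 500, 500)  # a westnet host's own IKE to eastnet
DATA = Packet("192.0.1.10", "192.0.2.10", "tcp", 40000, 22)

if __name__ == "__main__":
    for name, pols in (("narrow", NARROW), ("broad", BROAD)):
        for pkt in (OWN_IKE, INNER_IKE, DATA):
            print(name, pkt.src, "->", pkt.dst, pkt.proto, pkt.dport, disposition(pols, pkt))
        print(name, "shadowed tunnels:", len(shadowed_tunnels(pols)))
```

With the narrow holes, west's own IKE passes and the westnet host's UDP/500 traffic still goes through the tunnel; with the global hole that same traffic matches the hole first and is sent in the clear, and `shadowed_tunnels` flags the pair before anything is installed. Real policies carry far more state than this model (direction, templates, marks, interface ids), so the check is only a first filter on the selectors a connection would add.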