[Swan-dev] IKEv2 IKE_AUTH responder no longer does an ike->child shuffle

Andrew Cagney andrew.cagney at gmail.com
Tue May 18 14:11:10 UTC 2021

Heads up.  The way the IKEv2 responder behaves (at least for IKE_AUTH) has

    ikev2: in IKE_AUTH responder, handle child sa as a nested state

    i.e., in IKE_AUTH responder, don't switch to the child part way through
    the transition

    - add v2_child_sa_established() to perform transition
    - change the existing half IKE / half CHILD state transition to strictly IKE
    - drop code pexpecting next state to be a child

Since there's no IKE->CHILD switch it is, in theory, possible to create a
childless IKE SA.
Reality will beg to differ.  Anyone looking at the code will see that the
IKE and CHILD code paths are still not well separated.  I'm planning on
looking at that once I've an initiator capable of sending childless IKE_AUTH.

Before/after test results are:
and there seem to be a few regressions:
- looks like I drop an audit record
- informational exchanges aren't quite right
I was going to look at those once the initiator is updated.
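As an added illustration (not libreswan code; the struct names, the scenario helpers and the per-SA audit counting are assumptions of this model), the C sketch below contrasts the two responder designs the message describes: the old one, where the IKE_AUTH transition's next state is the Child SA so the responder has to switch from the IKE SA to the child part way through, and the nested one, where the transition stays strictly on the IKE SA and the child is established as its own step. The point it makes concrete is the one in the message: once there is no IKE->CHILD switch, an IKE_AUTH without SA/TSi/TSr payloads (a childless IKE SA, RFC 6023) completes naturally, and each SA has to emit its own audit event, which is exactly where a record can get dropped.

```c
/* Model of an IKEv2 IKE_AUTH responder: Child SA as a state nested under the
 * IKE SA versus an IKE->CHILD switch mid-transition.  Hypothetical code,
 * not libreswan's; all names and the audit counting are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum ike_state { IKE_AUTH_R = 1, IKE_ESTABLISHED };
enum child_state { CHILD_NONE = 0, CHILD_ESTABLISHED };

struct child_sa {
    enum child_state st;
    unsigned inbound_spi;    /* responder's inbound ESP SPI (assumed field) */
};

struct ike_sa {
    enum ike_state st;
    struct child_sa *child;  /* NULL for a childless IKE SA */
    unsigned audit_records;  /* audit events emitted so far (assumed) */
};

/* What the responder decoded from the IKE_AUTH request.  RFC 6023 lets the
 * initiator omit SA/TSi/TSr to request a childless IKE SA. */
struct ike_auth_req {
    bool has_child_payloads;
    unsigned proposed_spi;
};

/* Old design: the transition's next state is a Child SA state, so the
 * exchange completes on the child and the caller switches to it.  With no
 * child payloads there is nothing to switch to: childless is impossible. */
static struct child_sa *ike_auth_responder_shuffle(struct ike_sa *ike,
        struct child_sa *child, const struct ike_auth_req *req)
{
    if (ike->st != IKE_AUTH_R || !req->has_child_payloads || child == NULL)
        return NULL;
    child->st = CHILD_ESTABLISHED;
    child->inbound_spi = req->proposed_spi;
    ike->child = child;
    ike->st = IKE_ESTABLISHED;
    ike->audit_records++;    /* a single record for the half-IKE/half-CHILD step */
    return child;            /* caller now continues as the child */
}

/* New design: establishing the child is its own step, driven from the IKE
 * SA's transition (the role v2_child_sa_established() plays in the commit). */
static bool child_sa_established(struct ike_sa *ike, struct child_sa *child,
                                 unsigned spi)
{
    if (ike->st != IKE_AUTH_R || child == NULL)
        return false;
    child->st = CHILD_ESTABLISHED;
    child->inbound_spi = spi;
    ike->child = child;
    ike->audit_records++;    /* the child now needs its own audit event */
    return true;
}

/* The IKE_AUTH transition itself stays strictly on the IKE SA. */
static bool ike_auth_responder_nested(struct ike_sa *ike, struct child_sa *child,
                                      const struct ike_auth_req *req)
{
    if (ike->st != IKE_AUTH_R)
        return false;
    if (req->has_child_payloads &&
        !child_sa_established(ike, child, req->proposed_spi))
        return false;        /* child failed; IKE SA stays in IKE_AUTH_R */
    ike->st = IKE_ESTABLISHED;
    ike->audit_records++;    /* IKE SA's own audit event, child or not */
    return true;
}

/* Childless IKE_AUTH under both designs: true when the shuffle design cannot
 * complete and the nested design yields an established, childless IKE SA. */
static bool childless_scenario(void)
{
    struct ike_sa ike = { IKE_AUTH_R, NULL, 0 };
    struct child_sa child = { CHILD_NONE, 0 };
    const struct ike_auth_req req = { false, 0 };
    bool shuffle_failed = ike_auth_responder_shuffle(&ike, &child, &req) == NULL
                          && ike.st == IKE_AUTH_R;
    bool nested_ok = ike_auth_responder_nested(&ike, &child, &req)
                     && ike.st == IKE_ESTABLISHED && ike.child == NULL
                     && child.st == CHILD_NONE && ike.audit_records == 1;
    return shuffle_failed && nested_ok;
}

/* IKE_AUTH with child payloads, nested design: returns the child's SPI, or 0
 * if anything is off (including a second IKE_AUTH being accepted). */
static unsigned with_child_scenario(void)
{
    struct ike_sa ike = { IKE_AUTH_R, NULL, 0 };
    struct child_sa child = { CHILD_NONE, 0 };
    const struct ike_auth_req req = { true, 0x1234 };
    if (!ike_auth_responder_nested(&ike, &child, &req))
        return 0;
    if (ike.st != IKE_ESTABLISHED || ike.child != &child || ike.audit_records != 2)
        return 0;
    if (ike_auth_responder_nested(&ike, &child, &req))
        return 0;            /* already established: must be refused */
    return child.inbound_spi;
}

int main(void)
{
    printf("childless: %s\n", childless_scenario() ? "ok" : "broken");
    printf("with child: spi=0x%x\n", with_child_scenario());
    return 0;
}
```

The two scenario helpers are the part worth reading: in the shuffle design a childless request cannot even complete the exchange, while in the nested design it leaves the IKE SA established with `child == NULL`, and the audit count moves from one shared record to one per SA.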