[Swan-dev] IKEv2 IKE_AUTH responder no longer does an ike->child shuffle
andrew.cagney at gmail.com
Tue May 18 14:11:10 UTC 2021
Heads up. The way the IKEv2 responder behaves (at least for IKE_AUTH) has
ikev2: in IKE_AUTH responder, handle child sa as a nested state
i.e., in IKE_AUTH responder, don't switch to the child part way through
- add v2_child_sa_established() to perform transition
- change the existing half IKE / half CHILD state transition to
- drop code pexpecting next state to be a child
Since there's no IKE->CHILD switch it is, in theory, possible to create a
childless IKE SA.
Reality will beg to differ. Anyone looking at the code will see that the
IKE and CHILD code paths are still not well separated. I'm planning on
looking at that once I've an initiator capable of sending childless IKE_AUTH
Before/after test results are:
and there seem to be a few regressions:
- looks like I drop an audit record
- informational exchanges aren't quite right
I was going to look at those once the initiator is updated.