[Swan-dev] delay when initiator gets their IKE AUTH request rejected

Andrew Cagney andrew.cagney at gmail.com
Mon May 24 18:19:51 UTC 2021


The code currently works like this:
- initiator IKE SA creates CHILD SA and switches to it
- initiator CHILD SA sends IKE AUTH request
- initiator sprinkles timers such as retransmit and expire over IKE and
CHILD SAs
time passes
- responder sends back an AUTH rejection (doesn't really matter what, just
not a child rejection)
- rejection is passed to CHILD SA (see switch above)
- child SA returns FAIL and is deleted
time passes
- IKE SA gets a timer event and that triggers a retry

Now, if the code is changed so that the IKE SA initiator is in control, the
rejection goes to the IKE SA, and it is the IKE SA that gets deleted.  This
triggers an immediate retry.

Should it?  I tend to suspect it shouldn't (back off) and the current
behaviour was somewhat intentional.  If that's the case then what
configuration knob should control it?
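The two behaviours described above (the current path, where the rejection lands on the Child SA and the IKE SA only retries when one of its timers fires, versus the proposed path, where the IKE SA itself takes the rejection and retries at once) can be compared with a small timing model. The code below is an added illustration written for this page, not libreswan code: the state names, the `auth_retry`-style knob (`RetryPolicy.mode`), the delay values and the responder behaviour are all assumptions chosen to show the difference between an immediate retry and a capped exponential back-off after an IKE_AUTH rejection.

```python
"""Model of an IKEv2 initiator's retry behaviour after an IKE_AUTH rejection.

Illustrative only: this is not libreswan's state machine or configuration.
The policy fields, event strings and the responder below are assumptions made
for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


def make_responder(rejections: int) -> Callable[[int], str]:
    """Constructed responder: reject the first `rejections` IKE_AUTH requests
    (think AUTHENTICATION_FAILED, not a Child SA problem), then accept."""
    def respond(attempt: int) -> str:
        return "AUTH_REJECTED" if attempt < rejections else "AUTH_OK"
    return respond


@dataclass
class RetryPolicy:
    """Hypothetical knob controlling what the IKE SA does when IKE_AUTH is rejected."""
    mode: str = "backoff"        # "immediate": retry at once; "backoff": wait first
    initial_delay: float = 1.0   # seconds to wait after the first rejection
    multiplier: float = 2.0      # growth factor per consecutive rejection
    max_delay: float = 60.0      # cap so the wait never grows without bound

    def delay(self, consecutive_rejections: int) -> float:
        """Seconds to wait before the next IKE_AUTH attempt."""
        if self.mode == "immediate":
            return 0.0
        raw = self.initial_delay * self.multiplier ** (consecutive_rejections - 1)
        return min(raw, self.max_delay)


@dataclass
class Timeline:
    events: List[Tuple[float, str]] = field(default_factory=list)

    def log(self, t: float, msg: str) -> None:
        self.events.append((t, msg))

    def send_times(self) -> List[float]:
        """Times at which an IKE_AUTH request was put on the wire."""
        return [t for t, m in self.events if m == "IKE_AUTH request sent"]


def run_initiator(policy: RetryPolicy, responder: Callable[[int], str],
                  rtt: float = 1.0, max_attempts: int = 10) -> Timeline:
    """Drive the initiator until IKE_AUTH succeeds or max_attempts is reached.

    The IKE SA is modelled as being in control: it sends IKE_AUTH, receives
    the rejection, is deleted, and then schedules the retry according to
    `policy` (rather than waiting for a retransmit/expire timer to fire).
    """
    t = 0.0
    tl = Timeline()
    rejections = 0
    for attempt in range(max_attempts):
        tl.log(t, "IKE_AUTH request sent")
        t += rtt                      # one round trip until the reply arrives
        reply = responder(attempt)
        if reply == "AUTH_OK":
            tl.log(t, "IKE_AUTH accepted; IKE SA and Child SA established")
            return tl
        rejections += 1
        tl.log(t, f"IKE_AUTH rejected ({reply}); IKE SA deleted")
        wait = policy.delay(rejections)
        tl.log(t, f"retry scheduled in {wait:.1f}s")
        t += wait                     # back off (or not) before the next attempt
    tl.log(t, "gave up after max_attempts")
    return tl


if __name__ == "__main__":
    responder = make_responder(rejections=3)
    for mode in ("immediate", "backoff"):
        tl = run_initiator(RetryPolicy(mode=mode), responder)
        print(f"{mode:9s} send times: {tl.send_times()}")
        for t, msg in tl.events:
            print(f"  t={t:5.1f}s  {msg}")
```

With a responder that rejects three times, the immediate policy puts a new IKE_AUTH on the wire one round trip after every rejection, so a misconfigured peer (wrong PSK, revoked certificate) keeps the responder doing signature and Diffie-Hellman work as fast as the network allows. The back-off policy spaces the attempts 1, 2 and 4 seconds apart and caps the wait at `max_delay`, which is the behaviour the post suspects the current timer-driven retry was giving for free.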