[Swan] ipsec auto --status output changes

Paul Wouters pwouters at redhat.com
Fri Jun 21 16:36:13 EEST 2013


On Fri, 21 Jun 2013, Antony Antony wrote:

> why do we have interface names twice. It probably makes sense with klips;
> on netkey it appears confusing.

Actually that's a very valid point. I think it might have to do with
port 500 and port 4500, but if that's so, we should clearly list it. If
not, then we should figure out why we print it twice. I'll check this
out and follow up on that.

> if there are multiple child sa would each of those make new state object?

In theory, yes. In practice, I'm not sure if we support multiple Child
SAs with the same Parent SA. And right now those "Child SAs" are
confusingly still called "Parent SA".

For IKEv1, when we use subnetS= we just create new "connections" which
get their own phase1/phase2 states. That is, if you have:

conn test
 	leftsubnets={10.0.1.0/24,10.0.2.0/24}
 	rightsubnets={10.0.3.0/24,10.0.4.0/24}

then we will create "alias connections" named test1x1, test1x2, test2x1
and test2x2. That is 4 phase 1s that get 4 phase 2s. While IKEv1
allows (RFC2409):

 	A single phase 1 negotiation may be used for more than one phase 2
 	negotiation.  Additionally a single phase 2 negotiation can request
 	multiple Security Associations.

we don't really support that. But that code could have been rewritten to
have 1 phase1 with 4 phase2s. But that would violate our "connection"
vs "state" data, as currently our subnet(s)= parameters are in the
connection, and not the state.

Although with XAUTH/ModeConfig, I think we do change the phase2 parameters
depending on the IP address received.

Paul
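
The alias-connection expansion Paul describes above, as an added illustration that is not part of the original mail or of libreswan's own code: a small parser for a conn block that turns leftsubnets=/rightsubnets= into the per-pair connections (test1x1, test1x2, test2x1, test2x2) and counts how many separate phase 1 negotiations that implies. The sample config is constructed from the conn in the mail, and the naming order (left index first, then right index) is an assumption taken from the listed names, not a confirmed detail of the real implementation.

```python
import re
from itertools import product

# Constructed sample, modelled on the conn in the mail (not a real config file).
SAMPLE_CONF = """\
conn test
\tleftsubnets={10.0.1.0/24,10.0.2.0/24}
\trightsubnets={10.0.3.0/24,10.0.4.0/24}
\tauthby=secret
"""


def parse_conns(text):
    """Parse minimal ipsec.conf-style text into {conn_name: {key: value}}.

    Only 'conn NAME' sections with indented key=value lines are handled;
    'config setup' and other sections are skipped.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():              # a section header
            m = re.match(r'conn\s+(\S+)\s*$', line)
            current = m.group(1) if m else None
            if current is not None:
                conns[current] = {}
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition('=')
        conns[current][key.strip()] = value.strip()
    return conns


def split_subnets(value):
    """'{a,b}' or 'a' -> ['a', 'b'] / ['a']."""
    v = value.strip()
    if v.startswith('{') and v.endswith('}'):
        v = v[1:-1]
    return [s.strip() for s in v.split(',') if s.strip()]


def side_subnets(params, side):
    """Return (list_of_subnets, used_plural_form) for 'left' or 'right'."""
    if side + 'subnets' in params:
        return split_subnets(params[side + 'subnets']), True
    return [params.get(side + 'subnet')], False


def expand_aliases(name, params):
    """Expand one conn into the alias connections the mail describes.

    A conn without leftsubnets=/rightsubnets= is returned unchanged. Otherwise
    every (left, right) pair becomes its own connection named NAME<i>x<j>
    (assumed ordering: left index first), carrying the remaining parameters
    plus a singular leftsubnet=/rightsubnet= for that pair.
    """
    lefts, lplural = side_subnets(params, 'left')
    rights, rplural = side_subnets(params, 'right')
    if not (lplural or rplural):
        return {name: dict(params)}
    base = {k: v for k, v in params.items()
            if k not in ('leftsubnet', 'leftsubnets', 'rightsubnet', 'rightsubnets')}
    aliases = {}
    for (i, left), (j, right) in product(enumerate(lefts, 1), enumerate(rights, 1)):
        alias = dict(base)
        if left is not None:
            alias['leftsubnet'] = left
        if right is not None:
            alias['rightsubnet'] = right
        aliases[f'{name}{i}x{j}'] = alias
    return aliases


def phase1_count(conns):
    """Each alias connection gets its own phase 1, so count the aliases."""
    return sum(len(expand_aliases(n, p)) for n, p in conns.items())


if __name__ == '__main__':
    conns = parse_conns(SAMPLE_CONF)
    for alias, params in expand_aliases('test', conns['test']).items():
        print(alias, params['leftsubnet'], '<->', params['rightsubnet'])
    print('phase 1 negotiations:', phase1_count(conns))
```

Running it on the sample lists four aliases and reports four phase 1 negotiations, which is the cost the mail points out: one IKE SA per subnet pair rather than one shared phase 1 with four phase 2s.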

