Feature #129
Relations between ike/child/peer_cfg
| Status: | Assigned | Start date: | 13.05.2011 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | Martin Willi | % Done: | 0% |
| Category: | libcharon | | |
| Target version: | - | | |
| Resolution: | | | |
Description
The relations between child_cfg/peer_cfg are too strict:
Reloading configurations through ipsec reload deletes child_cfg attached to peer_cfgs, even if in use by an IKE_SA. This prevents a CHILD_SA from rekeying, as no child_cfg is available anymore for the peer_cfg refcounted by the IKE_SA. We either have to store a reference for the child_cfg too, or even better look up the connections during rekeying globally.
A different issue concerns the relation between peer_cfg/ike_cfg:
The relation is not strict enough: As responder, it is currently not possible to enforce an ike_cfg for a peer_cfg selected later during authentication. Limiting peer_cfgs to the addresses specified in the associated ike_cfg is not possible, either.
History
#1 Updated by Tobias Brunner almost 2 years ago
- Target version changed from 4.5.3 to 4.6.0
#2 Updated by Tobias Brunner over 1 year ago
- Target version deleted (4.6.0)