Feature #129
Relations between ike/child/peer_cfg
Description
The relations between child_cfg/peer_cfg are too strict:
Reloading configurations through ipsec reload deletes child_cfg attached to peer_cfgs, even if in use by an IKE_SA. This prevents a CHILD_SA from rekeying, as no child_cfg is available anymore for the peer_cfg refcounted by the IKE_SA. We either have to store a reference for the child_cfg too, or even better look up the connections during rekeying globally.
A different issue concerns the relation between peer_cfg/ike_cfg:
The relation is not strict enough: As responder, it is currently not possible to enforce an ike_cfg for a peer_cfg selected later during authentication. Limiting peer_cfgs to the addresses specified in the associated ike_cfg is not possible, either.
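The reload problem described above, as an added example (not strongSwan code and not part of the original issue): a simplified refcount model in which the SA's peer_cfg reference does not keep the child_cfg reachable across a reload, next to the first option named in the description, storing a child_cfg reference as well. The struct layouts, function names and the `pinned` field are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model for illustration; not strongSwan's real structures. */
typedef struct { int refs; } child_cfg_t;
typedef struct { int refs; child_cfg_t *child; } peer_cfg_t;
typedef struct { peer_cfg_t *peer; child_cfg_t *pinned; } sa_t;

static void child_put(child_cfg_t *c) { if (c && --c->refs == 0) free(c); }
static void peer_put(peer_cfg_t *p)
{
    if (--p->refs == 0) { child_put(p->child); free(p); }
}

/* Reload as described: the child_cfg is detached from the in-use peer_cfg. */
static void reload(peer_cfg_t *p) { child_put(p->child); p->child = NULL; }

/* Rekeying needs a child_cfg: 0 if one is reachable, -1 otherwise. */
static int rekey(const sa_t *sa)
{
    return (sa->pinned || sa->peer->child) ? 0 : -1;
}

/* Establish an SA, reload, then try to rekey. The SA always references its
 * peer_cfg; with pin_child it also holds its own child_cfg reference. */
static int rekey_after_reload(int pin_child)
{
    peer_cfg_t *p = calloc(1, sizeof(*p));
    p->child = calloc(1, sizeof(*p->child));
    p->refs = p->child->refs = 1;          /* held by the config backend */

    sa_t sa = { p, pin_child ? p->child : NULL };
    p->refs++;
    if (sa.pinned) sa.pinned->refs++;
    reload(p);
    int rc = rekey(&sa);

    child_put(sa.pinned);                  /* SA teardown */
    peer_put(sa.peer);
    peer_put(p);                           /* backend drops its reference */
    return rc;
}

int main(void)
{
    printf("peer_cfg reference only: %d\n", rekey_after_reload(0));
    printf("child_cfg also pinned:   %d\n", rekey_after_reload(1));
    return 0;
}
```

The second option in the description, a global lookup at rekey time, is not modelled here.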
Related issues
History
#1 Updated by Tobias Brunner about 14 years ago
- Target version changed from 4.5.3 to 4.6.0
#2 Updated by Tobias Brunner over 13 years ago
- Target version deleted (4.6.0)
#3 Updated by Tobias Brunner over 9 years ago
- Related to Issue #1338: problem with changing esp algorithm in strongswan added