Feature #129

Relations between ike/child/peer_cfg

Added by Martin Willi over 9 years ago. Updated almost 9 years ago.

Status: Assigned
Priority: Normal
Assignee:
Category: libcharon
Target version: -
Start date: 13.05.2011
Due date:
Estimated time:
Resolution:

Description

The relations between child_cfg/peer_cfg are too strict:

Reloading configurations through ipsec reload deletes child_cfg attached to peer_cfgs, even if in use by an IKE_SA. This prevents a CHILD_SA from rekeying, as no child_cfg is available anymore for the peer_cfg refcounted by the IKE_SA. We either have to store a reference for the child_cfg too, or even better look up the connections during rekeying globally.

A different issue concerns the relation between peer_cfg/ike_cfg:

The relation is not strict enough: As responder, it is currently not possible to enforce an ike_cfg for a peer_cfg selected later during authentication. Limiting peer_cfgs to the addresses specified in the associated ike_cfg is not possible, either.
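
A simplified model of the first problem in the description, added here as an illustration and not taken from the ticket or from strongSwan's code. The struct and function names are assumptions and only the reference-counting relationship is modelled: it compares a rekey lookup through the peer_cfg held by the IKE_SA with an SA that stores its own child_cfg reference.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model; hypothetical types, not strongSwan's real structs. */
typedef struct { int refs; char name[16]; } child_cfg;
typedef struct { int refs; child_cfg *children[4]; int n; } peer_cfg;
typedef struct { peer_cfg *peer; child_cfg *child; } sa_refs; /* child: extra ref */

static child_cfg *child_new(const char *name) {
    child_cfg *c = calloc(1, sizeof *c);
    c->refs = 1;                       /* owned by the peer_cfg */
    strncpy(c->name, name, sizeof c->name - 1);
    return c;
}
static void child_put(child_cfg *c) { if (--c->refs == 0) free(c); }
/* Models the reload in the ticket: every child_cfg is detached. */
static void reload_flush(peer_cfg *p) {
    for (int i = 0; i < p->n; i++) child_put(p->children[i]);
    p->n = 0;
}

/* Rekey-time lookup through the peer_cfg the IKE_SA still references. */
static child_cfg *lookup_via_peer(const sa_refs *s, const char *name) {
    for (int i = 0; i < s->peer->n; i++)
        if (strcmp(s->peer->children[i]->name, name) == 0)
            return s->peer->children[i];
    return NULL;
}

/* Returns 1 if a rekey after the reload still finds its child_cfg. */
int rekey_after_reload(int sa_holds_child_ref) {
    peer_cfg *p = calloc(1, sizeof *p);
    p->refs = 2;                       /* config store + IKE_SA (assumed) */
    p->children[p->n++] = child_new("net-net");   /* constructed name */
    sa_refs s = { p, NULL };
    if (sa_holds_child_ref) { s.child = p->children[0]; s.child->refs++; }
    reload_flush(p);
    p->refs--;                         /* store drops the old peer_cfg */
    child_cfg *c = s.child ? s.child : lookup_via_peer(&s, "net-net");
    int ok = (c != NULL && strcmp(c->name, "net-net") == 0);
    if (s.child) child_put(s.child);
    if (--p->refs == 0) free(p);       /* IKE_SA releases its reference */
    return ok;
}

int main(void) {
    return printf("peer ref only: %d, own child ref: %d\n",
                  rekey_after_reload(0), rekey_after_reload(1)) < 0;
}
```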


Related issues

Related to Bug #400: Routed connections lost with reload (Closed, 03.09.2013)
Related to Issue #1338: problem with changing esp algorithm in strongswan (Feedback, 06.03.2016)
Blocks Bug #397: Receive TS_UNACCEPTABLE errors (New, 01.09.2013)

History

#1 Updated by Tobias Brunner over 9 years ago

  • Target version changed from 4.5.3 to 4.6.0

#2 Updated by Tobias Brunner almost 9 years ago

  • Target version deleted (4.6.0)

#3 Updated by Tobias Brunner over 4 years ago

  • Related to Issue #1338: problem with changing esp algorithm in strongswan added
