Hi again,<br><br>As you may know, I'm trying to code some features to make some tests concerning High Availability.<br><br>I wanted to launch my own "ipsec get &lt;connection name&gt;" command in order to get a whole ESTABLISHED IKE_SA.<br>
<br>I first wanted to understand how the keywords (concerning the <b>stroke</b> backend) work.<br>When I launched the following command: "ipsec up &lt;myconnection&gt;", I saw that the ipsec script invokes "${IPSEC_DIR}/stroke up $1"; then, once inside <b>stroke.c</b> at the <b><i style="color: rgb(0, 153, 0);">main</i></b> function, there is a <b><i>switch(token-><span style="color: rgb(51, 204, 0);">kw</span>)</i></b> for each keyword, depending on whether the stroke invocation was an add, delete, up, down, etc. Inside this switch I added my own "STROKE_GET" keyword, as well as in the other keyword files concerned (in order to recognize the keyword itself, <i>stroke_keywords.c</i>, etc.).<br>
<br>Having a look at the STROKE_UP case, I noticed that it calls a function named <b>initiate_connection()</b>, which sends the <b>STR_INITIATE msg.type</b>. What I don't get is: how is the connection launched then?<br>
By the way, I could see that the message is sent through the socket with <b>send_stroke_msg(&amp;msg)</b>.<br><br>I believed that the <b>process()</b> function (in libcharon/plugins/stroke/stroke_socket.c) concerning the stroke request has to be called in order to launch an STR_INITIATE. But I cannot say what's happening once <b>send_stroke_msg()</b> returns.<br>
<br>Does strongSwan invoke the stroke_control_t.initiate implementation in order to send an IKE_INIT?<br><br>Well, I hope you could help me, guys!<br>Thanks in advance,<br><br clear="all">Daniel<br>
<br><br><div class="gmail_quote">2011/4/26 Yaron Sheffer <span dir="ltr"><<a href="mailto:yaronf.ietf@gmail.com">yaronf.ietf@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
Hi Daniel,<br>
<br>
the draft should be approved by the IESG (the main governing body of the IETF) in the next few weeks, and possibly earlier. After that, it may take a few months for it to be published as an RFC, but it will not (cannot) be changed significantly, or we will have to go through the approval process again. In other words, after IESG approval it is stable enough to be implemented safely.<br>
<br>
No, it wasn't developed under StrongSwan. Most of the ideas originated with my Cisco co-authors.<br>
<br>
The IPsec standards work takes place on the <a href="mailto:ipsec@ietf.org" target="_blank">ipsec@ietf.org</a> mailing list, which you might want to follow.<br>
<br>
Thanks,<br>
Yaron<div class="im"><br>
<br>
On 04/26/2011 11:55 AM, Daniel Palomares wrote:<br>
</div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div class="im">
Hi Yaron,<br>
<br>
Ok, I will take a look.<br>
<br>
Do you know (more or less) when you would have the response concerning<br>
the draft turning into an RFC? And have you developed this proposed draft<br>
under strongSwan?<br>
<br>
Thank you again,<br>
<br>
<br>
Daniel Palomares<br>
<br>
<br>
2011/4/24 Yaron Sheffer <<a href="mailto:yaronf.ietf@gmail.com" target="_blank">yaronf.ietf@gmail.com</a><br></div>
<mailto:<a href="mailto:yaronf.ietf@gmail.com" target="_blank">yaronf.ietf@gmail.com</a>>><div><div></div><div class="h5"><br>
<br>
Hi,<br>
<br>
we have an Internet draft that deals with exactly these issues:<br>
<a href="http://tools.ietf.org/html/draft-ietf-ipsecme-ipsecha-protocol-05" target="_blank">http://tools.ietf.org/html/draft-ietf-ipsecme-ipsecha-protocol-05</a><br>
<br>
This is a bit late in the game (we are already past IETF Last Call),<br>
but I suggest that you take a look, and I would appreciate any comments.<br>
<br>
Thanks,<br>
Yaron<br>
<br>
<br>
On 04/22/2011 10:53 AM, Martin Willi wrote:<br>
<br>
Hi Daniel,<br>
<br>
On the other hand, I don't get why an HA_IKE_ADD synchronization type message<br>
would be generated from an "ike_keys" listener. Could someone help me on this?<br>
<br>
<br>
We follow the IKEv2 protocol relatively strictly to synchronize IKE_SAs:<br>
we synchronize the information as soon as we get it. This allows us to<br>
keep as little additional state as possible for synchronization, and it<br>
was relatively easy to implement in the existing code base.<br>
<br>
The HA_IKE_ADD message is triggered during the IKE_SA_INIT exchange,<br>
where the key material is generated. This won't synchronize a complete<br>
IKE_SA yet, just what we get during IKE_SA_INIT. After establishment, we<br>
pass all the remaining state using HA_IKE_UPDATE.<br>
<br>
So I'm working on the transfer of a Security Association from one node<br>
to another; to achieve this I'm taking ideas from the ha_plugin, of course.<br>
My goal is not to synchronize every SA on a cluster but to take an SA<br>
whenever I want and then be able to install it anywhere else.<br>
<br>
<br>
We explicitly synchronize only basic information for kernel-level SAs,<br>
but not the sequence numbers. They are moving just too fast if you have<br>
traffic on the tunnel. If a node fails and you reuse the sequence<br>
numbers from a single second ago, your outgoing sequence numbers are<br>
already outdated and your traffic gets dropped. Therefore we use our<br>
extended ClusterIP functionality to keep sequence numbers in sync.<br>
<br>
Best regards<br>
Martin<br>
<br>
<br>
_______________________________________________<br>
Dev mailing list<br></div></div>
<a href="mailto:Dev@lists.strongswan.org" target="_blank">Dev@lists.strongswan.org</a> <mailto:<a href="mailto:Dev@lists.strongswan.org" target="_blank">Dev@lists.strongswan.org</a>><div class="im"><br>
<a href="https://lists.strongswan.org/mailman/listinfo/dev" target="_blank">https://lists.strongswan.org/mailman/listinfo/dev</a><br>
<br>
<br>
</div></blockquote>
</blockquote></div><br>
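Martin's point about stale ESP sequence numbers after a failover can be made concrete with a small anti-replay window. The following is an added example, not code from strongSwan's ha plugin or from anyone in this thread: it models the peer's inbound anti-replay window (64 bits, in the style of RFC 4303 Appendix A; the window size is an assumption) and a constructed scenario in which the active node has sent 5000 packets and the standby resumes transmitting from a synchronized-but-stale counter. The function names (replay_check, simulate_failover) and the packet counts are hypothetical.<br><br>

```c
/*
 * Added example (not strongSwan code): a 64-bit ESP anti-replay window in the
 * style of RFC 4303 Appendix A, used to show why a standby node that resumes
 * sending with stale outbound sequence numbers after a failover has its
 * traffic dropped by the peer. Window size and traffic counts are assumptions.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define REPLAY_WINDOW 64u   /* bits; RFC 4303 requires at least 32 */

typedef struct {
    uint32_t last;    /* highest sequence number accepted so far */
    uint64_t bitmap;  /* bit i set => sequence number (last - i) was received */
} replay_window_t;

static void replay_init(replay_window_t *w)
{
    w->last = 0;
    w->bitmap = 0;
}

/* Receiver side: accept seq and record it, or reject it as a replay / too old. */
static bool replay_check(replay_window_t *w, uint32_t seq)
{
    if (seq == 0) {
        return false;                     /* ESP sequence numbers start at 1 */
    }
    if (seq > w->last) {                  /* newer than anything seen: slide the window */
        uint32_t shift = seq - w->last;
        if (shift >= REPLAY_WINDOW) {
            w->bitmap = 0;                /* jumped past the whole window */
        } else {
            w->bitmap <<= shift;
        }
        w->bitmap |= 1;                   /* bit 0 now stands for seq itself */
        w->last = seq;
        return true;
    }
    uint32_t diff = w->last - seq;
    if (diff >= REPLAY_WINDOW) {
        return false;                     /* behind the window: dropped */
    }
    uint64_t bit = (uint64_t)1 << diff;
    if (w->bitmap & bit) {
        return false;                     /* already received: replay */
    }
    w->bitmap |= bit;                     /* late but within the window: accepted */
    return true;
}

/*
 * Failover simulation (constructed scenario). The active node has sent
 * sequence numbers 1..active_sent to the peer. Then the standby takes over
 * and continues from resume_at + 1, sending n packets. Returns how many of
 * those n packets the peer's anti-replay window accepts.
 */
static unsigned simulate_failover(uint32_t active_sent, uint32_t resume_at, unsigned n)
{
    replay_window_t peer;
    replay_init(&peer);

    for (uint32_t seq = 1; seq <= active_sent; seq++) {
        replay_check(&peer, seq);         /* traffic before the failure */
    }

    unsigned accepted = 0;
    for (unsigned i = 1; i <= n; i++) {
        if (replay_check(&peer, resume_at + i)) {
            accepted++;
        }
    }
    return accepted;
}

int main(void)
{
    /* 5000 packets before the failure, 100 sent by the standby afterwards. */
    printf("counter synced 1000 packets ago: %u/100 accepted\n",
           simulate_failover(5000, 4000, 100));
    printf("counter only 10 behind:          %u/100 accepted\n",
           simulate_failover(5000, 4990, 100));
    printf("counter kept in sync:            %u/100 accepted\n",
           simulate_failover(5000, 5000, 100));
    return 0;
}
```

The second case is the interesting one: a counter that is only ten packets behind still loses those ten as replays and only recovers once it climbs past the peer's highest accepted number, so anything short of keeping the outbound counter exactly in step (or deliberately jumping it ahead on takeover) produces a burst of drops right after the failover.<br>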