[strongSwan-dev] rationale of reqid update on responder side

Christophe Gouault christophe.gouault at 6wind.com
Tue May 21 17:22:27 CEST 2013


Hi strongswan developers,

I am wondering about the way policy reqids are handled by charon.

As far as I understand, for each connection in ipsec.conf, a CHILD_SA is 
routed: a trap CHILD_SA
is created with an initial reqid, and IPsec policies are configured in 
the kernel with this reqid.

When completing a negotiation as initiator, a CHILD_SA is created with 
the reqid unchanged.
When completing a negotiation as responder, a CHILD_SA is created with 
an incremented reqid and
the policy is updated accordingly.

Why does charon behave differently whether it is initiator or responder?
What is the purpose of changing the CHILD_SA reqid in the responder case?


Changing the reqid when responder has 2 adverse effects:

- IPsec SAs previously negotiated for this policy can no more be used
   (although the remote initiator may still use them)
- the reqid is used to identify various objects, but some of them are 
not updated.
   For example, if the responder (our side) later tries to initiate a 
negotiation,
   the acquire message is dropped,because the trap CHILD_SA that was 
supposed
   to handle it is still configured with the old reqid.

Sorry if this question was already asked, but could someone explain me 
the rationale of reqid update on responder side?

Best Regards,
Christophe




More information about the Dev mailing list