[strongSwan-dev] handling phase 2 creation with Juniper SRX - is this a bug?

Martin Willi martin at strongswan.org
Mon Jul 14 11:12:17 CEST 2014


> In process_r, you check if the informational message is a DELETE
> message. Is this necessary? I am concerned that if this message is not
> a delete, but another informational message that the FW sends for
> whatever reason, we return SUCCESS, which would delete this task and
> could lead to the same problem.

This is the original behavior we had, and I'd like to avoid changing
that if there is no specific reason to do so.

Unfortunately, IKEv1 is not so well standardized that we can predict
the peer behavior. It is actually possible that it indicates Quick Mode
failure with such an INFORMATIONAL (where returning SUCCESS is the
correct behavior). It will most likely include a notify payload then,
but I'm not sure if we can rely on that.

The only non-delete INFORMATIONALs that I can think of at this stage are
DPD checks. These are caught in the task manager and never hit the task,
so they should be no problem.


