[strongSwan-dev] handling phase 2 creation with Juniper SRX - is this a bug?

SM K sacho.polo at gmail.com
Mon Jul 14 19:57:23 CEST 2014


Hi Martin,

I tested the fix and it works. Thank you for the patch.
I concur with your explanation above. I think this fix can go into the main
branch.

Thanks,
sach


On Mon, Jul 14, 2014 at 2:12 AM, Martin Willi <martin at strongswan.org> wrote:

> Hi,
>
> > In process_r, you check if the informational message is a DELETE
> > message. Is this necessary? I am concerned that if this message is not
> > a delete, but another informational message that the FW sends for
> > whatever reason, we return SUCCESS, which would delete this task and
> > could lead to the same problem.
>
> This is the original behavior we had, and I'd like to avoid changing
> that if there is no specific reason to do so.
>
> Unfortunately IKEv1 is not that well standardized that we can predict
> the peer behavior. It is actually possible that it indicates Quick mode
> failure with such an INFORMATIONAL (where returning SUCCESS is the
> correct behavior). It will most likely include a notify payload then,
> but not sure if we can rely on that.
>
> The only non-delete INFORMATIONALs that I can think of at this stage are
> DPD checks. These are caught in the task manager and never hit the task,
> so should be no problem.
>
> Regards
> Martin
>
>