[strongSwan-dev] [strongSwan] role of High Aavailibity plugin in installing ipsec SA keys when there is only one node in Android Client

Ravi Kanth Vanapalli vvnrk.vanapalli at gmail.com
Thu Jan 8 14:15:49 CET 2015


Dear Martin Willi,

 Thank you for clarifying this.
  Reason I asked this is I see some code in derive_keys() function in file
ike_init.c

if (!this->keymat->derive_ike_keys(this->keymat, this->proposal, this->dh,
   nonce_i, nonce_r, id, prf_alg, skd))
{
return FALSE;
}
charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh, chunk_empty,
  nonce_i, nonce_r, this->old_sa, NULL);

My query here was, how the keys which are computed in derive_ike_keys
function get stored in the IKE_SA.
As I see this function updates the keys in 'this->keymat'  Here 'this'
refers to ike_sa_init_t  // which is the ike sa init task..created for
performing IKE_SA_INIT exchange. How is the change of keymat in IKE_SA_INIT
task affecting the IKE_SA.

I was thinking the call to 'charonn->bus->ike_keys' updates the keys in
IKE_SA. This function ike_keys has been added by HA plugin.  Now that you
confirmed that HA plugin is not activated in android, Now i am back to my
to square one.

Could you help me point to the potential code which updates the IKE_SA keys
computed after IKE_SA_INIT exchange into IKE_SA
Your input is highly appreciated.

Thanks,
Ravikanth

On Thu, Jan 8, 2015 at 5:42 AM, Martin Willi <martin at strongswan.org> wrote:

> Hi,
>
> >  1)  There is only one node.. i.e the android client.  Why would be the
> >      need to use a HA plugin here.
>
> There really is none. The HA plugin synchronizes SA state between nodes
> in a gateway cluster. It really makes no sense to enable the plugin on
> your Android client device.
>
> Regards
> Martin
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20150108/f84f9ffb/attachment.html>


More information about the Dev mailing list