[strongSwan-dev] need for calling TASK_IKE_CONFIG before TASK_CHILD_CREATE in task_manager_v2.c
martin at strongswan.org
Thu Mar 5 10:25:53 CET 2015
> What is the need for activate the TASK_IKE_CONFIG before
While these tasks get executed during the same exchange(s) with an
IKE_AUTH piggybacked CHILD_SA, the order is still important. If a
virtual IP is negotiated, this must be done beforehand. The CHILD_SA
IPsec policy usually depends/derives from that virtual IP, as the tunnel
usually is negotiated explicitly to the assigned IP.
> Logically ip address assignment should succeed TASK_CHILD_CREATE.
No, that won't work in strongSwan. CHILD_SA setup depends on the virtual
IP to install IPsec policies and associated routing entries.
More information about the Dev