[strongSwan-dev] need for calling TASK_IKE_CONFIG before TASK_CHILD_CREATE in task_manager_v2.c

Ravikanth Gmail vvnrk.vanapalli at gmail.com
Thu Mar 5 14:32:03 CET 2015


Dear Martin,
When the tunnel endpoint assigns us a virtual IP, can't we use this virtual IP and proceed with child SA setup?
Why should IP address assignment to the interface happen first and then child SA setup proceed? For the child SA to be set up, strongSwan's internal data structures already have the virtual IP.
My understanding was that IP address assignment to the interface can happen later, after the child SA is negotiated with the tunnel endpoint using the virtual IP stored in the strongSwan internal data structures.
Please let me know your thoughts on this approach.

Thanks,
Ravikanth

> On Mar 5, 2015, at 4:25 AM, Martin Willi <martin at strongswan.org> wrote:
> 
> Hi,
> 
> >> What is the need for activating TASK_IKE_CONFIG before
> >> TASK_CHILD_CREATE?
> 
> While these tasks get executed during the same exchange(s) with an
> IKE_AUTH piggybacked CHILD_SA, the order is still important. If a
> virtual IP is negotiated, this must be done beforehand. The CHILD_SA
> IPsec policy usually depends/derives from that virtual IP, as the tunnel
> usually is negotiated explicitly to the assigned IP.
> 
>> Logically ip address assignment should succeed TASK_CHILD_CREATE.
> 
> No, that won't work in strongSwan. CHILD_SA setup depends on the virtual
> IP to install IPsec policies and associated routing entries.
> 
> Regards
> Martin
> 

