[strongSwan-dev] 5.2.2 - Bug in child SA interface to kernel?
Martin Willi
martin at strongswan.org
Fri Mar 6 14:22:52 CET 2015
Hi Ryan,

> The 3rd to last argument to "add_sa" is the "update" flag, but the kernel
> interface specifies this as the "inbound" flag.

The logic is actually correct, because "inbound" SAs must be installed
as "update" operation in most backends. For inbound SAs, an SPI has been
previously allocated, and the Netlink and PF_KEY interfaces expect an
"update" instead of an "add" operation for that SA.

I agree that it makes sense to just pass the inbound flag and let the
kernel backend decide what is required to do. This has been changed some
time ago in the master branch with [1].

Regards
Martin

[1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=698ed656