[strongSwan-dev] 5.2.2 - Bug in child SA interface to kernel?
martin at strongswan.org
Fri Mar 6 14:22:52 CET 2015
> The 3rd to last argument to "add_sa" is the "update" flag, but the kernel
> interface specifies this as the "inbound" flag.
The logic is actually correct, because "inbound" SAs must be installed
as "update" operation in most backends. For inbound SAs, an SPI has been
previously allocated, and the Netlink and PF_KEY interfaces expect an
"update" instead of an "add" operation for that SA.
I agree that it makes sense to just pass the inbound flag and let the
kernel backend decide what is required to do. This has been changed some
time ago in the master branch with .
More information about the Dev