[strongSwan-dev] 5.2.2 - Bug in child SA interface to kernel?

Ryan Ruel ryan at ryanruel.com
Fri Mar 6 14:39:39 CET 2015

Ah ok.  That makes sense, thanks Martin.


On Fri, Mar 6, 2015 at 8:22 AM, Martin Willi <martin at strongswan.org> wrote:

> Hi Ryan,
>
> > The 3rd to last argument to "add_sa" is the "update" flag, but the kernel
> > interface specifies this as the "inbound" flag.
>
> The logic is actually correct, because "inbound" SAs must be installed
> as "update" operation in most backends. For inbound SAs, an SPI has been
> previously allocated, and the Netlink and PF_KEY interfaces expect an
> "update" instead of an "add" operation for that SA.
>
> I agree that it makes sense to just pass the inbound flag and let the
> kernel backend decide what is required to do. This has been changed some
> time ago in the master branch with [1].
>
> Regards
> Martin
>
> [1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=698ed656