[strongSwan-dev] [PATCH 0/8] Rebased dmvpn patches for strongSwan 5.3.0

Timo Teras timo.teras at iki.fi
Mon May 4 14:31:32 CEST 2015

On Mon, 04 May 2015 13:49:53 +0200
Martin Willi <martin at strongswan.org> wrote:

> Timo,
> > This is resend of the patches related to my dmvpn work. The
> > patch sethas been rebased for strongSwan 5.3.0. I've verified
> > that the first five patches work as expected. Please consider
> > applying them.
> Thanks for respinning the patches. For now I've applied patches 1-4 to
> master with some minor style changes. Tobias may better judge the
> remaining patches, as he has done and knows better that trap-any work.

Thanks. Please consider applying the fifth patch also. It is not
related to trap-any as such. And in fact, the trap-any patches are
optional for dmvpn (depending what type of ipsec policy one wants to
use). I'm actually leaning towards defaulting to not using it.

I do have few follow up patches also in queue. To pass the remote's
certificate for {ike,child}-updown notifications.

The other patch is for allowing to subscribe ike/child-sa state change
notifications on state type bases. This seems to be potentially
unneeded if the -updown notification down trigger gets fixed.
Apparently the down notification is sent when a child-sa in INSTALLED
state gets deleted. But this is wrong if e.g. that SA gets deleted and
other REKEYED SAs exist still. This seems to be related to:

But I'll try to finish up my quagga/nhrp module to usable state next,
and then send all remaining patches. Lot of code already exists, and
the vici interface is completed mostly. I should have a development
version out soon(ish).


More information about the Dev mailing list