[strongSwan] MOBIKE
Tobias Brunner
tobias at strongswan.org
Mon Aug 29 17:56:34 CEST 2011
Hi Patricia,
> Can this packet be tunneled at that point? are initiator and responder
> updating the SAs after the liveness test? I think this packet should not
> be received through the tunnel until the handover process ends.
>
> Is the return routability check activated by default? by who?
In the current implementation charon as the initiator of a MOBIKE
exchange updates the IPsec SAs right after it determined a working
address pair. At the same time, it sends the address update which also
includes a COOKIE2 payload, thus, is acting as routability check. The
responder only updates the addresses of the IPsec SAs after receiving an
address update. Since the observed ESP packet and the address update do
not necessarily have to arrive in that order, it could very well be that
the other peer successfully receives the ESP packet.
Regards,
Tobias
More information about the Users
mailing list