[strongSwan] MOBIKE
Tobias Brunner
tobias at strongswan.org
Thu Jul 28 17:49:04 CEST 2011
Hi Patricia,
> it seems that some packets leave the tunnel during the handover
> process.
I just checked in some changes to fix this problem [1]. These changes
will be included in the upcoming 4.5.3 release.
The reason for the behavior you are observing is that charon, when it
updates an IPsec SA, as caused by MOBIKE, first deletes and then re-adds
the policies in the kernel. Within the short timeframe during which no
matching policy is installed in the kernel, unencrypted packets could
have been transmitted. To avert this, the existing policies are now
replaced with DROP policies which in turn get replaced with the new
policies. The DROP policies effectively prevent any unencrypted packets
from leaving (or entering) the host.
Regards,
Tobias
[1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=fbedc6a4
http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=d7a59f19
http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=f1c1965d
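The window described in the message, as an added illustration that is not strongSwan's own code: a small model of the kernel's outbound policy lookup (first matching entry wins; a flow with no matching policy is sent unprotected), run once with the plain delete-then-add update and once with the interim DROP policy. The addresses and selectors are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Policy:
    """One outbound SPD entry: traffic selector plus the action for matches."""
    src: str                 # traffic selectors, e.g. "10.1.0.0/24" (constructed)
    dst: str
    action: str              # "PROTECT" (send through the IPsec SA) or "DROP"
    peer: str = ""           # remote tunnel endpoint of the SA (PROTECT only)

    def matches(self, src_ip, dst_ip):
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))

def verdict(spd, src_ip, dst_ip):
    """Outbound decision for one packet against a list of policies,
    mimicking the kernel: first match wins, no match means bypass."""
    for p in spd:
        if p.matches(src_ip, dst_ip):
            return "DROPPED" if p.action == "DROP" else f"ESP->{p.peer}"
    return "PLAINTEXT"   # no policy covers this flow: packet leaves unprotected

def handover(drop_first, pkt=("10.1.0.5", "10.2.0.9")):
    """Update the SA's policy from the old to the new peer address and
    return the verdicts for one packet sent before, during and after."""
    old = Policy("10.1.0.0/24", "10.2.0.0/24", "PROTECT", "192.0.2.10")
    new = Policy("10.1.0.0/24", "10.2.0.0/24", "PROTECT", "198.51.100.7")
    spd = [old]
    before = verdict(spd, *pkt)
    if drop_first:
        gap = Policy(old.src, old.dst, "DROP")   # covers the selector meanwhile
        spd.remove(old); spd.append(gap)
        during = verdict(spd, *pkt)
        spd.remove(gap); spd.append(new)
    else:
        spd.remove(old)                          # nothing matches the selector now
        during = verdict(spd, *pkt)
        spd.append(new)
    after = verdict(spd, *pkt)
    return before, during, after

if __name__ == "__main__":
    print("delete-then-add:", handover(drop_first=False))
    print("drop-first:     ", handover(drop_first=True))
```

A packet hitting the gap is sent in the clear in the first variant and discarded in the second; after the update both variants protect traffic towards the new peer.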