[strongSwan] MOBIKE

Tobias Brunner tobias at strongswan.org
Thu Jul 28 17:49:04 CEST 2011

Hi Patricia,

> it seems that some packets leave the tunnel during the handover
> process.

I just checked in some changes to fix this problem [1].  These changes 
will be included in the upcoming 4.5.3 release.

The reason for the behavior you are observing is that charon, when it 
updates an IPsec SA, as caused by MOBIKE, first deletes and then re-adds 
the policies in the kernel.  Within the short timeframe during which no 
matching policy is installed in the kernel, unencrypted packets could 
have been transmitted.  To avert this the existing policies are now 
replaced with DROP policies which in turn get replaced with the new 
policies.  The DROP policies effectively prevent any unencrypted packets 
from leaving (or entering) the host.


[1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=fbedc6a4
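An added illustration, not code from strongSwan or from the message above: a small Python model of the kernel's policy table that compares the two update orders described in the reply. The "delete then re-add" sequence passes through a state in which no policy matches the traffic selector, so an outbound packet in that window would leave in the clear; the "replace with DROP, then replace with the new policy" sequence never has such a state. The selectors, reqid and peer addresses are constructed sample values, and the lookup is deliberately simplified (no priorities, no direction/level handling) to show only the ordering invariant.

```python
"""Model of the IPsec policy-update race discussed in the strongSwan reply.

This is an added illustration, not strongSwan's implementation.  The kernel
policy table is modelled as a dict keyed by a (src, dst) traffic selector.
An outbound packet that matches no policy is sent in plaintext, one that
matches a DROP policy is discarded, and one that matches a PROTECT policy
is encrypted towards the configured peer.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Selector = Tuple[str, str]          # (source subnet, destination subnet)


@dataclass(frozen=True)
class Policy:
    action: str                     # "protect" or "drop"
    reqid: int = 0                  # links the policy to an IPsec SA (constructed)
    peer: str = ""                  # tunnel endpoint used by the SA (constructed)


def outbound_fate(table: Dict[Selector, Policy], sel: Selector) -> str:
    """What happens to an outbound packet matching `sel` in the current table."""
    pol = table.get(sel)
    if pol is None:
        return "plaintext"          # no policy at all: the leak the reporter saw
    if pol.action == "drop":
        return "dropped"
    return f"encrypted->{pol.peer}"


Trace = List[Tuple[str, str]]       # (step description, packet fate after step)


def naive_update(table: Dict[Selector, Policy], sel: Selector, new: Policy) -> Trace:
    """Old behaviour: delete the policy, then add the updated one."""
    trace: Trace = []
    del table[sel]                                  # window with no matching policy
    trace.append(("deleted old policy", outbound_fate(table, sel)))
    table[sel] = new
    trace.append(("added new policy", outbound_fate(table, sel)))
    return trace


def drop_then_replace(table: Dict[Selector, Policy], sel: Selector, new: Policy) -> Trace:
    """Fixed behaviour: replace in place with DROP, then replace with the new policy."""
    trace: Trace = []
    table[sel] = Policy("drop")                     # selector is never unmatched
    trace.append(("replaced with DROP", outbound_fate(table, sel)))
    table[sel] = new
    trace.append(("replaced with new policy", outbound_fate(table, sel)))
    return trace


def leaks_plaintext(trace: Trace) -> bool:
    """True if any intermediate state would let traffic out unencrypted."""
    return any(fate == "plaintext" for _, fate in trace)


def demo() -> Tuple[Trace, Trace]:
    """Run both strategies for a MOBIKE-style peer address change (constructed data)."""
    sel: Selector = ("10.0.0.0/24", "10.1.0.0/24")
    old = Policy("protect", reqid=1, peer="198.51.100.1")   # before handover
    new = Policy("protect", reqid=1, peer="203.0.113.7")    # after handover
    naive = naive_update({sel: old}, sel, new)
    safe = drop_then_replace({sel: old}, sel, new)
    return naive, safe


if __name__ == "__main__":
    for name, trace in zip(("naive", "drop-then-replace"), demo()):
        print(f"{name}: leaks plaintext = {leaks_plaintext(trace)}")
        for step, fate in trace:
            print(f"  {step:28s} -> {fate}")
```

The point of the model is the invariant `leaks_plaintext(trace) is False` for every intermediate state, which is what the DROP placeholder policy guarantees; a real deployment can verify the same property by watching `ip xfrm policy` (or an equivalent tool) and the outer interface for cleartext during a handover.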
