tobias at strongswan.org
Thu Jul 28 17:49:04 CEST 2011
> it seems that some packets leave the tunnel during the handover
I just checked in some changes to fix this problem. These changes
will be included in the upcoming 4.5.3 release.
The reason for the behavior you are observing is that charon, when it
updates an IPsec SA, as caused by MOBIKE, first deletes and then re-adds
the policies in the kernel. Within the short timeframe during which no
matching policy is installed in the kernel, unencrypted packets could
have been transmitted. To avert this the existing policies are now
replaced with DROP policies which in turn get replaced with the new
policies. The DROP policies effectively prevent any unencrypted packets
from leaving (or entering) the host.
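To make the difference between the two update orderings concrete, here is an added illustration (not charon's or strongSwan's code): a toy model of the kernel policy table in which a packet is sent at every intermediate step of an SA update. The selectors and SA names are constructed sample values, and the table matches selectors exactly rather than by longest prefix.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    src: str      # traffic selector (constructed sample values below)
    dst: str
    action: str   # "ipsec" (protect with the named SA) or "drop"
    sa: str = ""  # SA this policy points at; differs before/after the MOBIKE handover

class KernelPolicyTable:
    """Toy stand-in for the kernel's SPD: exact selector match, one policy per selector."""
    def __init__(self):
        self.policies = {}

    def install(self, p):            # add, or replace in place
        self.policies[(p.src, p.dst)] = p

    def delete(self, src, dst):
        self.policies.pop((src, dst), None)

    def fate_of_outbound(self, src, dst):
        """What happens to a packet that matches the selector right now."""
        p = self.policies.get((src, dst))
        if p is None:
            return "PLAINTEXT"       # no policy at all: the kernel sends it in the clear
        return "encrypted" if p.action == "ipsec" else "dropped"

def update_delete_then_add(table, old, new):
    """Pre-fix ordering: between the two steps the selector has no policy."""
    table.delete(old.src, old.dst)
    yield "after delete"
    table.install(new)
    yield "after add"

def update_via_drop(table, old, new):
    """Fixed ordering: each intermediate state either protects or drops."""
    table.install(Policy(old.src, old.dst, "drop"))
    yield "after replace with DROP"
    table.install(new)
    yield "after replace with new"

def packet_fates(updater):
    """Send one packet at every intermediate step of an SA update; return step -> fate."""
    table = KernelPolicyTable()
    old = Policy("10.1.0.0/16", "10.2.0.0/16", "ipsec", sa="sa-before-handover")
    new = Policy("10.1.0.0/16", "10.2.0.0/16", "ipsec", sa="sa-after-handover")
    table.install(old)
    return {step: table.fate_of_outbound(old.src, old.dst) for step in updater(table, old, new)}
```

Running `packet_fates` with each updater shows the old ordering has a step where the packet leaves as PLAINTEXT, while the DROP-based ordering never does.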