[strongSwan] MOBIKE
Andreas Steffen
andreas.steffen at strongswan.org
Fri Jul 29 12:14:17 CEST 2011

Hello Patricia,

release candidate 2 is available which includes Tobias' patches:

http://download.strongswan.org/strongswan-4.5.3rc2.tar.bz2

Regards

Andreas

On 07/28/2011 05:49 PM, Tobias Brunner wrote:
> Hi Patricia,
>
> > it seems that some packets leave the tunnel during the handover
> > process.
>
> I just checked in some changes to fix this problem [1]. These changes
> will be included in the upcoming 4.5.3 release.
>
> The reason for the behavior you are observing is that charon, when it
> updates an IPsec SA, as caused by MOBIKE, first deletes and then re-adds
> the policies in the kernel. Within the short timeframe during which no
> matching policy is installed in the kernel, unencrypted packets could
> have been transmitted. To avert this, the existing policies are now
> replaced with DROP policies, which in turn get replaced with the new
> policies. The DROP policies effectively prevent any unencrypted packets
> from leaving (or entering) the host.
>
> Regards,
> Tobias
>
> [1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=fbedc6a4
> http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=d7a59f19
> http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=f1c1965d
>
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
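
The policy update sequence described in Tobias' reply, as an added example that is not part of the original thread and is not strongSwan code: a toy model of a kernel policy database that sends one packet after each step of the update and records what happens to it. The selector, the addresses and all function names are constructed for illustration, and the model assumes, as the thread describes, that a packet with no matching policy leaves the host unencrypted.

```python
# Toy model of a kernel security policy database (SPD). Illustration only:
# this is not strongSwan or kernel code, and all names here are hypothetical.
CLEARTEXT, PROTECTED, DROPPED = "cleartext", "esp", "dropped"

def classify(spd, selector):
    """Fate of an outbound packet matching `selector` at this instant.
    Assumption from the thread: no matching policy means it leaves unencrypted."""
    policy = spd.get(selector)
    if policy is None:
        return CLEARTEXT
    return DROPPED if policy["action"] == "block" else PROTECTED

def update_delete_then_add(spd, selector, new_policy):
    """Behaviour before the fix: delete the policy, then re-add it."""
    del spd[selector]
    yield "policy deleted"
    spd[selector] = new_policy
    yield "new policy installed"

def update_via_drop(spd, selector, new_policy):
    """Behaviour after the fix: replace with DROP, then with the new policy."""
    spd[selector] = {"action": "block"}
    yield "DROP policy in place"
    spd[selector] = new_policy
    yield "new policy installed"

def observe(update):
    """Send one packet after every step of `update`; return (step, fate) pairs."""
    # Constructed sample: tunnel selector plus old and new outer addresses.
    selector = ("10.1.0.0/16", "10.2.0.0/16", "out")
    spd = {selector: {"action": "allow", "tmpl": ("192.0.2.10", "198.51.100.1")}}
    new_policy = {"action": "allow", "tmpl": ("203.0.113.20", "198.51.100.1")}
    outcomes = [("before update", classify(spd, selector))]
    for step in update(spd, selector, new_policy):
        outcomes.append((step, classify(spd, selector)))
    return outcomes

if __name__ == "__main__":
    for name, update in (("delete-then-add", update_delete_then_add),
                         ("replace via DROP", update_via_drop)):
        print(name)
        for step, fate in observe(update):
            print(f"  {step:22} -> {fate}")
```
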