andreas.steffen at strongswan.org
Fri Jul 29 12:14:17 CEST 2011
Release candidate 2 is available, which includes Tobias' patches:
On 07/28/2011 05:49 PM, Tobias Brunner wrote:
> Hi Patricia,
> > it seems that some packets leave the tunnel during the handover
> > process.
> I just checked in some changes to fix this problem. These changes
> will be included in the upcoming 4.5.3 release.
> The reason for the behavior you are observing is that charon, when it
> updates an IPsec SA, as caused by MOBIKE, first deletes and then re-adds
> the policies in the kernel. Within the short timeframe during which no
> matching policy is installed in the kernel, unencrypted packets could
> have been transmitted. To avert this, the existing policies are now
> replaced with DROP policies which in turn get replaced with the new
> policies. The DROP policies effectively prevent any unencrypted packets
> from leaving (or entering) the host.
>  http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=fbedc6a4
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
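
The update ordering described in the quoted message, modelled as an added example (not strongSwan's code and not part of the original thread): a toy policy database is probed after every single operation to show which packet fates are observable during a delete-then-add update versus an old -> DROP -> new update. The function names, the selector and the addresses are hypothetical, and the rule that a packet with no matching policy leaves unencrypted is taken from the message.

```python
# Toy model of a kernel security policy database (SPD); all names are
# hypothetical and the addresses are constructed. Not strongSwan code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    action: str              # "ipsec" or "drop"
    tunnel: tuple = ()       # (local, remote) endpoints for "ipsec"

def fate(spd, key):
    """Fate of a packet matching key, given the policies installed now."""
    pol = spd.get(key)
    if pol is None:
        return "clear"       # assumption from the message: no policy, no encryption
    return "dropped" if pol.action == "drop" else "protected"

def install(spd, keys, pol):
    """One operation per key; pol=None deletes. Yields after each operation."""
    for k in keys:
        if pol is None:
            spd.pop(k, None)
        else:
            spd[k] = pol     # add, or replace the existing entry in one step
        yield

def delete_then_add(spd, keys, new):
    """Behaviour before the fix: delete the policies, then re-add them."""
    yield from install(spd, keys, None)
    yield from install(spd, keys, new)

def drop_then_replace(spd, keys, new):
    """Behaviour after the fix: old -> DROP -> new, never an empty slot."""
    yield from install(spd, keys, Policy("drop"))
    yield from install(spd, keys, new)

def observe(update):
    """Run an update and collect every packet fate seen between operations."""
    sel = ("10.1.0.0/24", "10.2.0.0/24")                    # constructed selector
    keys = [(sel, d) for d in ("out", "in")]
    spd = {k: Policy("ipsec", ("192.0.2.10", "198.51.100.1")) for k in keys}
    new = Policy("ipsec", ("203.0.113.7", "198.51.100.1"))  # after MOBIKE move
    seen = set()
    for _ in update(spd, keys, new):
        seen.update(fate(spd, k) for k in keys)
    return seen, {spd[k].tunnel for k in keys}

if __name__ == "__main__":
    for update in (delete_then_add, drop_then_replace):
        print(update.__name__, sorted(observe(update)[0]))
```

Both orderings end with the same policies installed; only the intermediate states differ, which is why the gap shows up only as a few stray packets during handover.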