[strongSwan] MOBIKE

Andreas Steffen andreas.steffen at strongswan.org
Fri Jul 29 12:14:17 CEST 2011

Hello Patricia,

release candidate 2 is available which includes Tobias' patches:




On 07/28/2011 05:49 PM, Tobias Brunner wrote:
> Hi Patricia,
>
>  > it seems that some packets leave the tunnel during the handover
>  > process.
>
> I just checked in some changes to fix this problem [1].  These changes
> will be included in the upcoming 4.5.3 release.
>
> The reason for the behavior you are observing is that charon, when it
> updates an IPsec SA, as caused by MOBIKE, first deletes and then re-adds
> the policies in the kernel.  Within the short timeframe during which no
> matching policy is installed in the kernel, unencrypted packets could
> have been transmitted.  To avert this, the existing policies are now
> replaced with DROP policies which in turn get replaced with the new
> policies.  The DROP policies effectively prevent any unencrypted packets
> from leaving (or entering) the host.
>
> Regards,
> Tobias
>
> [1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=fbedc6a4
>      http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=d7a59f19
>      http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=f1c1965d

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
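
The policy-update race described in the quoted message, as an added example that is not part of the original thread and is not strongSwan code: a toy model of a policy table that walks through every intermediate state of both update orders and records what happens to protected traffic. The selectors, peer addresses and function names are constructed for illustration, and the model assumes a packet with no matching policy is forwarded unprotected.

```python
from typing import Callable, Dict, Iterator, List, Optional, Set, Tuple

Selector = Tuple[str, str]            # (source subnet, destination subnet)
Policy = Tuple[str, Optional[str]]    # ("ipsec", tunnel peer) or ("drop", None)
SPD = Dict[Selector, Policy]          # toy stand-in for the kernel policy table

def verdict(spd: SPD, sel: Selector) -> str:
    """Fate of a packet matching sel in the given policy table state."""
    pol = spd.get(sel)
    if pol is None:
        return "cleartext"            # assumption: no policy means routed unprotected
    return "encrypted" if pol[0] == "ipsec" else "dropped"

def delete_then_add(spd: SPD, sels: List[Selector], new_peer: str) -> Iterator[SPD]:
    """Update order that leaks: remove the old policies, then install new ones."""
    for s in sels:
        del spd[s]
        yield dict(spd)               # snapshot of each intermediate state
    for s in sels:
        spd[s] = ("ipsec", new_peer)
        yield dict(spd)

def drop_then_replace(spd: SPD, sels: List[Selector], new_peer: str) -> Iterator[SPD]:
    """Fixed order: overwrite with DROP first, then overwrite DROP with new policies."""
    for s in sels:
        spd[s] = ("drop", None)
        yield dict(spd)
    for s in sels:
        spd[s] = ("ipsec", new_peer)
        yield dict(spd)

def exposure(update: Callable[[SPD, List[Selector], str], Iterator[SPD]],
             sels: List[Selector], old_peer: str, new_peer: str) -> Set[str]:
    """All verdicts protected traffic can receive while the update is in progress."""
    spd: SPD = {s: ("ipsec", old_peer) for s in sels}
    seen: Set[str] = set()
    for state in update(spd, sels, new_peer):
        seen.update(verdict(state, s) for s in sels)
    return seen

# Constructed sample data: one outbound and one inbound selector, documentation peers.
SELECTORS = [("10.1.0.0/16", "10.2.0.0/16"), ("10.2.0.0/16", "10.1.0.0/16")]
OLD_PEER, NEW_PEER = "192.0.2.1", "198.51.100.7"

if __name__ == "__main__":
    for fn in (delete_then_add, drop_then_replace):
        print(fn.__name__, sorted(exposure(fn, SELECTORS, OLD_PEER, NEW_PEER)))
```

The property to check in any policy-update path is that "cleartext" never appears in the set of verdicts; packets dropped during the handover are an availability cost, not a confidentiality leak.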
