[strongSwan] Configuration Payload for IP Address Assignment Error Cases
martin at strongswan.org
Tue Jun 26 18:04:08 CEST 2012
> 2. the SeGW replies with an INTERNAL_ADDRESS_FAILURE notification
This is how a responder should behave if it doesn't hand out internal
addresses. As a client, strongSwan does not create an associated
CHILD_SA, because the gateway usually does not include the SA/TS
payloads with this error.
By default, strongSwan keeps the IKE_SA up, unless the strongswan.conf
option charon.close_ike_on_child_failure is set to yes.
> 1. the SeGW replies with an configuration payload reply containing and
> "empty" address (length = 0)
strongSwan interprets this as a 0.0.0.0 address, but still tries to
install it. This seems to be rather problematic with our netlink kernel
interface. The kernel seems to ACK the installation, but does never
confirm it by sending a notification. As we have to wait for this
confirmation to go on with the CHILD_SA installation, the thread hangs.
I've pushed a patch  that improves the situation by just ignoring the
virtual IP, changing the behavior to the description below.
> 3. the SeGW does not generates a configuration payload reply nor a
> failure notification (e.g., it does not provide any support for
> configuration payload)
It depends on how the responder narrows the Traffic Selector for the
client. If it gets narrowed to the physical IP (or something that
contains it), the CHILD_SA will get established using this IP for the
local IPsec policy.
More information about the Users