[strongSwan] IKE_SA state change question?

Martin Willi martin at strongswan.org
Tue Jun 24 09:54:03 CEST 2014


Mark,

> I do find that checking that get_message_id(message) == 3 in build_i()
> is "just before" my initiator sends an IKE_AUTH level 3 message, which
> is what I want.

What's a "level 3" IKE_AUTH message?

> But is there any other (better) way of determining where I am in the
> IKE_AUTH message exchange?

There are many things to consider; IKE_AUTH may use an arbitrary number
of exchanges, for example in EAP, but also with RFC 4739 Multiple
Authentication. 

> I don't think message_id 3 equates to IKE_AUTH phase 3.

What's IKE_AUTH "phase 3"? Message IDs are incremental in IKEv2, which
means the first IKE_AUTH exchange uses message ID 1. But you can't
determine what's the message ID of the last IKE_AUTH exchange, as the
number of exchanges is variable.

> Basically, I'm trying to trigger on when it seems all hurdles have
> been cleared in the IKE_AUTH exchange and we're "just about" to conclude
> success (specifically, my initiator has received an EAP-challenge, has
> offered a result and the responder has accepted that (so I'm over all of
> those hurdles), ... I then want to trigger something, before getting back
> the TSs etc.

There are a bunch of hooks in [1] that allow a listener to catch some of
these events. If you just want to catch about-to-complete IKE_SAs, use
the authorize() hook and act if the "final" flag is set. If you have to
mangle traffic selectors, use the narrow() hook.

If none of these hooks works, you may use the message() hook and check
for specific state. As responder, when sending the last IKE_AUTH
response the IKE_SA state is ESTABLISHED; on the initiator you may check
for the presence of specific payloads in the message.

Regards
Martin

[1]http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/bus/listeners/listener.h
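The authorize() approach Martin recommends, as an added example (not strongSwan's own code and not from this thread): a listener that ignores the non-final authorize() calls of a multi-round IKE_AUTH (EAP, multiple authentication) and fires exactly once when "final" is set, so it does not depend on counting message IDs. To compile stand-alone it uses minimal stand-in types that are assumed to mirror the authorize() parameter list of the real listener_t in [1]; a real plugin includes that header and registers the listener with charon's bus instead of the constructed driver below.

```c
#include <stdbool.h>

/* Stand-ins so this compiles without libcharon (assumption: the real
 * listener_t in src/libcharon/bus/listeners/listener.h has the same
 * authorize() parameter list; a plugin includes that header instead). */
typedef struct ike_sa_t { const char *name; } ike_sa_t;
typedef struct listener_t listener_t;
struct listener_t {
    /* return TRUE to stay registered, FALSE to unregister the listener;
     * set *success = FALSE to reject the IKE_SA */
    bool (*authorize)(listener_t *this, ike_sa_t *ike_sa, bool final,
                      bool *success);
};

typedef struct {
    listener_t public;  /* first member, so the hook can cast back */
    int rounds_seen;    /* non-final authorize() calls, e.g. EAP rounds */
    int triggered;      /* how often the "about to complete" action ran */
} trigger_listener_t;

static bool authorize_hook(listener_t *this, ike_sa_t *ike_sa, bool final,
                           bool *success)
{
    trigger_listener_t *l = (trigger_listener_t *)this;
    if (!final)
    {   /* another authentication round is still pending: nothing to do */
        l->rounds_seen++;
        return true;
    }
    /* every authentication round has passed: the point to act on, with
     * the number of preceding rounds irrelevant to the decision */
    l->triggered++;
    /* leave *success untouched to accept; *success = false would reject */
    return true;
}

/* Constructed driver standing in for charon's bus: eap_rounds non-final
 * authorize() calls followed by the final one. Returns the trigger count,
 * or -1 if the listener rejected the IKE_SA. */
static int run_authorize_sequence(int eap_rounds, int *rounds_seen)
{
    trigger_listener_t l = { { authorize_hook }, 0, 0 };
    ike_sa_t sa = { "constructed-ike-sa" };
    bool success = true;
    for (int i = 0; i < eap_rounds; i++)
        l.public.authorize(&l.public, &sa, false, &success);
    l.public.authorize(&l.public, &sa, true, &success);
    *rounds_seen = l.rounds_seen;
    return success ? l.triggered : -1;
}
```

Whether the sequence has zero or several intermediate rounds, the trigger fires once, which is what message-ID checks cannot guarantee.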


