[strongSwan] IKE_SA state change question?

Mark Enstone mark at m-87.com
Tue Jun 24 11:59:31 CEST 2014


Excellent, thank you. (By "level 3" or "phase 3", I just meant the third of
a variable number of IKE_AUTH exchanges.)
~Mark

On Tuesday, June 24, 2014, Martin Willi <martin at strongswan.org> wrote:

> Mark,
>
> > I do find that checking that get_message_id(message) == 3 in build_i()
> > is "just before" my initiator sends an IKE_AUTH level 3 message, which
> > is what I want.
>
> What's a "level 3" IKE_AUTH message?
>
> > But is there any other (better) way of determining where I am in the
> > IKE_AUTH message exchange?
>
> There are many things to consider; IKE_AUTH may use an arbitrary number
> of exchanges, for example in EAP, but also with RFC 4739 Multiple
> Authentication.
>
> > I don't think message_id 3 equates to IKE_AUTH phase 3.
>
> What's IKE_AUTH "phase 3"? Message IDs are incremental in IKEv2, which
> means the first IKE_AUTH exchange uses message ID 1. But you can't
> determine what's the message ID of the last IKE_AUTH exchange, as the
> number of exchanges is variable.
>
> > Basically, I'm trying to trigger on when it seems all hurdles have
> > been cleared in the IKE_AUTH exchange and we're "just about" to conclude
> > success (specifically, my initiator has received an EAP-challenge, has
> > offered a result and the responder has accepted that (so I'm over all of
> > those hurdles), ... I then want to trigger something, before getting back
> > the TSs etc.
>
> There is a bunch of hooks in [1] that allow a listener to catch some of
> these events. If you just want to catch about-to-complete IKE_SAs, use
> the authorize() hook and act if the "final" flag is set. If you have to
> mangle traffic selectors, use the narrow() hook.
>
> If none of these hooks works, you may use the message() hook and check
> for specific state. As responder, when sending the last IKE_AUTH
> response the IKE_SA state is ESTABLISHED; on the initiator you may check
> for the presence of specific payloads in the message.
>
> Regards
> Martin
>
> [1]
> http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/bus/listeners/listener.h
>
>
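
Added example, not part of the original thread and not strongSwan code: a simplified model of IKE_AUTH with EAP (payload layout as in RFC 7296 section 2.16) showing that message ID 3 is the final request only when there is exactly one EAP round trip, while a check on payloads follows the variable exchange count. The `msg_t` type, the payload bits and the function names are hypothetical; CERT/notify payloads and RFC 4739 multiple authentication are left out.

```c
#include <stdbool.h>
#include <stdio.h>

/* Payload bits for a toy model of IKE_AUTH with EAP (RFC 7296 section 2.16).
 * Hypothetical types for illustration, not strongSwan's message_t API. */
enum { P_ID = 1, P_SA = 2, P_TS = 4, P_AUTH = 8, P_EAP = 16 };
enum { EAP_NONE, EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS };

typedef struct { int msg_id; bool request; int payloads; int eap_code; } msg_t;

/* Build the IKE_AUTH message flow for `rounds` EAP round trips.
 * Fills out[] in wire order and returns the number of messages. */
int build_flow(int rounds, msg_t *out)
{
    int n = 0, id = 1;                      /* IKE_SA_INIT used message ID 0 */
    out[n++] = (msg_t){ id, true, P_ID | P_SA | P_TS, EAP_NONE };
    out[n++] = (msg_t){ id++, false, P_ID | P_AUTH | P_EAP, EAP_REQUEST };
    for (int r = 1; r <= rounds; r++) {
        out[n++] = (msg_t){ id, true, P_EAP, EAP_RESPONSE };
        out[n++] = (msg_t){ id++, false, P_EAP,
                            r == rounds ? EAP_SUCCESS : EAP_REQUEST };
    }
    out[n++] = (msg_t){ id, true, P_AUTH, EAP_NONE };
    out[n++] = (msg_t){ id, false, P_AUTH | P_SA | P_TS, EAP_NONE };
    return n;
}

/* Payload-based check: the request carrying AUTH after an EAP-Success
 * response was seen is the last request before SA/TS payloads come back. */
int final_request_id(const msg_t *m, int n)
{
    bool eap_done = false;
    for (int i = 0; i < n; i++) {
        if (!m[i].request && (m[i].payloads & P_EAP) &&
            m[i].eap_code == EAP_SUCCESS)
            eap_done = true;
        if (m[i].request && eap_done && (m[i].payloads & P_AUTH))
            return m[i].msg_id;
    }
    return -1;                              /* exchange not yet at that point */
}

int main(void)
{
    msg_t flow[64];
    for (int rounds = 1; rounds <= 4; rounds++) {
        int n = build_flow(rounds, flow);
        printf("EAP round trips=%d -> final IKE_AUTH request ID %d\n",
               rounds, final_request_id(flow, n));
    }
    return 0;
}
```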