[strongSwan] [strongSwan-dev] need for calling TASK_IKE_CONFIG before TASK_CHILD_CREATE in task_manager_v2.c
Martin Willi
martin at strongswan.org
Thu Mar 5 10:25:53 CET 2015
Hi,
> What is the need for activating the TASK_IKE_CONFIG before
> TASK_CHILD_CREATE?
While these tasks get executed during the same exchange(s) with an
IKE_AUTH piggybacked CHILD_SA, the order is still important. If a
virtual IP is negotiated, this must be done beforehand. The CHILD_SA
IPsec policy usually depends on/derives from that virtual IP, as the tunnel
usually is negotiated explicitly to the assigned IP.
> Logically IP address assignment should succeed TASK_CHILD_CREATE.
No, that won't work in strongSwan. CHILD_SA setup depends on the virtual
IP to install IPsec policies and associated routing entries.
Regards
Martin
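
As an added illustration (not part of the original message or the strongSwan sources), this swanctl.conf fragment shows where the dependency surfaces in configuration: the client requests a virtual IP with `vips`, and the child's `dynamic` traffic selector is replaced by that address once it has been assigned. The connection name, child name and gateway hostname are constructed placeholders.

```conf
# Constructed client-side example; names and hostname are placeholders.
connections {
    roadwarrior {
        remote_addrs = vpn.example.org

        # Ask the gateway for any IPv4 virtual IP. The request and the
        # reply travel as a configuration payload in IKE_AUTH.
        vips = 0.0.0.0

        children {
            tunnel {
                # "dynamic" (also the default) is replaced by the
                # negotiated virtual IP, or by the tunnel outer address
                # if no virtual IP was negotiated. The CHILD_SA policy
                # and routes are therefore built from the assigned
                # address, so it has to be known first.
                local_ts = dynamic
                remote_ts = 0.0.0.0/0
            }
        }
    }
}
```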