On Wed, Aug 14, 2019 at 07:15:14PM +0200, Tobias Heider wrote: > Unfortunately as it turns out segfaulting is a common iked reaction to > invalid configurations (at least for invalid transforms), so what you found > is a rather systematic problem (and has been on my list of things to fix for > some time). If that's already on your list, feel free to beat me to it ;-)
> As to why those with [ESP only] trigger this behaviour: > [ESP only] means the transform type can only be used for ESP SAs > (meaning Child SAs), what you're specifying in ikesa is the IKE SA. > Try using AES-256-GCM in the childsa option and it will work as intended. That makes sense, yes. > Maybe we should also change the man page to make this clearer? I agree; writing down an iked.conf(5) initially to match a very specific endpoint, this detail was (easily) missed/skipped.
