Dear Martin,
When the tunnel endpoint assigns us a virtual IP, can't we use this
virtual IP and proceed with child SA setup?
Why should IP address assignment to the interface happen first and then child SA
setup proceed? For the child SA to be set up, strongSwan's internal data structures
already have the virtual IP.
My understanding was that IP address assignment to the interface can happen later, after
the child SA is negotiated with the tunnel endpoint using the virtual IP stored in the
strongSwan internal data structures.
Please let me know your thoughts on this approach.
Thanks,
Ravikanth
> On Mar 5, 2015, at 4:25 AM, Martin Willi <[email protected]> wrote:
>
> Hi,
>
>> What is the need to activate TASK_IKE_CONFIG before
>> TASK_CHILD_CREATE?
>
> While these tasks get executed during the same exchange(s) with an
> IKE_AUTH piggybacked CHILD_SA, the order is still important. If a
> virtual IP is negotiated, this must be done beforehand. The CHILD_SA
> IPsec policy usually depends/derives from that virtual IP, as the tunnel
> usually is negotiated explicitly to the assigned IP.
>
>> Logically, IP address assignment should succeed TASK_CHILD_CREATE.
>
> No, that won't work in strongSwan. CHILD_SA setup depends on the virtual
> IP to install IPsec policies and associated routing entries.
>
> Regards
> Martin
>
_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev