Hi Stephen,

> Attached is a patch
> (0001-RFC-6311-IKEV2_MESSAGE_ID_SYNC-responder-support.patch) which
> adds minimal RFC 6311 to StrongSwan.

Pretty neat patch.  Thanks a lot.

There were some code style issues and other stuff that was incorrect or
not ideal.  I used parts of it and pushed a bunch of commits to the
mid-sync branch [1].  Would be great if you could test that code.

> The patch does not include support for
> IPSEC_REPLAY_COUNTER_SYNC_SUPPORTED, nor is there any support for
> StrongSwan initiating IKEV2_MESSAGE_ID_SYNC on StrongSwan HA failover.

I guess that's fine for now.  Since in our HA solution only one peer
handles the IKE messages the message IDs could get out of sync.  So
adding support for the HA cluster end of RFC 6311 would probably make
sense in the long run.


