New commits:
commit eff956c18d79c9284c6f5a0d87899e8f56aef461
Author: Andrew Cagney <[email protected]>
Date: Fri Jan 12 11:52:39 2024 -0500
CHANGES: IKEv2: when non-MOBIKE never update NATed endpoint
[#1492/Wofferl/Andrew]
commit 384c4667bc3760b2307964ffae7c163fe8e67a02
Author: Andrew Cagney <[email protected]>
Date: Fri Jan 12 11:38:10 2024 -0500
ikev2: disable non-MOBIKE NAT endpoint updates
The idea is for an IKE SA that receives an authenticated packet
from its NATed peer, but with a new address, should update
the peer's address as, presumably, NAT updated things.
The feature was only half implemented:
- IKE SA's endpoint was updated
- IPsec kernel state/policy endpoints were left unchanged
The result was an IKE SA thinking all was good when no actual traffic could
flow.
see:
IKEv2 liveness does not work with IP change #1492
where @wofferl explains the problem
implement IKEv2's non-MOBIKE NAT port/address updates #1529
_______________________________________________
Swan-commit mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-commit