On Wed, 26 Aug 2015, D. Hugh Redelmeier wrote:

> | From: Paul Wouters <[email protected]>
> | It is not authenticated, but you can remember the payload and once the
> | connection has authenticated, you can kill the old one based on having
> | received the payload.
>
> No, because a man in the middle could have added the payload. If I
> remember correctly.

Note that we do not change behaviour based on setting initial-contact.
We only send it to make remote peers happy.
For us, we rely on uniqueid= and if it is set to yes (the default) then
we will kill the old SA regardless of initial-contact setting. If it is
set to no, we will _not_ kill it regardless of initial-contact setting.
Paul
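To make the rule in the message concrete, here is an added toy model (not libreswan code, and not from anyone in this thread) of a peer's SA table with the two events at issue: receipt of an INITIAL_CONTACT notify, which is unauthenticated and so must not delete anything, and completion of peer authentication, where the uniqueid setting alone decides whether an older SA for the same peer identity is torn down. The class and function names, the peer identity "@east" and the SA numbering are all constructed for the illustration.

```python
"""Toy model of the SA-replacement rule discussed above (added illustration,
not libreswan code).

Two events matter:
  * on_initial_contact: the notify arrived. It is not authenticated, so a
    man in the middle could have inserted it; we record it and act on nothing.
  * on_peer_authenticated: the IKE exchange has authenticated the peer. Now,
    and only now, the uniqueid setting decides whether older SAs for the same
    peer identity are deleted, regardless of whether INITIAL_CONTACT was seen.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class SA:
    sa_id: int
    peer_id: str                    # identity the peer will prove, e.g. "@east" (constructed)
    authenticated: bool = False
    initial_contact_seen: bool = False


@dataclass
class SADatabase:
    uniqueids: bool = True          # the message says "yes" is the default
    sas: Dict[int, SA] = field(default_factory=dict)
    deleted: List[int] = field(default_factory=list)
    _next_id: int = 1

    def new_sa(self, peer_id: str) -> SA:
        sa = SA(self._next_id, peer_id)
        self._next_id += 1
        self.sas[sa.sa_id] = sa
        return sa

    def on_initial_contact(self, sa_id: int) -> None:
        """Remember that the payload arrived, but delete nothing: it is not
        authenticated and could have been added in transit."""
        self.sas[sa_id].initial_contact_seen = True

    def on_peer_authenticated(self, sa_id: int) -> List[int]:
        """Peer authentication completed. If uniqueids is set, delete every
        other SA established with the same peer identity and return their
        ids; if not set, keep them all, whatever INITIAL_CONTACT said."""
        sa = self.sas[sa_id]
        sa.authenticated = True
        if not self.uniqueids:
            return []
        stale = [old.sa_id for old in self.sas.values()
                 if old.sa_id != sa_id and old.peer_id == sa.peer_id]
        for old_id in stale:
            del self.sas[old_id]
            self.deleted.append(old_id)
        return stale


def simulate(uniqueids: bool, send_initial_contact: bool) -> dict:
    """An authenticated SA with peer "@east" exists; the same peer reconnects.
    Returns which SA ids were deleted before and at authentication, and
    which SAs survive."""
    db = SADatabase(uniqueids=uniqueids)
    old = db.new_sa("@east")
    db.on_peer_authenticated(old.sa_id)     # first SA, nothing older to remove
    new = db.new_sa("@east")
    if send_initial_contact:
        db.on_initial_contact(new.sa_id)    # unauthenticated: no effect on the table
    deleted_before_auth = list(db.deleted)
    deleted_at_auth = db.on_peer_authenticated(new.sa_id)
    return {
        "deleted_before_auth": deleted_before_auth,
        "deleted_at_auth": deleted_at_auth,
        "surviving": sorted(db.sas),
    }


if __name__ == "__main__":
    for uid in (True, False):
        for ic in (True, False):
            print(f"uniqueids={uid!s:5} initial_contact={ic!s:5} -> {simulate(uid, ic)}")
```

Running it shows the four combinations: the old SA is removed exactly when uniqueids is on and the new peer has authenticated, and the INITIAL_CONTACT flag changes nothing in either direction.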
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev