On Wed, 16 Mar 2016, Valery Smyslov wrote:
[ on not sending retransmits in AggrOutR1 state ]
The "rest of exchange" is the most important thing here:
AggrOutI1 --->
<---- AggrOutR1
AggrOutI2 ---> X
At this point the initiator has completed the exchange and has a working IKE SA.
However, since AggrOutI2 is lost, the responder doesn't have an IKE SA yet.
Since the initiator has a ready IKE SA, it has no reason to retransmit AggrOutI2.
The only way the responder can force the initiator to retransmit AggrOutI2 is
to retransmit AggrOutR1:
AggrOutI1 --->
<---- AggrOutR1
AggrOutI2 ---> X
<---- AggrOutR1
AggrOutI2 --->
I see. That is true. Some possible solutions to this:
1) Initiator can always send a DPD probe after 3s to confirm the IKE SA.
2) Initiator waits a few seconds and checks if the IPsec SA received
incoming traffic, as something should have triggered the IKE SA.
If not, either tear down the IKE SA or do 1).
Paul
Swan-dev mailing list
https://lists.libreswan.org/mailman/listinfo/swan-dev
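The exchange discussed in the thread, as an added toy model (not code from the thread or from libreswan): an initiator that treats its IKE SA as established once it has sent I2, and a responder that retransmits R1 while it is still waiting for I2. State names follow the thread; the timer and retransmit handling are assumptions for illustration.

```python
# Added example, not code from the thread or from libreswan: a toy model of
# the Aggressive Mode exchange above with the third message (I2) lost.
# State names follow the thread; retransmit handling is an assumption.
from dataclasses import dataclass

@dataclass
class Initiator:
    state: str = "idle"

    def start(self):
        self.state = "AggrOutI1"
        return "AggrI1"

    def receive(self, msg):
        # Answer R1 with I2, first copy or retransmit; after I2 the SA is up.
        if msg == "AggrR1" and self.state in ("AggrOutI1", "established"):
            self.state = "established"
            return "AggrI2"
        return None

@dataclass
class Responder:
    state: str = "idle"
    r1_retransmits: int = 0

    def receive(self, msg):
        if msg == "AggrI1" and self.state == "idle":
            self.state = "AggrOutR1"
            return "AggrR1"
        if msg == "AggrI2" and self.state == "AggrOutR1":
            self.state = "established"
        return None

    def on_timer(self):
        # Still waiting for I2: retransmit R1 so the initiator resends I2.
        if self.state == "AggrOutR1":
            self.r1_retransmits += 1
            return "AggrR1"
        return None

def run(drop_first_i2, responder_retransmits_r1):
    # Returns (initiator state, responder state) after the exchange.
    init, resp = Initiator(), Responder()
    i2 = init.receive(resp.receive(init.start()))   # I1 -> R1 -> I2
    if not drop_first_i2:
        resp.receive(i2)
    if responder_retransmits_r1:
        r1_again = resp.on_timer()                  # None if I2 arrived
        if r1_again:
            resp.receive(init.receive(r1_again))    # retransmitted R1 -> I2
    return init.state, resp.state
```

Running `run(True, False)` reproduces the mismatch from the thread (initiator established, responder stuck in AggrOutR1); `run(True, True)` shows the R1 retransmit bringing both sides up.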