At this point the initiator has completed the exchange and has a working IKE SA.
However, since AggOutI2 is lost, the responder doesn't have an IKE SA yet.
Since the initiator has a ready IKE SA, it has no reason to retransmit AggOutI2.
The only way the responder can force the initiator to retransmit AggOutI2 is
to retransmit AggrOutR1:
AggrOutI1 --->
<---- AggrOutR1
AggOutI2 ---> X
<---- AggrOutR1
AggOutI2 --->
I see. That is true. Some possible solutions to this:
1) Initiator can always send a DPD probe after 3s to confirm the IKE SA.
Sure.
2) Initiator waits a few seconds and checks if the IPsec SA received
incoming traffic, as something should have triggered the IKE SA.
If not, either tear down the IKE SA or do 1)
No, it'll work differently. To have an IPsec SA the initiator must initiate Quick
Mode right after Phase I is completed. And Quick Mode will fail since
the responder didn't complete the Aggressive Mode exchange.
But these workarounds just solve the "black hole" problem, so they
allow the initiator to detect that the responder doesn't have an IKE SA.
At some point it'll become evident to the initiator in any case, even
without DPD etc.
The problem with IKEv1 is that if the responder never retransmits
in Aggressive (and Quick) Mode, then the protocol becomes intolerant
of a single packet loss, which makes it very unreliable. And it can't be solved.
Paul
Regards,
Valery.
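A small model of the exchange discussed in this thread, added here as an example (it is not code from the thread or from libreswan): it replays the three Aggressive Mode messages, optionally drops the first AggOutI2, and shows that only a responder retransmission of AggrOutR1 gets the responder its IKE SA, while the initiator's half-open SA alone cannot carry Quick Mode. Message names follow the thread; crypto, timers and wire format are abstracted away.

```python
# Toy model of IKEv1 Aggressive Mode under loss of the third message (AggOutI2).
# Constructed for illustration: message names follow the thread; no real
# crypto, retransmit timers or wire format are modelled.

def aggressive_mode(drop_i2_once, responder_retransmits, max_rounds=4):
    """Replay the exchange. Returns (initiator_has_sa, responder_has_sa, transcript)."""
    init_sa = resp_sa = False
    transcript = ["AggrOutI1 --->"]           # message 1: SA, KE, Ni, IDii
    drops_left = 1 if drop_i2_once else 0
    for _ in range(max_rounds):
        transcript.append("<---- AggrOutR1")  # message 2: completes the initiator side
        init_sa = True                        # initiator now has a working IKE SA
        # Message 3 is sent only in reaction to AggrOutR1. Once init_sa is True the
        # initiator has nothing left to wait for, so it never retransmits on its own.
        if drops_left:
            drops_left -= 1
            transcript.append("AggOutI2 ---> X")   # lost on the wire
        else:
            transcript.append("AggOutI2 --->")
            resp_sa = True                    # responder finally completes Phase I
            break
        if not responder_retransmits:
            break                             # responder waits silently: "black hole"
    return init_sa, resp_sa, transcript


def quick_mode_succeeds(init_sa, resp_sa):
    """Phase 2 (Quick Mode) needs the IKE SA on both sides; with a half-open SA the
    responder cannot process the initiator's messages, so the exchange fails. A DPD
    probe (workaround 1 in the thread) exposes the same condition."""
    return init_sa and resp_sa


if __name__ == "__main__":
    for drop, rtx in [(False, False), (True, False), (True, True)]:
        i, r, t = aggressive_mode(drop, rtx)
        print(f"drop_i2={drop} responder_retransmits={rtx}:")
        print("  " + "\n  ".join(t))
        print(f"  initiator SA={i} responder SA={r} quick_mode_ok={quick_mode_succeeds(i, r)}")
```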
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev