On Thu, 17 Mar 2016, Valery Smyslov wrote:

 I see. That is true. Some possible solutions to this:

 1) Initiator can always send a DPD probe after 3s to confirm the IKE SA.

Sure.

 2) Initiator waits a few seconds and checks if the IPsec SA received
    incoming traffic, as something should have triggered the IKE SA.
    If not, either tear down the IKE SA or do 1)

No, it'll work differently. To have an IPsec SA the initiator must initiate Quick Mode
right after Phase I is completed. And the Quick Mode will fail since
the responder didn't complete the Aggressive Mode exchange.

Ah right, this isn't IKEv2. So Quick Mode will fail, and the initiator
should abort the IKE SA and retry. Currently we probably assume the
IKE SA succeeded. We also no longer have a copy of the AggrOutI2 packet
because we replaced it with the QuickOutI1 packet.

The problem with IKEv1 is that if the responder never retransmits
in Aggressive (and Quick) Mode, then the protocol becomes intolerant
of a single packet loss, which makes it very unreliable. And it can't be solved.

Yes, but we are only interested in suppressing the retransmit of that
first packet. After that the initiator has proven it is not a spoofed
victim IP.

Paul
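A constructed simulation of the exchange discussed in this thread (added here; it is not libreswan code and not anything the posters wrote): the responder either retransmits AggrR1 while AggrI2 is missing or suppresses that retransmit, and the initiator either keeps assuming the IKE SA is up or tears it down and retries once Quick Mode fails. The AggrR1 size and the responder silently dropping a QuickI1 for an unknown ISAKMP SA are assumptions.

```python
# Constructed model (not libreswan code) of the IKEv1 Aggressive Mode exchange in
# this thread: AggrI1 -> AggrR1 -> AggrI2, then Quick Mode over the new ISAKMP SA.
from dataclasses import dataclass
from typing import Optional
AGGR_R1_SIZE = 1200  # assumed size: AggrR1 carries SA, KE, Nonce, ID and auth payloads

@dataclass
class Responder:
    retransmit_aggr_r1: bool      # legacy behaviour: resend AggrR1 while AggrI2 is missing
    isakmp_sa_up: bool = False
    bytes_to_unverified: int = 0  # sent before AggrI2 proved the source is not spoofed

    def on_aggr_i1(self) -> str:
        self.isakmp_sa_up = False                 # fresh half-open state for this attempt
        self.bytes_to_unverified += AGGR_R1_SIZE
        return "AggrR1"

    def on_retransmit_timer(self) -> Optional[str]:
        if self.isakmp_sa_up or not self.retransmit_aggr_r1:
            return None                           # suppressed: one AggrR1 per AggrI1 only
        self.bytes_to_unverified += AGGR_R1_SIZE
        return "AggrR1"

    def on_aggr_i2(self) -> None:
        self.isakmp_sa_up = True                  # Phase 1 complete on the responder

    def on_quick_i1(self) -> Optional[str]:
        # Assumed: with no matching ISAKMP SA the responder drops QuickI1 (None).
        return "QuickR1" if self.isakmp_sa_up else None

def run_exchange(lose_first_aggr_i2: bool, responder_retransmits: bool,
                 abort_and_retry: bool, max_attempts: int = 2):
    """Return (quick_mode_ok, attempts, bytes the responder sent to an unverified source)."""
    resp = Responder(retransmit_aggr_r1=responder_retransmits)
    for attempt in range(1, max_attempts + 1):
        resp.on_aggr_i1()                                  # AggrI1 delivered, AggrR1 returned
        aggr_i2_delivered = not (lose_first_aggr_i2 and attempt == 1)  # at most one loss
        if aggr_i2_delivered:
            resp.on_aggr_i2()
        # Initiator has sent its last Phase 1 packet and already treats the IKE SA as up;
        # only a duplicate AggrR1 from a legacy responder would make it resend AggrI2.
        elif resp.on_retransmit_timer() == "AggrR1":
            resp.on_aggr_i2()
        if resp.on_quick_i1() == "QuickR1":
            return True, attempt, resp.bytes_to_unverified
        if not abort_and_retry:
            break                                 # initiator keeps assuming the SA succeeded
        # Quick Mode failed: tear down the IKE SA and start Aggressive Mode over.
    return False, attempt, resp.bytes_to_unverified
```

Suppressing the retransmit caps the responder at one AggrR1 per AggrI1, so recovery from a lost AggrI2 has to come from the initiator side: in the model that is the abort-and-retry path, and without it the initiator is left holding an IKE SA the responder never finished.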
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev