On Mon, 4 Jul 2016 12:57:26 -0400 (EDT) Paul Wouters <[email protected]> wrote:
> On Sat, 2 Jul 2016, Paul Wouters wrote: > > >> Clearly we should be consistent independent of IKE version. > >> > >> It all depends on what the meaning of auto=add with an ipsec auto > >> --up really means. Is this the same as "auto=start" meaning > >> "always try to keep this up"? If so, if the other end sends a > >> delete, shouldn't we immediately establish a new IKE SA, instead > >> of waiting one minute? > >> > >> And if the auto=add side sends an ipsec auto --down, does that > >> mean it will accept a request to immediately go up? That would > >> also be weird. > >> > >> > >> So, I'm open for input :) > > Which I still am, because I think we should not wait 60s before we > start trying again when we are configured to be "always up". To work correctly we'd need to know if we had auto=start/route or "ipsec auto --start". We don't really know that. But I think we should really use our initiator/responder role to decide our behaviour. If we are initiator and responder ends sends us delete SA we should start immediate renegotiation. If we are responder and initiator end sends delete SA we should just delete state. Does that sound reasonable? And we need to behave exactly same for both ikev1 and ikev2. -- Tuomo Soini <[email protected]> Foobar Linux services +358 40 5240030 Foobar Oy <http://foobar.fi/> _______________________________________________ Swan-dev mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan-dev
