On Fri, 29 Jul 2016, Tuomo Soini wrote:

On Sat, 2 Jul 2016, Paul Wouters wrote:

Clearly we should be consistent independent of IKE version.

It all depends on what the meaning of auto=add with an ipsec auto
--up really means. Is this the same as "auto=start" meaning
"always try to keep this up"? If so, if the other end sends a
delete, shouldn't we immediately establish a new IKE SA, instead
of waiting one minute?

And if the auto=add side sends an ipsec auto --down, does that
mean it will accept a request to immediately go up? That would
also be weird.

So, I'm open for input :)

Which I still am, because I think we should not wait 60s before we
start trying again when we are configured to be "always up".

To work correctly we'd need to know if we had auto=start/route or
"ipsec auto --start". We don't really know that. But I think we should
really use our initiator/responder role to decide our behaviour. If we
are initiator and responder end sends us delete SA we should start
immediate renegotiation. If we are responder and initiator end sends
delete SA we should just delete state.

Does that sound reasonable? And we need to behave exactly the same for both
IKEv1 and IKEv2.

I think that is the behaviour I would expect, yes. And indeed, currently
the initial add versus add + up state change is not visible, so
currently we cannot make that distinction.

Paul
_______________________________________________
Swan-dev mailing list
https://lists.libreswan.org/mailman/listinfo/swan-dev