On 20 March 2018 at 12:39, Paul Wouters <[email protected]> wrote:
> On Tue, 20 Mar 2018, Andrew Cagney wrote:
>
>> Here, the responder accepted the AUTH request but rejected the
>> attached CHILD SA request (hopefully it still replied with its own
>> AUTH credentials, I'm not sure, but if we're deleting the IKE SA it
>> isn't critical).
>
> It should keep the IKE SA and return NO_PROPOSAL_CHOSEN ?

Yes, it should. Pluto as the responder gets it half right. It:

- keeps the IKE SA around
- sends back NO_PROPOSAL_CHOSEN

but (more digging, ikev2-algo-sha2-05):

- it doesn't send back its own credentials (they get written to the
  output PBS, but then that gets reset before sending the failure)

Pluto as the initiator currently gives up. (in the past it would
ignore the response completely).

> And delete any child sa state if it had already created it (but prob
> not)
>
> Paul

_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
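The reply shapes discussed in this thread, as an added example that is not part of the original message and is not libreswan code: a checker that walks the decrypted payload chain of an IKE_AUTH response and separates "IKE SA up, CHILD SA rejected" (IDr + AUTH + N(NO_PROPOSAL_CHOSEN)) from a notification sent without the responder's credentials. The function name, result names and sample bytes are hypothetical, and it is an assumption that the faulty reply carries the notification but neither IDr nor AUTH; payload and notify numbers are those of RFC 7296.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Payload types and notify number from RFC 7296. */
enum { PL_SA = 33, PL_IDR = 36, PL_AUTH = 39, PL_NOTIFY = 41 };
enum { N_NO_PROPOSAL_CHOSEN = 14 };
enum auth_reply { R_MALFORMED, R_IKE_AND_CHILD_UP, R_IKE_UP_CHILD_REJECTED,
                  R_NOTIFY_WITHOUT_CREDS, R_OTHER };

/* Constructed sample: IDr, AUTH (placeholder bytes), N(NO_PROPOSAL_CHOSEN). */
static const uint8_t sample[] = {
    39, 0, 0, 12,  1, 0, 0, 0,  192, 0, 2, 1,            /* IDr, next=AUTH */
    41, 0, 0, 12,  2, 0, 0, 0,  0xaa, 0xaa, 0xaa, 0xaa,  /* AUTH, next=N */
     0, 0, 0, 8,   0, 0, 0, 14,                          /* N, last payload */
};

/* first is the Next Payload value of the enclosing SK payload; p/len is the
 * decrypted payload chain. Each payload: next(1) flags(1) length(2, BE). */
enum auth_reply classify_auth_reply(uint8_t first, const uint8_t *p, size_t len)
{
    int idr = 0, auth = 0, sa = 0, npc = 0;
    for (uint8_t type = first; type != 0; ) {
        if (len < 4) return R_MALFORMED;
        size_t plen = ((size_t)p[2] << 8) | p[3];
        if (plen < 4 || plen > len) return R_MALFORMED;
        if (type == PL_IDR) idr = 1;
        else if (type == PL_AUTH) auth = 1;
        else if (type == PL_SA) sa = 1;
        else if (type == PL_NOTIFY) {
            if (plen < 8) return R_MALFORMED;   /* proto, SPI size, type */
            if (((p[6] << 8) | p[7]) == N_NO_PROPOSAL_CHOSEN) npc = 1;
        }
        type = p[0];
        p += plen;
        len -= plen;
    }
    if (len != 0) return R_MALFORMED;           /* bytes after last payload */
    if (idr && auth && sa && !npc) return R_IKE_AND_CHILD_UP;
    if (idr && auth && npc && !sa) return R_IKE_UP_CHILD_REJECTED;
    if (npc && !idr && !auth) return R_NOTIFY_WITHOUT_CREDS;
    return R_OTHER;
}

int main(void)
{
    printf("%d %d\n", classify_auth_reply(PL_IDR, sample, sizeof sample),
           classify_auth_reply(PL_NOTIFY, sample + 24, 8));
    return 0;
}
```

An initiator can only authenticate the peer and keep the IKE SA in the R_IKE_UP_CHILD_REJECTED case; R_NOTIFY_WITHOUT_CREDS is the shape a regression test would flag.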
