On Fri, 18 May 2018, Andrew Cagney wrote:

- I'm beginning to wonder if there's a race between whack --trafficstatus
  showing a connection being up and a connection being up?


I have never seen that.

Here's an example:

- whack --trafficstatus shows things up
- but the first of 4 ping packets goes into the weeds

 ping -n -c 4 -I 192.0.1.254 192.0.2.254
PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.
-64 bytes from 192.0.2.254: icmp_seq=1 ttl=64 time=0.XXX ms
64 bytes from 192.0.2.254: icmp_seq=2 ttl=64 time=0.XXX ms
64 bytes from 192.0.2.254: icmp_seq=3 ttl=64 time=0.XXX ms
64 bytes from 192.0.2.254: icmp_seq=4 ttl=64 time=0.XXX ms
--- 192.0.2.254 ping statistics ---
-4 packets transmitted, 4 received, 0% packet loss, time XXXX
+4 packets transmitted, 3 received, 25% packet loss, time XXXX
rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
west #
 ipsec whack --trafficstatus
-006 #4: "westnet-eastnet-auto", type=ESP, add_time=1234567890,
inBytes=336, outBytes=336, id='@east'
+006 #4: "westnet-eastnet-auto", type=ESP, add_time=1234567890,
inBytes=252, outBytes=252, id='@east'

It does show the first ping got sent before the IPsec SA was installed
properly, but the reporting of trafficstatus is correct. It shows
a little less inBytes/outBytes because one ping didn't go through
IPsec.

Maybe we only disagree about the description of the problem?
I do agree there is a race between installing the IPsec SA
and being able to use it. But I think trafficstatus works
correctly.

Paul
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
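
The byte accounting in the reply above can be checked mechanically. This is an added example, not code from the thread or from libreswan: it parses the failing side of the quoted output and tests whether the SA counters account for exactly the echoes that were answered. The function names are hypothetical, and it assumes each echo adds the 84-byte IP packet size to the counters, which matches the passing output (336 = 4 x 84).

```python
import re

# Constructed sample input, taken from the failing ("+") side of the test
# output quoted in this thread.
PING_OUTPUT = """\
PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.
4 packets transmitted, 3 received, 25% packet loss, time XXXX
"""
TRAFFICSTATUS = ('006 #4: "westnet-eastnet-auto", type=ESP, add_time=1234567890, '
                 "inBytes=252, outBytes=252, id='@east'")


def parse_ping(text):
    """Return (ip_packet_size, transmitted, received) from ping output."""
    size = int(re.search(r"\d+\((\d+)\) bytes of data", text).group(1))
    sent, recv = map(int, re.search(
        r"(\d+) packets transmitted, (\d+) received", text).groups())
    return size, sent, recv


def parse_trafficstatus(line):
    """Return the key=value fields of one trafficstatus line as a dict."""
    pairs = re.findall(r"(\w+)=('[^']*'|[^,\s]+)", line)
    return {key: value.strip("'") for key, value in pairs}


def account(ping_text, status_line):
    """Compare the SA byte counters with what ping sent and received."""
    size, sent, recv = parse_ping(ping_text)
    fields = parse_trafficstatus(status_line)
    # Assumption: every echo request/reply adds `size` bytes to the counters.
    out_pkts, out_rem = divmod(int(fields["outBytes"]), size)
    in_pkts, in_rem = divmod(int(fields["inBytes"]), size)
    return {
        "out_packets_via_sa": out_pkts,
        "in_packets_via_sa": in_pkts,
        "not_counted_by_sa": sent - out_pkts,
        "counters_match_replies": (out_rem == 0 and in_rem == 0
                                   and in_pkts == recv),
    }


if __name__ == "__main__":
    print(account(PING_OUTPUT, TRAFFICSTATUS))
```

For the failing run the counters cover three echoes in each direction and match the three replies ping received, leaving one request that the SA never counted.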
