On Fri, 25 Jan 2019, Paul Wouters wrote:
Now, the one thing that is wrong is that we should not delete #4 without
sending a notify - we are supposed to send a DELETE notify with
AUTHENTICATION_FAILED payload.
Right, this is a long-standing bug.
(as an aside the above should be blaming state #3, and not #4, for all
the auth problems)
Yes, and on top of it, it should just delete state #4. It has no more
chance of ever becoming a valid IPsec SA.
I pushed the change that schedules the immediate deletion of the partial
child state.
But you are right, the whack is not released properly, so the *-mismatch
tests still time out :/
Paul
_______________________________________________
Swan-dev mailing list
https://lists.libreswan.org/mailman/listinfo/swan-dev