I just pushed code to implement liveness probes using the retransmit timer. When retransmits time out:

- if the IKE SA hasn't established, it does a 'retry' using ipsecdoi_replace(st, try)
- else, presumably the IKE SA is established, and it calls liveness_action(); I suspect this doesn't handle multiple children, and know it won't handle an IKE exchange timing out (there's also add_revival(), but I'm not sure if that applies here? And there's pending ...)

So my question is what should happen?

- are the established and not established paths really that different (for instance an established IKE SA may have an incomplete CHILD SA)
- do established CHILD SAs linger so that the IPsec connection is 'up' (even though evidence suggests it is dead)
- and I have to wonder what the difference between replace and pending is
_______________________________________________ Swan-dev mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan-dev
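To make the two time-out paths in the post concrete, here is an added model in C; it is not libreswan code and not the poster's patch. It assumes a hypothetical IKE SA structure holding several CHILD SAs, a made-up retry budget (MAX_TRIES), and two stand-in functions that only echo the names ipsecdoi_replace() and liveness_action() from the post. The point it demonstrates is the one the poster worries about: when the established path decides the peer is dead, every child (established or still negotiating) has to be torn down, so no CHILD SA keeps reporting the tunnel as 'up', and the not-established path must bound its retries.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of the two retransmit time-out paths described in the
 * post. Added illustration only: not libreswan code, and every name below is
 * made up except where it echoes the post (ipsecdoi_replace, liveness_action). */

#define MAX_CHILDREN 4
#define MAX_TRIES 3   /* assumed retry budget for the initial exchange */

enum sa_state { SA_NEGOTIATING, SA_ESTABLISHED, SA_DEAD };

struct child_sa {
    enum sa_state state;
    bool torn_down;   /* kernel state removed, so the child cannot "linger" */
};

struct ike_sa {
    enum sa_state state;
    unsigned tries;   /* attempts already spent on the initial exchange */
    unsigned nchildren;
    struct child_sa children[MAX_CHILDREN];
};

enum timeout_outcome { OUTCOME_RETRY, OUTCOME_GIVE_UP, OUTCOME_LIVENESS_DEAD };

/* Not-established path, standing in for ipsecdoi_replace(st, try). The try
 * counter is bounded so a peer that never answers cannot keep us retrying. */
static bool retry_initial_exchange(struct ike_sa *ike, unsigned try)
{
    if (try > MAX_TRIES)
        return false;
    ike->tries = try;
    return true;
}

/* Established path, standing in for liveness_action(). A dead IKE SA takes
 * every CHILD SA with it, established or still negotiating, so nothing is
 * left claiming the connection is up. Returns how many children were torn down. */
static unsigned liveness_peer_dead(struct ike_sa *ike)
{
    unsigned torn = 0;
    for (unsigned i = 0; i < ike->nchildren; i++) {
        if (!ike->children[i].torn_down) {
            ike->children[i].torn_down = true;
            ike->children[i].state = SA_DEAD;
            torn++;
        }
    }
    ike->state = SA_DEAD;
    return torn;
}

/* Dispatch run when the retransmit timer expires for this IKE SA. */
enum timeout_outcome on_retransmit_timeout(struct ike_sa *ike)
{
    if (ike->state != SA_ESTABLISHED)
        return retry_initial_exchange(ike, ike->tries + 1)
               ? OUTCOME_RETRY : OUTCOME_GIVE_UP;
    liveness_peer_dead(ike);
    return OUTCOME_LIVENESS_DEAD;
}

/* True if any CHILD SA survived, i.e. the tunnel would still look "up". */
bool any_child_lingering(const struct ike_sa *ike)
{
    for (unsigned i = 0; i < ike->nchildren; i++)
        if (!ike->children[i].torn_down)
            return true;
    return false;
}

int main(void)
{
    /* Constructed sample: established IKE SA with one established child and
     * one child still negotiating. */
    struct ike_sa ike = { .state = SA_ESTABLISHED, .nchildren = 2,
        .children = { { SA_ESTABLISHED, false }, { SA_NEGOTIATING, false } } };
    enum timeout_outcome o = on_retransmit_timeout(&ike);
    printf("outcome=%d lingering=%d\n", o, any_child_lingering(&ike));
    return 0;
}
```

The model deliberately treats an incomplete CHILD SA under an established IKE SA on the established path: the parent's liveness verdict covers it, and it is torn down with the rest rather than being retried on its own.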
