Adding to the list of functions that revive ...

On Mon, 27 Apr 2020 at 12:06, Andrew Cagney <[email protected]> wrote:
> I just pushed code to implement liveness probes using the retransmit
> timer. When retransmits time-out:
>
> - if the IKE SA hasn't established, it does a 'retry' using
> ipsecdoi_replace(st, try)
>
> - else, presumably the IKE SA is established, and it calls
> liveness_action(); I suspect this doesn't handle multiple children, and
> know it won't handle an IKE exchange timing out
>
> (there's also add_revival(), but I'm not sure if that applies here? And
> there's pending ...)
>
> So my question is what should happen?
>
> - are the established and not established paths really that different (for
> instance an established IKE SA may have an incomplete CHILD SA)
>
> - do established CHILD SAs linger so that the IPsec connection is 'up'
> (even though evidence suggests it is dead)
>
> - and I have to wonder what the difference between replace and pending is
>

- a rekey (the obvious next candidate for doing proper retransmits) calls v2_event_sa_replace()
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
