On Wed, 16 Sep 2020, Antony Antony wrote:
> I had a quick look. IKEv1 needs an extra message (3 round trips) as opposed to IKEv2 (2 round trips). And the initiator is installing policies in a different order.
Yes, I mentioned this in the team email two days ago. That is indeed the source of the problem.
> The test outputs as they are now are confusing because they seem to be a copy of the IKEv2 outputs. Maybe create tests with eastnet-westnet, delete the IKEv2 output and update it with the broken IKEv1 output. That would make analysing it quicker.
I created copies of the IKEv2 tests for IKEv1. So whatever is tested for IKEv2 is tested for IKEv1. I can surely add a test case if it is missing for a subnet to subnet test for both IKEv1 and IKEv2 if that is missing.
> A better fix would be adding IKE pass policies, aka IKE holes, as XFRM policies. I suspect there are also ways to add routing policies instead of XFRM policies; that is possibly what Android is doing.
Creating XFRM holes is dangerous. There might be overlapping machines/connections (e.g. extrusion on the far side and related issues). Can you say a bit more about adding routing policies? That fix seems a better fit, as the problem right now is caused by routing to the interfaces?
> One thing that would help to add IKE policies is to use struct kernel_sa in netlink_raw_eroute(), the same as netlink_add_sa(). Now that KLIPS is gone we make this change, keeping the shunt code as it is.
What is wrong with the current method for IKE holes? I don't fully understand what you are saying here. Could you elaborate a bit more?

Paul

_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
