On Wed, Feb 26, 2020 at 11:41:49PM +0100, Tobias Heider wrote:
> Due to the design of the IKEv2 protocol, the receiver does not
> know which policy the initiator tries to negotiate an SA for
> until the second exchange (IKE_AUTH). The IKE_AUTH request contains
> the ID payload which the responder uses to match a policy (and look up
> authentication keys).
> Until then, iked will fall back to the default policy and then update
> it later.
> The cryptographic proposal and key exchange on the other hand are
> negotiated in the first exchange (IKE_SA_INIT), when the responder
> does not know the initiator's ID and thus the actual policy.
>
> The attached diff adds an additional check to make sure that, when
> the policy changes in IKE_AUTH due to the ID belonging to a different
> policy, the negotiated SA's proposal is still compatible with the
> updated policy.

Yes, this makes sense to me.
Diff reads OK, although I'm no iked expert. I've been running with this diff on sparc64 the last few days, all my peers continue to work.
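To illustrate the check Tobias describes, here is an added example that is not iked's code: it models IKEv2 proposals as per-transform-type lists of alternatives and decides whether the SA negotiated in IKE_SA_INIT (under the default policy) is still acceptable under the policy selected by the ID in IKE_AUTH. Transform names, the policies and the negotiated SA are constructed sample data, and the hypothetical union_check shows why matching against the union of all proposals is not enough.

```python
# Added example, not iked's code. A policy is a list of proposals; each proposal
# maps a transform type to the alternatives it accepts. A negotiated SA holds
# exactly one transform per type. Compatibility means some single proposal of
# the new policy contains every chosen transform and offers exactly those types.
from typing import Dict, List

Proposal = Dict[str, List[str]]   # transform type -> accepted alternatives
NegotiatedSA = Dict[str, str]     # transform type -> chosen transform


def proposal_matches(sa: NegotiatedSA, proposal: Proposal) -> bool:
    # The SA must carry exactly the transform types of this proposal (e.g. an
    # AEAD proposal has no INTEGR) and each chosen value must be an alternative.
    if set(sa) != set(proposal):
        return False
    return all(sa[t] in proposal[t] for t in proposal)


def sa_compatible_with_policy(sa: NegotiatedSA, policy: List[Proposal]) -> bool:
    # The check the responder needs after switching policy in IKE_AUTH.
    return any(proposal_matches(sa, p) for p in policy)


def union_check(sa: NegotiatedSA, policy: List[Proposal]) -> bool:
    # Hypothetical naive variant: accepts any mix of transforms drawn from
    # different proposals, which a real policy never offered as one proposal.
    union: Dict[str, set] = {}
    for p in policy:
        for t, alts in p.items():
            union.setdefault(t, set()).update(alts)
    return all(t in union and v in union[t] for t, v in sa.items())


# Constructed sample policies (names resemble iked.conf transform names).
DEFAULT_POLICY = [
    {"ENCR": ["aes-256", "aes-128"], "PRF": ["hmac-sha2-256"],
     "INTEGR": ["hmac-sha2-256"], "DH": ["modp2048", "ecp256"]},
]
PEER_B_POLICY = [
    {"ENCR": ["aes-256-gcm"], "PRF": ["hmac-sha2-256"], "DH": ["ecp256"]},
    {"ENCR": ["aes-256"], "PRF": ["hmac-sha2-256"],
     "INTEGR": ["hmac-sha2-256"], "DH": ["ecp256"]},
]

# SA negotiated in IKE_SA_INIT against the default policy; once the IKE_AUTH ID
# selects PEER_B_POLICY, modp2048 is no longer allowed and IKE_AUTH must fail.
NEGOTIATED = {"ENCR": "aes-256", "PRF": "hmac-sha2-256",
              "INTEGR": "hmac-sha2-256", "DH": "modp2048"}

if __name__ == "__main__":
    print("default policy:", sa_compatible_with_policy(NEGOTIATED, DEFAULT_POLICY))
    print("peer B policy:", sa_compatible_with_policy(NEGOTIATED, PEER_B_POLICY))
```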
