Hi Martin,

1. I was going through the update SA code, I figured out that the
replay data for an SA is fetched separately from the other SA data,
however, while adding the updated SA, the replay value is sent with other
entries. What is the reason for this discrepancy?

2. We did not find the query_sa function called from any place in the
code, is this function redundant?

3. Once IKE stack detects that it is behind NAT, does it still accept
packets at port 500?


It would be very helpful if you could answer these queries.

Thanks in advance,
Vivek


On 7/7/09, Martin Willi <mar...@strongswan.org> wrote:
> Hi,
>
>> 1. Is it the only mechanism through which the CHILD_SAs can be created
>> ( i.e through the acquire function, trigger coming from the kernel
>> based on policies installed )
>>
>> 2. The function also mentioned that the IKE_SA creation can also be
>> triggered through the acquire function sometimes. What are the
>> scenarios under which the IKE_SA creation can be triggered from the
>> kernel?
>
> There are two ways to create a CHILD_SA (and an IKE_SA if none exists
> with that peer):
>
> - Using explicit initiation: Issuing "ipsec up" or adding the auto=start
>   keyword to an ipsec.conf connection initiates a connection using the
>   given configuration. The tunnel gets established and SPD and SAD
>   entries are added to the kernel.
>
> - Installing a triggering policy: Issuing "ipsec route" or adding the
>   auto=route keyword to an ipsec.conf connection installs the policy (SPD)
>   in the kernel. No tunnel is negotiated. As soon as the kernel
>   processes traffic matching the policy, it sends an acquire() to the
>   daemon. The daemon negotiates IKE- and CHILD_SAs and adds SAD entries
>   to the kernel.
>
> Regards
> Martin
>
>
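An added ipsec.conf fragment, not from this thread, showing the two initiation mechanisms Martin describes side by side for one peer; the addresses, subnets and connection names are constructed placeholders, and the PSK would live in ipsec.secrets (not shown).

```conf
# Added example (not from the thread). Addresses and subnets are placeholders.
config setup

conn %default
        keyexchange=ikev2
        left=192.0.2.1             # our own address (placeholder)
        leftsubnet=10.1.0.0/16
        right=198.51.100.1         # peer address (placeholder)
        authby=secret              # PSK configured in ipsec.secrets (not shown)

# Explicit initiation: negotiated when the daemon starts (or on "ipsec up explicit").
# IKE_SA and CHILD_SA are established right away, and both the SPD policy and the
# SAD entries are installed in the kernel before any traffic flows.
conn explicit
        rightsubnet=10.2.0.0/16
        auto=start

# Triggering policy: only the SPD policy is installed (same as "ipsec route ondemand").
# No SA exists until the kernel sees a packet matching 10.1.0.0/16 <-> 10.3.0.0/16 and
# sends acquire() to the daemon, which then negotiates the IKE_SA (if none exists for
# this peer) and the CHILD_SA and adds the SAD entries. Until then the packet is held.
conn ondemand
        rightsubnet=10.3.0.0/16
        auto=route
```

With this loaded, `ipsec statusall` lists the explicit conn as an established SA, while the ondemand conn appears only under routed connections until matching traffic triggers the acquire.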
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users