Hi,

> 1. I was going through the update SA code, I figured out that the
> replay data for an SA is fetched separately from the other SA data,
> however, while adding the updated SA replay value is sent with other
> entries. What is the reason for this discrepancy.

That's due to a limitation of the XFRM API the kernel provides.
Unfortunately, the sequence numbers are not included in the response to
an XFRM_MSG_GETSA request. These are therefore fetched using a separate
XFRM_MSG_GETAE request. On the other hand, the kernel accepts the
sequence numbers as part of an XFRM_MSG_NEWSA or XFRM_MSG_UPDSA request.

> 2. We did not find the query_sa function called from any place in the
> code, is this function redundant.

It is and it was removed in 4.2.9.

> 3. Once IKE stack detects that it is behind NAT, does it still accept
> packets at port 500.

Yes.

Regards,
Tobias

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
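The asymmetry Tobias describes, shown in netlink message layout. This is an added example and not strongSwan's kernel_netlink_ipsec code: it packs an XFRM_MSG_GETAE request for one SA, parses the XFRMA_REPLAY_VAL attribute out of the XFRM_MSG_NEWAE answer, and packs the same attribute the way it is appended to an XFRM_MSG_NEWSA/UPDSA request. Message type and attribute numbers and the struct layouts (nlmsghdr, xfrm_usersa_id, xfrm_aevent_id, xfrm_replay_state) are taken from the Linux UAPI headers as the author remembers them; the reply is constructed in-process so the code runs offline, and only send_getae() touches a real kernel (Linux, root, existing SA).

```python
"""Build/parse the XFRM replay-state exchange: GETAE to read sequence numbers,
XFRMA_REPLAY_VAL to write them back with NEWSA/UPDSA.  Offline by default."""
import socket
import struct

# Constants from <linux/netlink.h> and <linux/xfrm.h> (assumed, not taken from the page)
NETLINK_XFRM = 6
NLM_F_REQUEST = 0x01
XFRM_MSG_UPDSA = 0x1a
XFRM_MSG_NEWAE = 0x1e          # the kernel answers GETAE with a NEWAE message
XFRM_MSG_GETAE = 0x1f
XFRMA_REPLAY_VAL = 10
XFRM_AE_RVAL = 2               # xfrm_aevent_id.flags: "I want the replay value"
IPPROTO_ESP = 50

NLMSG_HDR = struct.Struct("=IHHII")   # nlmsghdr: len, type, flags, seq, pid
NLATTR_HDR = struct.Struct("=HH")     # nlattr: len, type
REPLAY_STATE = struct.Struct("=III")  # xfrm_replay_state: oseq, seq, bitmap
AEVENT_ID_SIZE = 48                   # xfrm_aevent_id: usersa_id(24)+saddr(16)+flags+reqid


def _align4(n):
    return (n + 3) & ~3


def _addr(ip):
    """xfrm_address_t is a 16-byte union; an IPv4 address sits in the first 4 bytes."""
    fam = socket.AF_INET6 if ":" in ip else socket.AF_INET
    return socket.inet_pton(fam, ip).ljust(16, b"\0"), fam


def build_getae(dst, spi, proto=IPPROTO_ESP, seq=1):
    """XFRM_MSG_GETAE request identifying the SA by (daddr, spi, proto, family)."""
    daddr, fam = _addr(dst)
    # xfrm_usersa_id: daddr[16] + spi (network order) + family + proto + pad = 24 bytes
    sa_id = daddr + struct.pack(">I", spi) + struct.pack("=HBx", fam, proto)
    # saddr is not needed for the lookup and is left zeroed; reqid = 0
    aevent = sa_id + b"\0" * 16 + struct.pack("=II", XFRM_AE_RVAL, 0)
    hdr = NLMSG_HDR.pack(NLMSG_HDR.size + len(aevent), XFRM_MSG_GETAE,
                         NLM_F_REQUEST, seq, 0)
    return hdr + aevent


def parse_attrs(payload):
    """Walk a run of 4-byte-aligned nlattr TLVs, returning {type: value_bytes}."""
    attrs, off = {}, 0
    while off + NLATTR_HDR.size <= len(payload):
        nla_len, nla_type = NLATTR_HDR.unpack_from(payload, off)
        if nla_len < NLATTR_HDR.size or off + nla_len > len(payload):
            raise ValueError("malformed nlattr at offset %d" % off)
        attrs[nla_type] = payload[off + NLATTR_HDR.size:off + nla_len]
        off += _align4(nla_len)
    return attrs


def parse_ae_reply(msg):
    """(oseq, seq, bitmap) from an XFRM_MSG_NEWAE reply, or None when the kernel
    sent no XFRMA_REPLAY_VAL (an ESN SA reports XFRMA_REPLAY_ESN_VAL instead)."""
    nlmsg_len, nlmsg_type, _flags, _seq, _pid = NLMSG_HDR.unpack_from(msg, 0)
    if nlmsg_type != XFRM_MSG_NEWAE:
        raise ValueError("unexpected netlink message type 0x%x" % nlmsg_type)
    body = msg[NLMSG_HDR.size:nlmsg_len]
    attrs = parse_attrs(body[AEVENT_ID_SIZE:])   # attributes follow the fixed struct
    val = attrs.get(XFRMA_REPLAY_VAL)
    if val is None or len(val) != REPLAY_STATE.size:
        return None
    return REPLAY_STATE.unpack(val)


def replay_val_attr(oseq, seq, bitmap):
    """XFRMA_REPLAY_VAL attribute as appended to an XFRM_MSG_NEWSA/UPDSA request."""
    val = REPLAY_STATE.pack(oseq, seq, bitmap)
    return NLATTR_HDR.pack(NLATTR_HDR.size + len(val), XFRMA_REPLAY_VAL) + val


def constructed_newae_reply(dst, spi, oseq, seq, bitmap):
    """A NEWAE message shaped like the kernel's answer to GETAE (constructed for the demo)."""
    body = build_getae(dst, spi)[NLMSG_HDR.size:] + replay_val_attr(oseq, seq, bitmap)
    return NLMSG_HDR.pack(NLMSG_HDR.size + len(body), XFRM_MSG_NEWAE, 0, 1, 0) + body


def send_getae(dst, spi):
    """Linux/root only: query the running kernel for a real SA and parse the answer."""
    s = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_XFRM)
    try:
        s.send(build_getae(dst, spi))
        return parse_ae_reply(s.recv(65536))   # an NLMSG_ERROR here raises ValueError
    finally:
        s.close()


if __name__ == "__main__":
    reply = constructed_newae_reply("192.0.2.1", 0x1234abcd, 1000, 42, 0x7)
    print("replay state from NEWAE:", parse_ae_reply(reply))
    print("attribute for UPDSA:", replay_val_attr(1000, 42, 0x7).hex())
```

The `bitmap` field is the 32-bit anti-replay window, which is why a daemon that restores sequence numbers on UPDSA must also carry the window across, otherwise the kernel restarts the SA with an empty window. On a live system the same `parse_ae_reply` will also see kernels that answer with an NLMSG_ERROR when the SA is unknown; the example raises on that rather than guessing.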