Hi Patricia,

> it seems that some packets leave the tunnel during the handover
> process.

I just checked in some changes to fix this problem [1]. These changes will be included in the upcoming 4.5.3 release.

The reason for the behavior you are observing is that charon, when it updates an IPsec SA, as caused by MOBIKE, first deletes and then re-adds the policies in the kernel. Within the short timeframe during which no matching policy is installed in the kernel, unencrypted packets could have been transmitted. To avert this, the existing policies are now replaced with DROP policies, which in turn get replaced with the new policies. The DROP policies effectively prevent any unencrypted packets from leaving (or entering) the host.

Regards,
Tobias

[1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=fbedc6a4
    http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=d7a59f19
    http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=f1c1965d

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
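The two update orders Tobias describes, modelled as an added example (this is not strongSwan code): a toy kernel policy table keyed by traffic selector and direction, the old delete-then-add sequence beside the fixed DROP-placeholder sequence, and a checker that reports every step after which a matching packet would leave in the clear. The selector, peer addresses and action names are constructed for the illustration.

```python
from dataclasses import dataclass

IPSEC, BLOCK = "ipsec", "block"   # constructed names for the two policy actions


@dataclass(frozen=True)
class Policy:
    action: str   # IPSEC: send through the SA template; BLOCK: drop the packet
    peer: str     # tunnel endpoint of the template (empty for BLOCK)


class PolicyTable:
    """Toy kernel policy table keyed by (selector, direction)."""

    def __init__(self):
        self.entries = {}

    def add(self, key, policy):
        if key in self.entries:
            raise KeyError(f"policy for {key} already installed")
        self.entries[key] = policy

    def delete(self, key, _policy=None):
        del self.entries[key]

    def update(self, key, policy):
        self.entries[key] = policy      # replace in place: no moment without a policy

    def fate(self, key):
        """What happens right now to a packet matching `key`."""
        pol = self.entries.get(key)
        if pol is None:
            return "plaintext"          # no policy at all: packet leaves unprotected
        return "dropped" if pol.action == BLOCK else f"protected via {pol.peer}"


def delete_then_add(key, new_peer):
    """Old charon behaviour: delete the stale policy, then add the new one."""
    return [("delete", key, None), ("add", key, Policy(IPSEC, new_peer))]


def drop_placeholder(key, new_peer):
    """Fixed behaviour: swap in a DROP policy, then replace it with the new one."""
    return [("update", key, Policy(BLOCK, "")), ("update", key, Policy(IPSEC, new_peer))]


def leak_steps(table, key, ops):
    """Apply ops in order; return step indices after which traffic would go out unencrypted."""
    return [i for i, (verb, k, pol) in enumerate(ops)
            if (getattr(table, verb)(k, pol), table.fate(key))[1] == "plaintext"]


def simulate(strategy, old_peer="198.51.100.1", new_peer="203.0.113.7"):
    """Install the pre-handover policy, run one MOBIKE update, report leaks and final fate."""
    key = ("10.0.0.0/24 -> 10.1.0.0/24", "out")   # constructed traffic selector
    table = PolicyTable()
    table.add(key, Policy(IPSEC, old_peer))
    return leak_steps(table, key, strategy(key, new_peer)), table.fate(key)
```

Running `simulate(delete_then_add)` reports a leak window after step 0, while `simulate(drop_placeholder)` reports none; both end with the selector protected via the new peer.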