Mark,

> I do find that checking that get_message_id(message) == 3 in build_i()
> is "just before" my initiator sends an IKE_AUTH level 3 message, which
> is what I want.

What's a "level 3" IKE_AUTH message?

> But is there any other (better) way of determining where I am in the
> IKE_AUTH message exchange?

There are many things to consider; IKE_AUTH may use an arbitrary number of exchanges, for example in EAP, but also with RFC 4739 Multiple Authentication.

> I don't think message_id 3 equates to IKE_AUTH phase 3.

What's IKE_AUTH "phase 3"? Message IDs are incremental in IKEv2, which means the first IKE_AUTH exchange uses message ID 1. But you can't determine the message ID of the last IKE_AUTH exchange, as the number of exchanges is variable.

> Basically, I'm trying to trigger on when it seems all hurdles have
> been cleared in the IKE_AUTH exchange and we're "just about" to conclude
> success (specifically, my initiator has received an EAP-challenge, has
> offered a result, and the responder has accepted that (so I'm over all of
> those hurdles), ... I then want to trigger something, before getting back
> the TSs etc.

There are a bunch of hooks in [1] that allow a listener to catch some of these events. If you just want to catch about-to-complete IKE_SAs, use the authorize() hook and act if the "final" flag is set. If you have to mangle traffic selectors, use the narrow() hook.

If none of these hooks works, you may use the message() hook and check for specific state. As responder, when sending the last IKE_AUTH response the IKE_SA state is ESTABLISHED; on the initiator you may check for the presence of specific payloads in the message.

Regards
Martin

[1] http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/bus/listeners/listener.h

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
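An added example, not code from Martin's reply or from strongSwan, of the payload-presence check suggested above for the initiator: it walks the IKEv2 payload chain of an IKE_AUTH response and reports the round that carries TSi/TSr (and no EAP), which is what "the exchange is complete" looks like on the wire regardless of the message ID. It assumes the SK payload has already been decrypted so the inner payloads form a plain chain (inside charon the message() hook hands you a message_t with payload accessors instead); both function names and the constructed messages are illustrative only.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* IKEv2 constants (RFC 7296): header size, exchange type, flag bit, payload types */
enum { IKE_HDR_LEN = 28, EXCH_IKE_AUTH = 35, FLAG_RESPONSE = 0x20 };
enum { PL_NONE = 0, PL_SA = 33, PL_AUTH = 39, PL_TSI = 44, PL_TSR = 45, PL_EAP = 48 };

/* Returns 1 if msg is an IKE_AUTH response carrying TSi and TSr and no EAP
 * payload (the round that completes the exchange), 0 for an earlier
 * IKE_AUTH round, -1 if malformed or not an IKE_AUTH response.
 * Simplification: the SK payload is assumed already decrypted, so the inner
 * payloads appear as a plain chain right after the 28-byte IKE header. */
int ike_auth_is_final(const uint8_t *msg, size_t len)
{
    if (len < IKE_HDR_LEN) return -1;
    if (msg[18] != EXCH_IKE_AUTH || !(msg[19] & FLAG_RESPONSE)) return -1;
    int tsi = 0, tsr = 0, eap = 0;
    uint8_t next = msg[16];               /* header's "next payload" */
    size_t off = IKE_HDR_LEN;
    while (next != PL_NONE) {
        if (off + 4 > len) return -1;     /* generic payload header: 4 bytes */
        uint16_t plen = (uint16_t)((msg[off + 2] << 8) | msg[off + 3]);
        if (plen < 4 || off + plen > len) return -1;
        if (next == PL_TSI) tsi = 1;
        else if (next == PL_TSR) tsr = 1;
        else if (next == PL_EAP) eap = 1;
        next = msg[off];                  /* chain to the following payload */
        off += plen;
    }
    return (tsi && tsr && !eap) ? 1 : 0;
}

/* Builds a minimal IKE_AUTH response (constructed test data: zero SPIs, empty
 * payload bodies) with the given message ID and payload chain; returns length. */
size_t build_ike_auth_response(uint8_t *buf, uint32_t msgid,
                               const uint8_t *types, size_t n)
{
    memset(buf, 0, IKE_HDR_LEN);
    buf[16] = n ? types[0] : PL_NONE;
    buf[17] = 0x20; buf[18] = EXCH_IKE_AUTH; buf[19] = FLAG_RESPONSE;  /* v2.0 */
    buf[20] = msgid >> 24; buf[21] = msgid >> 16; buf[22] = msgid >> 8; buf[23] = msgid;
    size_t off = IKE_HDR_LEN;
    for (size_t i = 0; i < n; i++, off += 4) {
        buf[off] = (i + 1 < n) ? types[i + 1] : PL_NONE;   /* next payload */
        buf[off + 1] = 0; buf[off + 2] = 0; buf[off + 3] = 4; /* length 4 */
    }
    buf[24] = off >> 24; buf[25] = off >> 16; buf[26] = off >> 8; buf[27] = off;
    return off;
}
```

An EAP round (message ID 1) and a completing round (AUTH, SA, TSi, TSr) with message ID 3 or 7 are told apart by payload content alone, which is the point of not keying on the message ID.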
