ikev1: Remove outbound policy of rekeyed CHILD_SA #1041
Conversation
Remove outbound policy of rekeyed CHILD_SA since only one policy is valid. Otherwise, during update-SA job (when NAT mapping changed), CHILD_SA are updated and installed one by one, leaving a window where old SAs are being used. There are also circumstances where the new SA is not processed last.
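The ordering problem described above, as an added toy model written for this page (it is not strongSwan code and does not use its API). The model keeps a list of CHILD_SAs with an outbound policy flag and a peer address; the assumptions are that an update-SA job rewrites the peer address of each SA one at a time in a given order, and that when several outbound policies match the same peer the most recently (re)installed one is selected. The SPIs, addresses and ports are constructed values.

```python
# Constructed toy model of the rekey / update-SA window described in the PR.
# Not strongSwan code: the SA list, the "most recently (re)installed policy
# wins" lookup rule and the step ordering are assumptions of this model.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ChildSA:
    spi: int
    peer: str          # peer address:port the kernel currently has for this SA
    outbound: bool     # an outbound policy is installed for this SA
    installed_at: int  # logical clock of the last (re)install


def select_outbound(sas: List[ChildSA], dst: str) -> Optional[ChildSA]:
    """Pick the outbound SA for traffic to dst: among SAs whose outbound
    policy matches, the most recently (re)installed one wins (assumption)."""
    candidates = [sa for sa in sas if sa.outbound and sa.peer == dst]
    if not candidates:
        return None
    return max(candidates, key=lambda sa: sa.installed_at)


def rekey(sas: List[ChildSA], old_spi: int, new_spi: int,
          remove_old_outbound: bool, clock: int) -> List[ChildSA]:
    """Rekey old_spi into new_spi. The old SA stays around to accept inbound
    packets; with remove_old_outbound its outbound policy is dropped."""
    out = []
    for sa in sas:
        if sa.spi == old_spi:
            out.append(ChildSA(sa.spi, sa.peer, not remove_old_outbound,
                               sa.installed_at))
            out.append(ChildSA(new_spi, sa.peer, True, clock))
        else:
            out.append(sa)
    return out


def update_sas(sas: List[ChildSA], new_peer: str, order: List[int],
               clock: int) -> List[Optional[int]]:
    """Simulate the update-SA job after a NAT mapping change: SAs are moved
    to new_peer one by one in the given SPI order. Returns the SPI chosen for
    outbound traffic to new_peer after each step (None = no matching SA)."""
    trace = []
    by_spi = {sa.spi: sa for sa in sas}
    for spi in order:
        sa = by_spi[spi]
        sa.peer = new_peer
        clock += 1
        sa.installed_at = clock
        chosen = select_outbound(sas, new_peer)
        trace.append(chosen.spi if chosen else None)
    return trace


def scenario(remove_old_outbound: bool, order: List[int]) -> List[Optional[int]]:
    """One rekeyed CHILD_SA (SPI 1 -> SPI 2), then a NAT port change."""
    sas = [ChildSA(spi=1, peer="198.51.100.1:4500", outbound=True, installed_at=1)]
    sas = rekey(sas, old_spi=1, new_spi=2,
                remove_old_outbound=remove_old_outbound, clock=2)
    return update_sas(sas, "198.51.100.1:4501", order, clock=2)


if __name__ == "__main__":
    # Old outbound policy kept, old SA updated first: the old SA carries
    # traffic until the new one is updated (the window the PR describes).
    print(scenario(False, [1, 2]))   # [1, 2]
    # Old outbound policy kept, new SA not processed last: traffic sticks
    # to the rekeyed SA.
    print(scenario(False, [2, 1]))   # [2, 1]
    # Old outbound policy removed: only the new SA is ever selected.
    print(scenario(True, [1, 2]))    # [None, 2]
    print(scenario(True, [2, 1]))    # [2, 2]
```

The two runs with the old outbound policy kept show both effects the PR description names: a window in which the rekeyed SA is used, and a case where it stays selected because the new SA was not processed last. Dropping the old outbound policy at rekey time leaves a single valid outbound policy, so the update order no longer matters.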
Thanks. Probably makes sense to remove the old outbound SA. We really only keep a rekeyed CHILD_SA around to process inbound packets in case the other peer decides to continue to use it until it expires.
What does that mean exactly? And what are these circumstances? Also, why are you still using IKEv1?
We've experienced one-way down session after reauth/rekey and remote IP change. After piping
We want to support connecting by username/password from OS built-in VPN clients, without configuring certificates.
Interesting. Looks like that's caused by this: `strongswan/src/libcharon/processing/jobs/adopt_children_job.c`, lines 215 to 219 at commit 7022fdc.
That should be
You mean with PSK? Please don't do that for roadwarrior connections. If the server certificate is issued by a trusted third-party CA (e.g. Let's Encrypt), you won't need to configure/install any certificates on the clients. And even if not, this shouldn't be a reason to continue to use a severely inferior protocol (especially for mobile clients, see e.g. MOBIKE).
Great.
Yes, PSK. We will consider getting a cert from a trusted CA. Thanks!