On Wed, Dec 22, 2010 at 09:22:27AM -0700, Mike Belopuhov wrote:
> CVSROOT: /cvs
> Module name: src
> Changes by: mi...@cvs.openbsd.org 2010/12/22 09:22:27
>
> Modified files:
> sbin/iked : config.c iked.conf.5 iked.h ikev2.c ikev2_msg.c
> ikev2_pld.c parse.y pfkey.c policy.c types.h
>
> Log message:
> child sa rekeying revamp plus numerous bugfixes;
> with suggestions and OK from reyk
>
This is a short commit message for a big and important diff from Mike. It actually implements proper rekeying in all directions (responder and initiator), fixes additional Child SA handling, some generic IKEv2 message handling, ...

iked will also listen for PFKEYv2 messages from the kernel now that will indicate that an in-kernel Child SA has been expired, by lifetime or byte limit, and needs to be rekeyed.

See the iked.conf(5) manpage for the new per-policy "lifetime" config directive.

reyk