On Mon, 8 Dec 2014, Matt Rogers wrote:

>> can you commit test as a wip? I am curious to see what is going on. I need the
>> same for IKEv2 and CREATE_CHILD_SA.
>
> Take a look at the conn_shared_ike branch that I pushed, it has a test and

I pushed the test case (not the code) into master.

> continuation of the patch. I was focusing on the IKEv1 side of this so there
> may be some implications for IKEv2 that I was not aware of, so it will need some
> more review and testing.
>
>> Have you tried A and B with different authby or with xauth? say one with rsa
>> and the other psk?
>
> This kind of setup doesn't seem to work initially, with IKEv1 at least. The
> reason being that on the responder, the last connection added to the host pair
> will end up answering the initiation, so if that is TUNNEL-C, it will accept the
> one auth method that TUNNEL-C is configured for.

This is similar to the connection switching bug triggered by:

conn base
        left=1.2.3.4
        right=5.6.7.8
        authby=secret

conn port555
        also=base
        leftprotoport=tcp/555
        rightprotoport=tcp/555
        esp=aes128-sha1

conn otherports
        also=base
        esp=aes256-sha1

This will also share the IKE SA, but then run into problems. I added
ikev1-connswitch-ports-01 as a test case for this (using netkey).

A similar test with ike= is even more confusing, because sharing the IKE
means contradicting the configuration, but I'm willing to write that
down as "operator error".

Paul
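The conflict Paul describes comes from several conns sharing one host pair (the same left/right) while disagreeing on settings that live at the IKE SA level (authby=, ike=), so only one of them can actually be honoured. The script below is an added example, not libreswan code or part of this thread: a minimal, hypothetical ipsec.conf conn parser that resolves also= inheritance, groups conns by host pair, and reports IKE-level keys whose values differ within a pair. The sample configuration is constructed from the snippet in the mail plus one extra conn (rsaconn, with authby=rsasig and ike=) added here to trigger the check; the real ipsec.conf grammar (config setup, %default, include) is not handled.

```python
# Added example (not libreswan's code): lint ipsec.conf-style conn sections for
# conns that share a host pair (left/right) but disagree on IKE-level settings.
import re
from collections import defaultdict

# Constructed sample: the conns from the mail plus "rsaconn", added here to
# show a conflicting authby= / ike= on the same host pair.
SAMPLE_CONF = """
conn base
        left=1.2.3.4
        right=5.6.7.8
        authby=secret

conn port555
        also=base
        leftprotoport=tcp/555
        rightprotoport=tcp/555
        esp=aes128-sha1

conn otherports
        also=base
        esp=aes256-sha1

conn rsaconn
        left=1.2.3.4
        right=5.6.7.8
        authby=rsasig
        ike=aes256-sha2
"""

# Keys that are negotiated once per IKE SA, so they must agree between conns
# that would share it. esp= is a child SA matter and is deliberately not listed.
IKE_LEVEL_KEYS = ("authby", "ike")


def parse_conns(text):
    """Return {conn_name: {key: value}} per 'conn' section, without also= expansion."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conns[current][key.strip()] = value.strip()
    return conns


def resolve(conns, name, seen=None):
    """Expand also= chains; a conn's own keys override those of the included conn."""
    seen = seen or set()
    if name in seen:
        raise ValueError(f"also= loop at {name}")
    seen = seen | {name}
    own = dict(conns[name])
    base_name = own.pop("also", None)
    merged = resolve(conns, base_name, seen) if base_name else {}
    merged.update(own)
    return merged


def find_ike_conflicts(text, skip_templates=True):
    """Group resolved conns by (left, right); return, per host pair, the
    IKE-level keys whose values differ across the conns sharing that pair."""
    raw = parse_conns(text)
    resolved = {n: resolve(raw, n) for n in raw}
    # Conns only referenced via also= are templates, not tunnels of their own.
    included = {c["also"] for c in raw.values() if "also" in c}
    by_pair = defaultdict(dict)
    for name, conf in resolved.items():
        if skip_templates and name in included:
            continue
        by_pair[(conf.get("left"), conf.get("right"))][name] = conf
    conflicts = {}
    for pair, members in by_pair.items():
        if len(members) < 2:
            continue
        for key in IKE_LEVEL_KEYS:
            values = {n: c.get(key) for n, c in members.items()}
            if len(set(values.values())) > 1:  # None means "default", still a mismatch
                conflicts.setdefault(pair, {})[key] = values
    return conflicts


if __name__ == "__main__":
    for (left, right), keys in find_ike_conflicts(SAMPLE_CONF).items():
        print(f"host pair {left} <-> {right} shares one IKE SA but conns disagree on:")
        for key, values in keys.items():
            for conn, value in values.items():
                print(f"  {key}= {conn}: {value}")
```

Run as-is it reports the authby= and ike= disagreement between rsaconn and the two secret-based conns; the three conns from the mail alone produce no report, because they differ only in esp=, which is exactly the child-SA-only case that still shares the IKE SA and runs into the connection-switching problem described above.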
_______________________________________________
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev
