I've seen it only once. Normally what happens is:

- the state machine assigns the IKE_AUTH request's Message ID to the IKE SA
- the CHILD SA is created
- the IKE AUTH Message ID is switched to the child
- MD.ST is switched to the child
- a message is recorded
- the STF_OK (and STF_FAIL) sends the message; and at the same time checks all is consistent

However, here what happens is some variation on:

- the state machine assigns the IKE_AUTH request's Message ID to the IKE SA
- the CHILD SA is created
- the IKE AUTH Message ID is switched to the child
- something goes wrong and the OE code records AUTHENTICATION_FAILED and returns STF_FAIL

since MD.ST and the Message ID aren't consistent, there's a pexpect()

(a variation is switch both the Message ID and MD.ST, only for the error code to switch back MD.ST and delete the child ....)

The "fix" is to pair up the MD.ST and Message ID switching code - more shuffling ....

(however, all this shuffling seems wrong)