Hello Patricia, release candidate 2 is available which includes Tobias' patches:
http://download.strongswan.org/strongswan-4.5.3rc2.tar.bz2

Regards

Andreas

On 07/28/2011 05:49 PM, Tobias Brunner wrote:
> Hi Patricia,
>
> > it seems that some packets leave the tunnel during the handover
> > process.
>
> I just checked in some changes to fix this problem [1]. These changes
> will be included in the upcoming 4.5.3 release.
>
> The reason for the behavior you are observing is that charon, when it
> updates an IPsec SA, as caused by MOBIKE, first deletes and then re-adds
> the policies in the kernel. Within the short timeframe during which no
> matching policy is installed in the kernel, unencrypted packets could
> have been transmitted. To avert this, the existing policies are now
> replaced with DROP policies, which in turn get replaced with the new
> policies. The DROP policies effectively prevent any unencrypted packets
> from leaving (or entering) the host.
>
> Regards,
> Tobias
>
> [1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=fbedc6a4
>     http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=d7a59f19
>     http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=f1c1965d

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
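
The update window described in the quoted message can be reproduced with a small model. This is an added example, not strongSwan code and not part of the original message; the single-slot policy table, the function names and the sample addresses are assumptions made for illustration.

```c
#include <stdio.h>

/* Simplified model (assumption, not strongSwan code): one outbound policy
 * slot for the tunnel's traffic selector. With no policy installed, nothing
 * protects or blocks a matching packet, so it leaves unencrypted. */
enum action { NO_POLICY, POLICY_DROP, POLICY_IPSEC };
enum verdict { SENT_CLEARTEXT, DROPPED, SENT_ESP };

struct spd_slot {
    enum action action;
    const char *tunnel_src;   /* outer address used for encapsulation */
};

static enum verdict route_packet(const struct spd_slot *s)
{
    if (s->action == POLICY_IPSEC)
        return SENT_ESP;
    return s->action == POLICY_DROP ? DROPPED : SENT_CLEARTEXT;
}

/* Apply each kernel update in order, send one packet after every update,
 * and count how many of those packets got the given verdict. */
static int count_verdicts(const enum action *steps, int n, enum verdict v)
{
    struct spd_slot slot = { POLICY_IPSEC, "192.0.2.10" };  /* constructed */
    int hits = 0;
    for (int i = 0; i < n; i++) {
        slot.action = steps[i];
        slot.tunnel_src = steps[i] == POLICY_IPSEC ? "198.51.100.7" : NULL;
        if (route_packet(&slot) == v)
            hits++;
    }
    return hits;
}

/* Before the fix: delete the policy, then re-add it with the new address. */
static const enum action delete_then_add[] = { NO_POLICY, POLICY_IPSEC };
/* After the fix: swap in a DROP policy, then replace it with the new one. */
static const enum action drop_then_replace[] = { POLICY_DROP, POLICY_IPSEC };
int leaks_delete_then_add(void)   { return count_verdicts(delete_then_add, 2, SENT_CLEARTEXT); }
int leaks_drop_then_replace(void) { return count_verdicts(drop_then_replace, 2, SENT_CLEARTEXT); }
int drops_drop_then_replace(void) { return count_verdicts(drop_then_replace, 2, DROPPED); }

int main(void)
{
    printf("delete then re-add: %d cleartext packet(s)\n", leaks_delete_then_add());
    printf("DROP then replace:  %d cleartext, %d dropped\n",
           leaks_drop_then_replace(), drops_drop_then_replace());
    return 0;
}
```

In this model the packet sent during the handover window is dropped instead of leaving unencrypted, which is the trade the DROP policies make.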