Greetings, Just plowed through RFC 4555 and 4621 for guidance. The spec says put the currently used address in the IP header and the rest as additional addresses. Thus excluding "me" in the additional_addresses list is correct.
But there is this sentence in RFC 4621, section 6.4: "To support NAT-T, the IP addresses of the received packet are considered as one address of the peer, even when they are not present in the list." It seems MOBIKE message processing needs to store the message's source IP address along with the other ADDITIONAL_IPV4_ADDRESS entries. Using ike_sa to "remember" this address separately is not safe. It requires code to add it to the additional_addresses list before it is overwritten by N(UPDATE_SA_ADDRESSES).

Regards,
Simon

________________________________

To verify this theory, we made the following change in ike_mobike.c:

------------------------------------------------------------
if (first)
{
    /* an ADDITIONAL_*_ADDRESS means replace, so flush once */
    this->ike_sa->remove_additional_addresses(this->ike_sa);
    first = FALSE;

    // Added code to seed the IP address in SA in the additional_address list
    host = this->ike_sa->get_other_host(this->ike_sa);
    host = host->clone(host);
    this->ike_sa->add_additional_address(this->ike_sa, host);
}
------------------------------------------------------------

After applying this change to a road warrior, it can switch back and forth between the 2 interfaces.

Questions:

1. Is there a reason why the peer IP address in the Security Association is not stored in the additional_address list?

2. Can anyone see potential problems with the code change above? Not sure if there may be situations when ike_sa->get_other_host() may not return the correct gateway address. The change tested OK in our lab though.

3. Another possibility is to change the gateway side to include "me" in the MOBIKE additional addresses. It is easier to upgrade one host than upgrading a fleet of 800 trucks. Similar to Question 1, is there a reason that "me" must be excluded from the MOBIKE additional addresses?

Thanks in advance for help.
Simon
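The RFC 4621 section 6.4 rule the post relies on, as an added stand-alone C model (not strongSwan code and not the patch above): a constructed peer_state_t stands in for the IKE_SA's peer addresses, and process_mobike_message() flushes the list on ADDITIONAL_*_ADDRESS, seeds the packet source into it before UPDATE_SA_ADDRESSES overwrites the current address, so a road warrior's previous and current addresses both stay known across a switch. The address strings and function names are assumptions made for this model.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define MAX_ADDRS 8
#define ADDR_LEN 46   /* enough for a textual IPv6 address */

/* Constructed model of the peer-address state kept per IKE_SA (not strongSwan's ike_sa_t). */
typedef struct {
    char other_host[ADDR_LEN];             /* peer address currently used in the IP header */
    char additional[MAX_ADDRS][ADDR_LEN];  /* peer's ADDITIONAL_*_ADDRESS list */
    int n_additional;
} peer_state_t;
static bool is_listed(const peer_state_t *s, const char *addr)
{
    for (int i = 0; i < s->n_additional; i++)
        if (strcmp(s->additional[i], addr) == 0)
            return true;
    return false;
}

/* True if addr is known for the peer: the current address or a listed one. */
bool peer_knows(const peer_state_t *s, const char *addr)
{
    return strcmp(s->other_host, addr) == 0 || is_listed(s, addr);
}

/* Append addr unless already listed; false when the list is full. */
static bool add_additional(peer_state_t *s, const char *addr)
{
    if (is_listed(s, addr))
        return true;
    if (s->n_additional >= MAX_ADDRS)
        return false;
    snprintf(s->additional[s->n_additional++], ADDR_LEN, "%s", addr);
    return true;
}

/* Process one MOBIKE message from src: the n ADDITIONAL_*_ADDRESS notifies replace the stored
 * list, src itself counts as a peer address (RFC 4621 6.4), and UPDATE_SA_ADDRESSES moves the SA. */
bool process_mobike_message(peer_state_t *s, const char *src,
                            const char *const *notifies, int n, bool update_sa_addresses)
{
    bool ok = true;
    if (n > 0)
        s->n_additional = 0;   /* an ADDITIONAL_*_ADDRESS means replace, so flush once */
    for (int i = 0; i < n; i++)
        ok = add_additional(s, notifies[i]) && ok;
    ok = add_additional(s, src) && ok;   /* seed src before the SA address is overwritten */
    if (update_sa_addresses)
        snprintf(s->other_host, ADDR_LEN, "%s", src);
    return ok;
}
```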
_______________________________________________ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users