Hi Philip,

1. How can I detect whether a LIST_SA is reporting an active or passive
IKE_SA (Child_SA) connection?

The IKE_SA should have state PASSIVE set on the passive host and state
ESTABLISHED on the active one.

2. Are the Child_SA byte and packet counters always set to zero for a
passive connection?

I guess that depends on the direction and on whether the kernel is
patched (see [1] for details). But they will definitely not be accurate.

Regards,
Tobias

[1] https://docs.strongswan.org/docs/5.9/features/highAvailability.html#_kernel_implementation