
List:       strongswan-announce
Subject:    Re: [strongSwan-dev] need for calling TASK_IKE_CONFIG before TASK_CHILD_CREATE in task_manager_v2.c
From:       Ravi Kanth Vanapalli <vvnrk.vanapalli () gmail ! com>
Date:       2015-03-06 22:46:01
Message-ID: CALyk9ews7WhcY8kYSAp_r0kPw5k4M2X_WZLUPOdtU2S7PM8XUQ () mail ! gmail ! com

Dear Martin,
  In the case of the strongSwan Android Market app, the IP address assignment and MTU
setting for the ipsec0 interface are handled by the Android framework VPN JNI
module. This will be after the IKE_SA and Child_SA are set up.
  Could you please give more details on how the configuration setup in the
strongSwan Android Market app is different?

Regards,
Ravikanth

On Thu, Mar 5, 2015 at 8:54 AM, Martin Willi <martin@strongswan.org> wrote:

>
> > My understanding was ip address assignment to interface can happen
> > later after child SA is negotiated with tunnel end point using the
> > virtual ip stored in the Strongswan internal data structures.
>
> No, this won't work. Negotiating the CHILD_SA installs IPsec SAs and
> policies to the kernel, along with a source route to actually make use
> of these policies. If the virtual IP is not installed to the kernel,
> installing the source route is not possible.
>
> Not sure what you want to achieve by deferring virtual IP installation,
> but that won't work with the way strongSwan handles CHILD_SA setup.
>
> Regards
> Martin
>
>
