| | Commit message | Author | Age | Files | Lines |
---|---|---|---|---|---|
* | child-rekey: Don't install outbound SA in case of lost collisions | Tobias Brunner | 2017-08-07 | 1 | -25/+57 |
| | This splits the SA installation also on the initiator, so we can avoid installing the outbound SA if we lost a rekey collision, which might have caused traffic loss depending on the timing of the DELETEs that are sent in both directions. | | | | |
* | unit-tests: Check installed IPsec SAs in child-rekey tests | Tobias Brunner | 2017-05-23 | 1 | -3/+94 |
* | child-delete: Delay the removal of the inbound SA of rekeyed CHILD_SAs | Tobias Brunner | 2017-05-23 | 1 | -122/+362 |
| | After deleting a rekeyed CHILD_SA we uninstall the outbound SA but don't destroy the CHILD_SA (and the inbound SA) immediately. We delay it a few seconds or until the SA expires to allow delayed packets to get processed. The CHILD_SA remains in state CHILD_DELETING until it finally gets destroyed. | | | | |
* | child-sa: Remove state to track installation of half the SA again | Tobias Brunner | 2017-05-23 | 1 | -45/+45 |
* | ikev2: Delay installation of outbound SAs during rekeying on the responder | Tobias Brunner | 2017-05-23 | 1 | -20/+32 |
| | The responder has all the information needed to install both SAs before the initiator does. So if the responder immediately installs the outbound SA it might send packets using the new SA which the initiator is not yet able to process. This can be avoided by delaying the installation of the outbound SA until the replaced SA is deleted. | | | | |
* | unit-tests: Add tests for expires after CHILD_SA rekeying | Tobias Brunner | 2016-06-17 | 1 | -0/+129 |
* | unit-tests: Add test for CHILD_SA rekey if a retry due to an INVALID_KE_PAYLOAD is delayed | Tobias Brunner | 2016-06-17 | 1 | -0/+143 |
* | unit-tests: Add tests for IKE/CHILD rekey collisions | Tobias Brunner | 2016-06-17 | 1 | -0/+170 |
* | unit-tests: Add tests where a peer is not aware of a CHILD_SA rekey collision | Tobias Brunner | 2016-06-17 | 1 | -1/+354 |
* | unit-tests: Test for rekeying if INVALID_KE_PAYLOAD notifies are received | Tobias Brunner | 2016-06-17 | 1 | -0/+253 |
* | unit-tests: Make IKE and ESP proposals configurable | Tobias Brunner | 2016-06-17 | 1 | -9/+9 |
* | unit-tests: Add tests for CHILD_SA rekeying/deletion collisions | Tobias Brunner | 2016-06-17 | 1 | -1/+288 |
* | ikev2: Use CHILD_REKEYED for replaced CHILD_SAs after rekeying | Tobias Brunner | 2016-06-17 | 1 | -6/+5 |
| | This allows handling collisions better, in particular with deletions. | | | | |
* | unit-tests: Add unit tests for basic CHILD_SA rekeying | Tobias Brunner | 2016-06-17 | 1 | -0/+235 |