Annotation of embedaddon/strongswan/testing/tests/ikev2/reauth-mbb-revoked/description.txt, revision 1.1.1.1
1.1 misho 1: This scenario tests <b>make-before-break reauthentication</b> using overlapping
2: IKE_SAs by setting the <i>make_before_break</i> strongswan.conf option. The
3: initiator <b>carol</b> reauthenticates the IKE_SA with host <b>moon</b> using
4: <b>ikelifetime=10s</b>, but does not close the old IKE_SA before the replacement
5: CHILD_SA is in place. A constant ping from <b>carol</b> to client <b>alice</b>
6: hiding in the subnet behind <b>moon</b> tests if the CHILD_SA works during the
7: whole procedure.
8: <p/>
9: Because the responder is always able to install CHILD_SAs before the initiator
10: is, some traffic sent by the responder over such a CHILD_SA might get dropped by
11: the initiator (until it also installed the CHILD_SA). This is particularly
12: problematic if OCSP/CRL checks are delayed or if they can also be done via the
13: IPsec tunnel once it's established. Therefore, online OCSP/CRL checks are
14: suspended during the reauthentication and done afterwards. This is verified here
15: by revoking the responder's certificate after the SA got initially established.
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to description.txt CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / testing / tests / ikev2 / reauth-mbb-revoked