Install selectors on transport mode IPsec SAs.
This fixes several test cases in IKEv2_Self_Test (part of the IPv6 Ready
Logo Program) which is required for USGv6 certification, namely:
- IKEv2.EN.I.1.1.7.1, IKEv2.EN.I.1.1.7.1: Narrowing the range of members
of the set of traffic selectors
- IKEv2.EN.R.1.1.7.3: Narrowing multiple traffic selector
When traffic selectors of a triggered SA are narrowed by the responder, the
installed policy and the broader trap policy share the same reqid. Without
selectors on the IPsec SA packets matching the trap policy, but not the
narrowed policy, would incorrectly be handled by that IPsec SA. Since only
one selector can be specified per IPsec SA, there is currently no solution
for tunnel mode SAs.
projects / strongswan.git / commit