Ondrej Moris
I should probably mention that but this is from v5.3 tag + #2447. Also here's the full log from both sides: **Left** ``` Nov 04 14:32:39 pluto[7402]: "out-1": ikev2=yes has...
Consider this update for https://github.com/libreswan/libreswan/blob/57ab0a6cc2a9d88f426c2a560fdf1363b88de462/programs/pluto/ikev2_ts.c#L1653-L1660 ``` if (best.connection != child->sa.st_connection) { vdbg("best connection matching TS is %s "PRI_CO"%s; will replace %s "PRI_CO, best.connection->name, pri_so(best.connection->serialno), (is_from_group(best.connection) ? " from group" :...
I see, looking at the problem from this perspective now... Let's assume we'll do the clean-up (i.e. once Child SA switches to best.connection, we'll set SOS_NOBODY to best.connection negotiating_ike_sa and...
> I am wondering if preventing #1068 being superseded isn't the right way forward? There's an intriguing NOTE in the code that suggests that this was at some point though...
@cagney @ueno, can you take a peek if this is a way to go?
Ah, connection switching... So here's what I think I can do: 1. Simpler approach assuming permanent connections only would be to move the check into `process_v2_IKE_AUTH_request_standard_payloads` since that is the...
Oh, I realized I only have `v2_msgid_request_outstanding(competing_ike)` in the current patch but my intention was to reject only if that outstanding request is IKE_AUTH. Whence `competing_ike->sa.st_state->v2.secured = false`. My intention...
Pushed v2 patch. It seems to be passing my testing but definitely more testing is needed.
The last version covers also connection switch during TS negotiation. I tested behavior without connection switching so far and it looks like it is working unless I missed something (also...
@cagney I added a knob to turn this new behaviour off but I had a hard time finding the right name. I call it `allow-competing-ike-auth` and it's a connection option...