If a CHILD_SA is terminated, the updown event is triggered after the
CHILD_SA is set to state CHILD_DELETED, so no usage stats or detail
information like SPIs were reported. However, when an IKEv2 SA is
terminated, the updown event for its children is triggered without
changing the state first, that is, they usually remain in state
INSTALLED and detailed data was reported in the event. IKEv1
CHILD_SAs are always terminated individually, i.e. with state
change and no extra data so far.
With this change usage stats are also returned for individually deleted
CHILD_SAs as long as the SA has not yet expired.
Fixes#3198.
The unique names were introduced for the list-sas command in commit
04c0219e55. However, the child-updown
event wasn't updated to match. Even though the documentation suggests
that the section name of the CHILD_SAs are the same in both messages.
The original name is already being returned in the "name" attribute,
so it'll still be available.
Example:
>>> import vici, json
>>> s = vici.Session()
# First, for comparison, the list-sas command:
>>> print(json.dumps(list(s.list_sas()), sort_keys=True, indent=4, separators=(',', ': ')))
[
{
"vti0": {
"child-sas": {
"vti0-1": {
...
# A child-updown event before the change:
>>> for x in s.listen(["child-updown"]): print(json.dumps(x, sort_keys=True, indent=4, separators=(',', ': ')))
[
"child-updown",
{
"vti0": {
"child-sas": {
"vti0": { # <-- wrong: inconsistent with list-sas
...
# A child-updown event after the change:
>>> s = vici.Session()
>>> for x in s.listen(["child-updown"]): print(json.dumps(x, sort_keys=True, indent=4, separators=(',', ': ')))
[
"child-updown",
{
"vti0": {
"child-sas": {
"vti0-1": { # <-- fixed
Closesstrongswan/strongswan#153.
Although being already logged on level 2, these messages are usually just
confusing if they pop up randomly in the log when e.g. querying the configs
or installing traps. So after this the log messages will only be logged when
actually proposing or selecting traffic selectors during IKE.
The original name is returned in the new "name" attribute.
This fixes an issue with bindings that map VICI messages to
dictionaries. For instance, in roadwarrior scenarios where every
CHILD_SA has the same name only the information of the last CHILD_SA
would end up in the dictionary for that name.
The `nat-local` and `nat-remote` keys contain information on the NAT
status of the local and remote IKE endpoints, respectively. If a
responder did not detect a NAT but is configured to fake a NAT situation
this is indicated by `nat-fake` (if an initiator fakes a NAT situation
`nat-local` is set). If any NAT is detected or faked `nat-any` is set.
Closesstrongswan/strongswan#16.
This is needed to handle DELETEs properly, which was previously done via
CHILD_REKEYING, which we don't use anymore since 5c6a62ceb6 as it prevents
reauthentication.
To simplify handling of authentication rounds in dictionaries/hashtables on the
client side, we assign unique names to each authentication round when listing
connection.
Tobias Brunner