From 518dd33c94e041db0444c7d1f33da363bb8e3faf Mon Sep 17 00:00:00 2001 From: Yves-Alexis Perez Date: Thu, 24 Mar 2016 11:59:32 +0100 Subject: Imported Upstream version 5.4.0 --- testing/tests/ikev2/reauth-mbb-revoked/description.txt | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 testing/tests/ikev2/reauth-mbb-revoked/description.txt (limited to 'testing/tests/ikev2/reauth-mbb-revoked/description.txt') diff --git a/testing/tests/ikev2/reauth-mbb-revoked/description.txt b/testing/tests/ikev2/reauth-mbb-revoked/description.txt new file mode 100644 index 000000000..4e27a0b82 --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb-revoked/description.txt @@ -0,0 +1,15 @@ +This scenario tests make-before-break reauthentication using overlapping +IKE_SAs by setting the make_before_break strongswan.conf option. The +initiator carol reauthenticates the IKE_SA with host moon using +ikelifetime=10s, but does not close the old IKE_SA before the replacement +CHILD_SA is in place. A constant ping from carol to client alice +hiding in the subnet behind moon tests if the CHILD_SA works during the +whole procedure. +

+Because the responder is always able to install CHILD_SAs before the initiator +is, some traffic sent by the responder over such a CHILD_SA might get dropped by +the initiator (until it also installed the CHILD_SA). This is particularly +problematic if OCSP/CRL checks are delayed or if they can also be done via the +IPsec tunnel once it's established. Therefore, online OCSP/CRL checks are +suspended during the reauthentication and done afterwards. This is verified here +by revoking the responder's certificate after the SA got initially established. -- cgit v1.2.3
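Review bot: The last sentence of this hunk ("This is verified here by revoking the responder's certificate after the SA got initially established") does not say what the test expects to observe, so a reader cannot tell a passing run from a failing one. Since the paragraph states that online OCSP/CRL checks are suspended during reauthentication and done afterwards, the description should spell out the two things the scenario is checking: that the make-before-break reauthentication itself completes and the constant ping from carol to alice is not interrupted (the deferred check must not block it), and that the deferred OCSP/CRL check then detects the revocation and carol terminates the IKE_SA with moon. One or two sentences to that effect would make the scenario self-describing. A minor wording point in the same paragraph: "until it also installed the CHILD_SA" reads better as "until it has also installed the CHILD_SA", and "if OCSP/CRL checks are delayed or if they can also be done via the IPsec tunnel" would be clearer as "if OCSP/CRL checks are delayed, or if they can only be done via the IPsec tunnel", assuming that is the intended meaning (the dependency on the tunnel is what makes the deferral necessary).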