[people/ms/strongswan.git] / doc / src / initiatorstate.txt


                       |
	               | PF_ACQUIRE
		       |     
                       V
                .---------------.       
                |  non-existant |
                |  connection   |
                `---------------'
                 |      |      |
          send   ,      |      \
expired   pass  /       |       \ send
conn.     msg  /        |        \ deny
  ^           /         |         \ msg
  |          V          | do       \ 		 
.---------------.       | DNS       \   .---------------.  
|  clear-text   |	| lookup     `->|     deny      |---> expired
|  connection   |	| for 	        |  connection   |     connection
`---------------'	| destination   `---------------'
   ^ ^                  |                   ^
   | | no record        |                   |
   | | OE-permissive    V                   | no record
   | |            .---------------.         | OE-paranoid
   | `------------|  potential OE |---------'
   |              |  connection   |         ^
   |              `---------------'         |
   |                    |                   |
   |                    | got TXT record    | DNSSEC failure
   |                    | reply             |
   |                    V                   | wrong 
   |              .---------------.         | failure
   |              |  authenticate |---------'
   |              | & parse TXT RR|         ^
   | repeated     `---------------'         |
   | ICMP               |                   |
   | failures           | initiate IKE to   |                         
   | (short-timeout)    | responder         |                         
   |                    V                   |                          
   | phase-2      .---------------.         | failure                       
   | failure      |   pending     |---------'                          
   | (normal      |     OE        |         ^                          
   |  timeout)    |               |invalid  | phase-2 failure (short-timeout)
   |              |               |<--.SPI  | ICMP failures (normal timeout)
   |              |               |   |     |                          
   |              | +=======+     |---'     |                          
   |              | |  IKE  |     |   ^     |                          
   `--------------| | states|---------------'                          
                  | +=======+     |   |                                
                  `---------------'   |                                
                        |             | invalid SPI                    
                        |             |                                
	                V             | rekey time                     
                  .--------------.    |                                
                  |   keyed      |<---|-------------------------------.
                  |  connection  |----'                               |
                  `--------------'                                    |
                        |                                             |
                        |                                             |
                        V                                             |
                  .--------------.     connection still active        |
  clear-text----->|   expired    |------------------------------------'
        deny----->|  connection  |
                  `--------------'


$Id: initiatorstate.txt,v 1.1 2004/03/15 20:35:24 as Exp $
Commit	Line	Data
997358a6 MW	1
	2	\|
	3	\| PF_ACQUIRE
	4	\|
	5	V
	6	.---------------.
	7	\| non-existant \|
	8	\| connection \|
	9	`---------------'
	10	\| \| \|
	11	send , \| \
	12	expired pass / \| \ send
	13	conn. msg / \| \ deny
	14	^ / \| \ msg
	15	\| V \| do \
	16	.---------------. \| DNS \ .---------------.
	17	\| clear-text \| \| lookup `->\| deny \|---> expired
	18	\| connection \| \| for \| connection \| connection
	19	`---------------' \| destination `---------------'
	20	^ ^ \| ^
	21	\| \| no record \| \|
	22	\| \| OE-permissive V \| no record
	23	\| \| .---------------. \| OE-paranoid
	24	\| `------------\| potential OE \|---------'
	25	\| \| connection \| ^
	26	\| `---------------' \|
	27	\| \| \|
	28	\| \| got TXT record \| DNSSEC failure
	29	\| \| reply \|
	30	\| V \| wrong
	31	\| .---------------. \| failure
	32	\| \| authenticate \|---------'
	33	\| \| & parse TXT RR\| ^
	34	\| repeated `---------------' \|
	35	\| ICMP \| \|
	36	\| failures \| initiate IKE to \|
	37	\| (short-timeout) \| responder \|
	38	\| V \|
	39	\| phase-2 .---------------. \| failure
	40	\| failure \| pending \|---------'
	41	\| (normal \| OE \| ^
	42	\| timeout) \| \|invalid \| phase-2 failure (short-timeout)
	43	\| \| \|<--.SPI \| ICMP failures (normal timeout)
	44	\| \| \| \| \|
	45	\| \| +=======+ \|---' \|
	46	\| \| \| IKE \| \| ^ \|
	47	`--------------\| \| states\|---------------'
	48	\| +=======+ \| \|
	49	`---------------' \|
	50	\| \| invalid SPI
	51	\| \|
	52	V \| rekey time
	53	.--------------. \|
	54	\| keyed \|<---\|-------------------------------.
	55	\| connection \|----' \|
	56	`--------------' \|
	57	\| \|
	58	\| \|
	59	V \|
	60	.--------------. connection still active \|
	61	clear-text----->\| expired \|------------------------------------'
	62	deny----->\| connection \|
	63	`--------------'
	64
65
66	$Id: initiatorstate.txt,v 1.1 2004/03/15 20:35:24 as Exp $