<html><body><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000"><div>Hello,<br></div><div><br data-mce-bogus="1"></div><div>I'm trying to avoid duplicate IKE SA creation when concurrent SADB_ACQUIRE are received from a FreeBSD kernel:<br data-mce-bogus="1"></div><div><br data-mce-bogus="1"></div><div>[...]<br data-mce-bogus="1"></div><div>Nov 22 11:27:29 14[KNL] received an SADB_ACQUIRE<br>Nov 22 11:27:29 14[KNL] creating acquire job for policy 192.168.1.1/32 === 192.168.1.2/32 with reqid {2}<br>Nov 22 11:27:29 16[MGR] checkout IKE_SA by config<br>Nov 22 11:27:29 03[JOB] watcher got notification, rebuilding<br>Nov 22 11:27:29 03[JOB] watcher going to poll() 5 fds<br>Nov 22 11:27:29 03[JOB] watched FD 7 ready to read<br>Nov 22 11:27:29 14[KNL] received an SADB_ACQUIRE<br>Nov 22 11:27:29 03[JOB] watcher going to poll() 4 fds<br>Nov 22 11:27:29 16[MGR] created IKE_SA (unnamed)[1]<br>Nov 22 11:27:29 14[KNL] creating acquire job for policy 192.168.1.1/32 === 192.168.1.2/32 with reqid {1}<br>Nov 22 11:27:29 16[MGR] tracking created IKE_SA (unnamed)[1]<br>Nov 22 11:27:29 03[JOB] watcher got notification, rebuilding<br>Nov 22 11:27:29 06[MGR] checkout IKE_SA by config<br></div><div>[...]<br data-mce-bogus="1"></div><div><br data-mce-bogus="1"></div><div>The IKE SA created by calling checkout_by_config() is not tracked until its checkin later, thus leading to the creation of another unnamed IKE SA with the same peer and IKE configurations.<br data-mce-bogus="1"></div><div>To circumvent this, I added the created IKE SA as an entry in the IKE SA manager like done (somehow) when calling checkout_by_message().<br data-mce-bogus="1"></div><div>With this, the second SADB_ACQUIRE finds the entry:<br data-mce-bogus="1"></div><div><br data-mce-bogus="1"></div><div>[...]<br data-mce-bogus="1"></div><div>Nov 22 11:27:29 16[MGR] checkin IKE_SA (ZDI1NjM0NWFkMDUzYWVmZDU3ZDg0OTcyZTZkOTM3ZTEA)(fb8d6ee724d5d9157518502da724119d)[1]<br>Nov 22 11:27:29 
16[MGR] checkin of IKE_SA successful<br>Nov 22 11:27:29 06[MGR] found existing IKE_SA 1 with a '(ZDI1NjM0NWFkMDUzYWVmZDU3ZDg0OTcyZTZkOTM3ZTEA)(fb8d6ee724d5d9157518502da724119d)' config<br>Nov 22 11:27:29 06[IKE] <(ZDI1NjM0NWFkMDUzYWVmZDU3ZDg0OTcyZTZkOTM3ZTEA)(fb8d6ee724d5d9157518502da724119d)|1> queueing CHILD_CREATE task<br>Nov 22 11:27:29 06[IKE] <(ZDI1NjM0NWFkMDUzYWVmZDU3ZDg0OTcyZTZkOTM3ZTEA)(fb8d6ee724d5d9157518502da724119d)|1> delaying task initiation, IKE_SA_INIT exchange in progress<br></div><div>[...]<br data-mce-bogus="1"></div><div><br data-mce-bogus="1"></div><div>avoiding duplicate IKE SA.<br data-mce-bogus="1"></div><div><br data-mce-bogus="1"></div><div>Is this approach correct ?<br data-mce-bogus="1"></div><div><br data-mce-bogus="1"></div><div>Regards,<br data-mce-bogus="1"></div><div>Jean-François<br data-mce-bogus="1"></div><div><br data-mce-bogus="1"></div><div>---<br> src/libcharon/sa/ike_sa_manager.c | 13 +++++++++++++<br> 1 file changed, 13 insertions(+)<br><br>diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c<br>index c50c70860..cb31e8ce1 100644<br>--- a/src/libcharon/sa/ike_sa_manager.c<br>+++ b/src/libcharon/sa/ike_sa_manager.c<br>@@ -1462,6 +1462,19 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,<br> if (!ike_sa)<br> { /* no IKE_SA using such a config, hand out a new */<br> ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);<br>+ if (ike_sa)<br>+ {<br>+ ike_sa_id_t *ike_sa_id = ike_sa->get_id(ike_sa);<br>+ entry = entry_create();<br>+ entry->ike_sa_id = ike_sa_id->clone(ike_sa_id);<br>+ entry->ike_sa = ike_sa;<br>+ entry->checked_out = thread_current();<br>+ segment = put_entry(this, entry);<br>+ unlock_single_segment(this, segment);<br>+<br>+ DBG2(DBG_MGR, "tracking created IKE_SA %s[%u]", ike_sa->get_name(ike_sa),<br>+ ike_sa->get_unique_id(ike_sa));<br>+ }<br> }<br> charon->bus->set_sa(charon->bus, ike_sa);<br> <br>-- <br>2.19.1<br></div><div><br></div></div></body></html>
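Review bot: the new entry is published with nothing but the cloned IKE_SA id, the SA pointer and `entry->checked_out = thread_current()`, so the de-duplication only holds if every caller of checkout_by_config() checks the SA back in (or checks it in and destroys it) on every path, including a failed initiation; an entry left with a stale `checked_out` thread would make every later lookup for that config wait on it. Two further points on the same block: the id is cloned before the IKE_SA_INIT exchange, so the responder SPI is not yet known, and the code should make sure (or a comment should state) that checkin() refreshes `entry->ike_sa_id` so that later SPI-based lookups still match; and since the description says this mirrors what checkout_by_message() already does, the `entry_create()` / `clone()` / `put_entry()` / `unlock_single_segment()` sequence would be better factored into one shared helper, so any entry fields or accounting that path sets are not silently skipped here. A short comment above `if (ike_sa)` explaining that the entry is inserted early so that concurrent checkout_by_config() calls block on it until checkin would also help the next reader.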