[strongSwan-dev] [PATCH 0/5] Recover IKE_SA reset after successful IKE_SA_INIT
Thomas Egerer
thomas.egerer at secunet.com
Sun Jun 6 22:47:56 CEST 2010
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello Martin, *,
after one of our test scenarios repeatedly failed we took the time to
investigate the problem.
It was a quite tough nut to crack, but I guess this might be something
that should best be fixed upstream (again I'm using box and xob, where
box is I and xob is R):
box xob
iirq >
\
\
\
\
> iirs
/
/
/
/
<
iarq 0 >
\
\
\
iarq 1 >
\
\
\
iarq 2 >
\
\
\
iarq 3 >
\
\
\
iarq 4 >
\
\
\
iarq 5 >
\
\
\
(reset of IKE_SA on box)
If after this has happened, traffic destined to the aforementioned
IKE_SA is received it's task_manager gets stuck.
This is because the IKE_SA_INIT and NAT_D tasks were already
successfully exchanged and then the IKE_SA is reset to IKE_CREATED.
When the task_manager's initiate function is called and -- even though
there are queued tasks -- none of the tasks is activated.
If however the connection is manually initiated everything works again
since stroke causes charon to add a new IKE_SA_INIT task.
As I've mentioned, it took us a while to figure this out. This was
mainly for two reasons:
a) the checkout/checkin information in ike_sa_manager lack the info
which IKE_SA (including the unique ID) is checked out,
b) there's no way to see the pending/queued or passive tasks in an
IKE_SA (actually there is, but not upstream, yet)
a became a problem when we did not realize that we actually had two
instances of the same IKE_SA (uniqueness policy didn't kick in, since
the IKE_SA that got stuck was still in state IKE_CREATED). So what we
saw was basically an acquire that seemed to vanish when it was queued
into an IKE_SA that we didn't know was there in first place (reading
stroke output on a 80x25 terminal can be a challenge).
And b became a problem when we wanted to see where our 'lost'
CHILD_CREATE job was queued and where not.
So the patches to come include
* the helpful debug output for a),
* an additional printf_hook addressing b),
* some optimization for the use of the newly introduced hook in
stroke_list,
* the actual use of the hook in stroke_list, and last but not least
* my proposal for a solution of the problem mentioned above
Hope to hear from you
Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkwMCXwACgkQDXd94wpQmdwHfQCfSII5t64yrJ2P23JudKbZM0Bg
DF4AoInwoaaibDlwU2amIgS5Up4Vv3RN
=UWxo
-----END PGP SIGNATURE-----
More information about the Dev
mailing list