[strongSwan-dev] [PATCH 0/2] Add reference counting to child_sa
Martin Willi
martin at strongswan.org
Tue May 18 12:34:22 CEST 2010
> Our send/receive_delay testing hooks are insufficient to simulate this,
> I'll have to add some conditional packet delays to reproduce it.

I have added a simple conditional packet delay mechanism; it allows us
to delay some specific packets and reproduce this issue.

> I'll try to reproduce this condition

I configured box with:

  strongswan.conf:
    send_delay = 1000
    receive_delay = 5000
    receive_delay_type = 36
    receive_delay_request = no

  ipsec.conf:
    lifetime=30s
    margintime=11s
    rekeyfuzz=0%

For xob, I used:

  strongswan.conf:
    send_delay = 1000

  ipsec.conf:
    lifetime=30s
    margintime=10s
    rekeyfuzz=0%

This will trigger a simultaneous rekey in ~20s, but will delay the
problematic CREATE_CHILD_SA response a little more. With this
configuration, I could reproduce the problem.

> I think it should be possible to catch this in the collide() check.

I additionally checked in a patch that fixes the problem for this
configuration for both cases, if xob wins the nonce compare, but also if
it loses.

Patches attached, please verify.

Best regards
Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Added-simple-conditional-packet-send-delay.patch
Type: text/x-patch
Size: 2323 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20100518/b00cf42e/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Added-simple-conditional-packet-receive-delay.patch
Type: text/x-patch
Size: 2857 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20100518/b00cf42e/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-Handle-collisions-between-rekey-and-the-following-de.patch
Type: text/x-patch
Size: 3964 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20100518/b00cf42e/attachment-0002.bin>