[strongSwan-dev] kernel SPD/SAD tool

Goshen, Ido (Ido) igoshen at avaya.com
Wed Jun 1 09:37:08 CEST 2011


In the end I went in another direction.
Instead of cleaning up, I just ignore the case where the policy already exists.

Something like this:

diff --git
a/strongswan-4.5.1/src/libhydra/plugins/kernel_netlink/kernel_netlink_ip
sec.c b/strongswan-4.5.1/src/libhydra/plugins/kernel_netlink/kernel_netl
index 4dc8078..c7870c4 100644
---
a/strongswan-4.5.1/src/libhydra/plugins/kernel_netlink/kernel_netlink_ip
sec.c
+++
b/strongswan-4.5.1/src/libhydra/plugins/kernel_netlink/kernel_netlink_ip
sec.c
@@ -1647,6 +1647,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
        struct xfrm_userpolicy_info *policy_info;
        struct nlmsghdr *hdr;
        int i;
+       status_t xfrm_send_status = FAILED;
 
        /* create a policy */
        policy = malloc_thing(policy_entry_t);
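Review bot: the `= FAILED` initializer on the new `xfrm_send_status` local is dead, since the variable is assigned from `send_ack()` before its first read in the next hunk; either drop the initializer or add a one-word comment that it is deliberate defensive style. A shorter name in line with the surrounding locals (`status`) would also match the file's conventions.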
@@ -1804,7 +1805,14 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
                mrk->m = mark.mask;
        }
 
-       if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) !=
SUCCESS)
+       xfrm_send_status =
this->socket_xfrm->send_ack(this->socket_xfrm, hdr);
+       if (ALREADY_DONE == xfrm_send_status)
+       {
+               DBG2(DBG_KNL, "policy %R === %R %N "
+                               "already exists in the kernel",
+                               src_ts, dst_ts, policy_dir_names,
direction);
+       }
+       else if (SUCCESS != xfrm_send_status)
        {
                DBG1(DBG_KNL, "unable to add policy %R === %R %N",
src_ts, dst_ts,
                                           policy_dir_names, direction);
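Review bot: treating `ALREADY_DONE` as success in the new branch keeps whatever policy the kernel already holds, and in the crash-recovery case this thread is about that is a stale entry left by the dead daemon, which may carry different templates, reqid or mark than the policy just built here, so the freshly negotiated SA may never be selected; consider sending the policy as an update (`XFRM_MSG_UPDPOLICY`) instead of skipping it, or at least log the "already exists" case at `DBG1` like the failure case so the mismatch is visible. Also confirm that the code following the `else if` (the failure cleanup and whatever bookkeeping runs on the success path, not shown in the hunk) does the right thing for the new fall-through path.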


Does it make sense?

Thanx,
- Ido

-----Original Message-----
From: Goshen, Ido (Ido) 
Sent: Tuesday, May 31, 2011 9:33 AM
To: dev at lists.strongswan.org; Andreas Steffen
Subject: Re: kernel SPD/SAD tool

- I'm not saying that pluto crashes; I didn't mean to cause such worries.
We had some issues that we tried to reproduce by intentionally killing
it to see how it recovers.

- Thanx for the detailed netkey_cleanup pointers.
It's a pity that it uses system shell commands ("setkey" or "ip xfrm")
instead of directly sending nlmsg through its NETLINK_XFRM socket like it
does for all other operations. Our system is busybox based and doesn't
have either command.

Thanx again - the info is very helpful
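Ido's point above, that a cleanup could talk to the kernel over NETLINK_XFRM directly rather than shelling out, as an added example that is not strongSwan's code: it flushes the SPD and then the SAD by sending XFRM_MSG_FLUSHPOLICY and XFRM_MSG_FLUSHSA with an ACK request, the same way charon's netlink plugin issues its own requests. It assumes Linux headers and CAP_NET_ADMIN for the actual flush; building the message needs neither.

```c
/* Added example, not strongSwan code: flush the kernel SPD and SAD by sending
 * XFRM_MSG_FLUSHPOLICY / XFRM_MSG_FLUSHSA over a NETLINK_XFRM socket (the same
 * channel charon uses) rather than shelling out to "setkey" or "ip xfrm". */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/xfrm.h>

/* Fill in a flush request and return its nlmsg_len. FLUSHSA carries an
 * xfrm_usersa_flush (proto 0 = every protocol); FLUSHPOLICY has no payload. */
static int build_flush(struct nlmsghdr *hdr, __u16 type)
{
	memset(hdr, 0, NLMSG_SPACE(sizeof(struct xfrm_usersa_flush)));
	hdr->nlmsg_type = type;
	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;   /* ask the kernel to ACK */
	hdr->nlmsg_seq = 1;
	hdr->nlmsg_len = type == XFRM_MSG_FLUSHSA
		? NLMSG_LENGTH(sizeof(struct xfrm_usersa_flush)) : NLMSG_LENGTH(0);
	return hdr->nlmsg_len;
}

/* Send one flush and wait for the ACK (needs CAP_NET_ADMIN).
 * Returns 0 on success, otherwise a negative errno. */
static int xfrm_flush(int fd, __u16 type)
{
	unsigned long req[8], buf[512];   /* aligned request / 4 KiB reply buffers */
	struct nlmsghdr *rep = (struct nlmsghdr *)buf;
	struct sockaddr_nl kern = { .nl_family = AF_NETLINK };  /* nl_pid 0 = kernel */
	int len = build_flush((struct nlmsghdr *)req, type);
	ssize_t n;
	if (sendto(fd, req, len, 0, (struct sockaddr *)&kern, sizeof(kern)) != len ||
	    (n = recv(fd, buf, sizeof(buf), 0)) < 0)
		return -errno;
	if (!NLMSG_OK(rep, (unsigned)n) || rep->nlmsg_type != NLMSG_ERROR)
		return -EPROTO;
	return ((struct nlmsgerr *)NLMSG_DATA(rep))->error;   /* 0 on a clean ACK */
}

int main(void)
{
	int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
	if (fd < 0) { perror("socket"); return 1; }
	/* Policies first, so no SPD entry still refers to the SAs dropped next. */
	printf("SPD flush: %s\n", strerror(-xfrm_flush(fd, XFRM_MSG_FLUSHPOLICY)));
	printf("SAD flush: %s\n", strerror(-xfrm_flush(fd, XFRM_MSG_FLUSHSA)));
	return close(fd);
}
```

Run as root on a test box to clear state left behind by a killed daemon; the result lines print the kernel's errno text, "Success" when both flushes were acknowledged.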

-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org] 
Sent: Monday, May 30, 2011 7:16 PM
To: Goshen, Ido (Ido)
Cc: dev at lists.strongswan.org
Subject: Re: kernel SPD/SAD tool

Hi Ido,

- first, pluto is not supposed to crash. Please provide us with debug
  information so that we can fix your problem.

- second, starter flushes all SPD/SAD entries in the kernel using
  starter_netkey_cleanup() after pluto and/or charon are terminated:

http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/starter/starter.c;h=d86da21b83f758c1824c312ede7f1caf42fd61a9;hb=HEAD#l429

http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/starter/netkey.c;h=e0449f0b2599f0c1a40c10f6428b8b6353507c87;hb=HEAD#l67


If you want to flush the SPD/SAD before starting pluto then insert
starter_netkey_cleanup() somewhere here:

http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/starter/starter.c;h=d86da21b83f758c1824c312ede7f1caf42fd61a9;hb=HEAD#l364

Regards

Andreas

On 05/30/2011 02:00 PM, Goshen, Ido (Ido) wrote:
> Hi Andreas,
> 
> Thanx for the quick response, and for exposing me to the "ip xfrm"
> option. I like it a lot better than mixing ipsec-tools setkey with
> StrongSWAN.
> 
> As you suggested I would rather not have to manually touch the
> SPD/SAD. But I'm having a problem: when pluto crashes it leaves behind
> entries in the kernel that may break further negotiation after pluto is
> restarted.
> More details were posted in:
> 1. http://www.mail-archive.com/users@lists.strongswan.org/msg02447.html
> 2. https://lists.strongswan.org/pipermail/users/2011-May/006236.html
> 
> Is it a known issue?
> 
> Any ideas how to fix/recover?
> 
> Thanx,
> - Ido
> 
> 
> 
> -----Original Message-----
> From: dev-bounces+igoshen=avaya.com at lists.strongswan.org
> [mailto:dev-bounces+igoshen=avaya.com at lists.strongswan.org] On Behalf Of
> dev-request at lists.strongswan.org
> Sent: Monday, May 30, 2011 1:00 PM
> To: dev at lists.strongswan.org
> Subject: Dev Digest, Vol 16, Issue 5
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Mon, 30 May 2011 10:07:43 +0200
> From: "Goshen, Ido (Ido)" <igoshen at avaya.com>
> Subject: [strongSwan-dev] kernel SPD/SAD tool
> To: <dev at lists.strongswan.org>
> Message-ID: <EDC652A26FB23C4EB6384A4584434A04032BC954 at 307622ANEX5.global.avaya.com>
> Content-Type: text/plain; charset="us-ascii"
> 
> Hi,
> 
>  
> 
> Does StrongSWAN supply a shell tool like "setkey" from ipsec-tools to
> monitor and/or manipulate the kernel's SPD/SAD, or is it all done
> programmatically via hydra (netlink plugin in my case)?
> 
>  
> 
> Thanx,
> 
> -        Ido
> 
>  
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Mon, 30 May 2011 11:50:21 +0200
> From: Andreas Steffen <andreas.steffen at strongswan.org>
> Subject: Re: [strongSwan-dev] kernel SPD/SAD tool
> To: "Goshen, Ido (Ido)" <igoshen at avaya.com>
> Cc: dev at lists.strongswan.org
> Message-ID: <4DE3685D.9050003 at strongswan.org>
> Content-Type: text/plain; charset=windows-1252; format=flowed
> 
> Hi Ido,
> 
> strongSwan manages the kernel SPD/SAD via the XFRM Netlink kernel
> interface. The built-in "ipsec statusall" command can be used to
> monitor the established IPsec SAs but if you want to see all the
> details you can also use "setkey" or "ip xfrm state|policy".
> 
> If you manipulate SPD/SAD entries via "setkey" or "ip xfrm" then you
> are on your own since strongSwan will not be aware of any such changes.
> 
> Regards
> 
> Andreas
> 
> On 05/30/2011 10:07 AM, Goshen, Ido (Ido) wrote:
>> Hi,
>>
>> Does StrongSWAN supply a shell tool like "setkey" from ipsec-tools to
>> monitor and/or manipulate the kernel's SPD/SAD, or is it all done
>> programmatically via hydra (netlink plugin in my case)?
>>
>> Thanx,
>>
>> -Ido
>>
> 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==