[strongSwan-dev] handling phase 2 creation with Juniper SRX - is this a bug?
Martin Willi
martin at strongswan.org
Fri Jul 11 12:05:48 CEST 2014
Hi,

> Quick Mode (1) -->
> <-- Quick Mode (2)
> Informational Msg (D-1) -->
> Informational Msg (D-2) -->
> Quick Mode (3) -->
> The two informational messages D-1 and D-2 are delete messages for the two
> SAs the FW is expiring.
>
> This sequence of messages causes the quick mode task to get into a weird
> state. This is how it happens.

Thanks for your detailed analysis. I could reproduce the issue here when
delaying the third Quick Mode message.

> The fix was to return NOT_SUPPORTED in quick_mode_t::process_r when an
> INFORMATIONAL_V1 message is received in QM_NEGOTIATED state. In
> process_request in src/libcharon/sa/ikev1/task_manager_v1.c, when a
> task returns NOT_SUPPORTED, I continue to the next task in the
> enumeration (without sending a response).

I think that could work. To avoid introducing another return value for
tasks, we alternatively could just ignore DELETE messages in the Quick
Mode task.

I've pushed a patch to [1] doing so, it works well in my tests. Let me
know if it fixes the issue with that Juniper box, I'll then merge the
change to mainline.

Regards
Martin

[1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=1fdc715e
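
A simplified model of the message race in the trace above and of the approach discussed (the Quick Mode task leaves INFORMATIONAL messages for another task while it waits for the third Quick Mode message), added here as an illustration; it is not strongSwan code and not part of the original message. All type and function names are hypothetical, and the way the unpatched task fails is a modelling assumption, since the thread does not spell it out.

```c
#include <stdbool.h>

/* Simplified model with hypothetical names; not strongSwan source. */
typedef enum { QUICK_MODE, INFORMATIONAL } exchange_t;
typedef enum { QM_INIT, QM_NEGOTIATED, QM_DONE, QM_FAILED } qm_state_t;
typedef enum { HANDLED, IGNORED, FAILED } result_t;

typedef struct {
    qm_state_t qm;     /* responder-side Quick Mode task state */
    int deleted;       /* old SAs removed by the delete handler */
    bool ignore_info;  /* true: Quick Mode task skips INFORMATIONAL */
} responder_t;

static result_t quick_mode_process(responder_t *r, exchange_t ex)
{
    if (r->qm == QM_DONE || r->qm == QM_FAILED)
        return IGNORED;              /* task no longer active */
    if (ex == INFORMATIONAL) {
        if (r->ignore_info || r->qm == QM_INIT)
            return IGNORED;          /* leave it for the next task */
        r->qm = QM_FAILED;           /* assumption: taken for a bad QM (3) */
        return FAILED;
    }
    r->qm = (r->qm == QM_INIT) ? QM_NEGOTIATED : QM_DONE;
    return HANDLED;
}

/* Feed received messages to the tasks in order; stop on failure. */
qm_state_t run(bool ignore_info, const exchange_t *in, int n, int *deleted)
{
    responder_t r = { QM_INIT, 0, ignore_info };
    for (int i = 0; i < n; i++) {
        result_t s = quick_mode_process(&r, in[i]);
        if (s == IGNORED && in[i] == INFORMATIONAL)
            r.deleted++;             /* delete handler takes the message */
        if (s == FAILED)
            break;
    }
    *deleted = r.deleted;
    return r.qm;
}

/* Constructed input: messages the responder receives in the trace above. */
const exchange_t RACE[] = { QUICK_MODE, INFORMATIONAL, INFORMATIONAL, QUICK_MODE };

int main(void)
{
    int d;
    return run(true, RACE, 4, &d) == QM_DONE && d == 2 ? 0 : 1;
}
```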