[strongSwan-dev] FreeBSD 10.0 road warrior re-authentication problem

Tobias Brunner tobias at strongswan.org
Fri Jul 25 19:19:18 CEST 2014


Hi David,

Sorry for the late response.  I could recreate this issue.  There are
two things contributing to it:

  * We currently don't handle RTM_IFANNOUNCE when interfaces are deleted
  * FreeBSD immediately reuses indices of deleted network devices

We use the indices to match events received via PF_ROUTE to our cached
interface objects.  But we never remove these objects because we
currently don't handle the RTM_IFANNOUNCE message.  So if an interface
is deleted and a new one is created with a previously used index the
name of the cached object will not match the actual name of the interface:

> 06[KNL] interface tun0 deactivated
> ...
> 08[KNL] 192.168.254.1 disappeared from tun1
> 07[IKE] installing new virtual IP 192.168.254.1
> 08[KNL] interface tun1 deactivated
> 07[LIB] created TUN device: tun2
> 16[KNL] interface tun0 activated
> 16[KNL] fe80::f2de:f1ff:fead:512f appeared on tun0
> 05[KNL] 192.168.254.1 appeared on tun0

As can be seen, the cache entry for tun0 was not removed even though it
was deactivated and deleted a while ago.  tun2 now uses the same index
as tun0 did, so the kernel-pfroute plugin associates the following
events with the cached entry for tun0.  Of course, this causes problems
later, e.g. when installing routes via the TUN device, as the cached name
(tun0) will be used.

The attached patch adds support for RTM_IFANNOUNCE messages, so cached
interfaces are properly deleted when they disappear from the system.

As a workaround you can disable reauthentication with reauth=no.  The
IKE_SA will then be rekeyed inline without affecting virtual IPs and TUN
devices.

Regards,
Tobias
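The index-reuse problem described in the message above, replayed in a small C model of an interface cache keyed by kernel ifindex. This is an added example, not strongSwan's kernel-pfroute code: the structures, the on_*() handlers and the ifindex value 5 are simplified assumptions, and the handle_departure flag switches between the old behaviour (RTM_IFANNOUNCE ignored) and the patched one (cached object dropped on departure).

```c
#include <stdio.h>
#include <string.h>
#define MAX_IFACES 8
#define IFNAME_LEN 16

struct iface_entry { int ifindex; char name[IFNAME_LEN]; int used; };
/* Cache keyed by kernel ifindex (simplified model, not the plugin's own). */
struct iface_cache { struct iface_entry entries[MAX_IFACES]; int handle_departure; };

static struct iface_entry *cache_find(struct iface_cache *c, int ifindex)
{
    for (int i = 0; i < MAX_IFACES; i++)
        if (c->entries[i].used && c->entries[i].ifindex == ifindex)
            return &c->entries[i];
    return NULL;
}

/* RTM_IFINFO: add an object for an unknown index.  A known index keeps its
 * cached name, which is where the stale "tun0" in the log comes from. */
static void on_ifinfo(struct iface_cache *c, int ifindex, const char *name)
{
    if (cache_find(c, ifindex)) return;
    for (int i = 0; i < MAX_IFACES; i++) {
        if (c->entries[i].used) continue;
        c->entries[i].used = 1;
        c->entries[i].ifindex = ifindex;
        snprintf(c->entries[i].name, IFNAME_LEN, "%s", name);
        return;
    }
}

/* RTM_IFANNOUNCE departure: patched plugin drops the object, old one ignores it. */
static void on_ifannounce_departure(struct iface_cache *c, int ifindex)
{
    struct iface_entry *e = cache_find(c, ifindex);
    if (c->handle_departure && e) e->used = 0;
}

/* Replays the log: tun0 created and deleted, tun2 created on the same index
 * (FreeBSD reuses it at once); writes the name a later RTM_NEWADDR on that
 * index would be attributed to.  ifindex 5 is a constructed value. */
void replay(int handle_departure, char *out, size_t outlen)
{
    struct iface_cache c = {0};
    c.handle_departure = handle_departure;
    on_ifinfo(&c, 5, "tun0");
    on_ifannounce_departure(&c, 5);
    on_ifinfo(&c, 5, "tun2");
    struct iface_entry *e = cache_find(&c, 5);
    snprintf(out, outlen, "%s", e ? e->name : "(none)");
}
```

With handle_departure set to 0 the replay attributes the address to the stale tun0 entry, exactly as in the log; with it set to 1 the reused index resolves to tun2.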

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-kernel-pfroute-Delete-interfaces-on-RTM_IFANNOUNCE-I.patch
Type: text/x-patch
Size: 2989 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20140725/714f0f7d/attachment.bin>