[strongSwan-dev] A plugin: Syncing the latest sent packet content
Avinoam Meir
avinoam at google.com
Tue Dec 1 08:26:40 CET 2015
Hello Strongswan developers,
I looked at the HA plugin and, if I understand correctly, for every sent
packet the plugin syncs only the MID, but not the packet content (I mean
task_manager->initiating.packets
<https://github.com/strongswan/strongswan/blob/08afc33e5259399a682bb62ef253b3155e68461e/src/libcharon/sa/ikev2/task_manager_v2.c#L122>
and task_manager->responding.packets
<https://github.com/strongswan/strongswan/blob/08afc33e5259399a682bb62ef253b3155e68461e/src/libcharon/sa/ikev2/task_manager_v2.c#L96>).
I think there are a few cases where the IKE state synchronization will fail
without syncing the latest sent packet.
For example:
1. The active VPN received a request from the peer and tried to send a
response, but the machine crashed or there was a problem in the network so
the message wasn't sent, while the inactive VPN got an HA message with the new
MID. When the backup VPN is activated the peer retransmits the request,
but because the VPN doesn't have the latest packet it drops the retransmitted
request (see here
<https://github.com/strongswan/strongswan/blob/08afc33e5259399a682bb62ef253b3155e68461e/src/libcharon/sa/ikev2/task_manager_v2.c#L1341>)
and in the end the IKE SA will reset.
2. The active VPN tried to initiate an exchange with the peer, but the
machine crashed or there was a problem in the network so the message wasn't
sent, while the inactive VPN got an HA message with the new MID. When the backup
VPN is activated it will try to send new messages, but our VPN's MID now
equals MID+1 of the peer VPN, and in the end the IKE SA will reset.
It seems that syncing the latest packets will solve such cases.
What do you think?
Thanks,
Avinoam
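The two failover scenarios above, modelled as an added example (this is not strongSwan's or the HA plugin's code; the IkeSaState, ha_sync and handle_request names and the simplified MID window are my own assumptions, loosely following the responder check linked in the mail):

```python
# Added example, not strongSwan code: a toy model of the IKEv2 message-ID
# bookkeeping the mail describes. Type and function names are my own.
from dataclasses import dataclass
from typing import Optional

@dataclass
class IkeSaState:
    """Per-SA responder/initiator MIDs plus the last packet sent in each role."""
    responding_mid: int = 0                    # MID expected in the next request
    initiating_mid: int = 0                    # MID of our next request
    responding_packet: Optional[bytes] = None  # last response sent
    initiating_packet: Optional[bytes] = None  # last request sent

def ha_sync(active: IkeSaState, sync_packets: bool) -> IkeSaState:
    """Passive node's view after an HA update; packets only if sync_packets."""
    passive = IkeSaState(active.responding_mid, active.initiating_mid)
    if sync_packets:
        passive.responding_packet = active.responding_packet
        passive.initiating_packet = active.initiating_packet
    return passive

def handle_request(sa: IkeSaState, mid: int) -> str:
    """Responder MID check: new request, retransmit of the last one, or ignore."""
    if mid == sa.responding_mid:
        sa.responding_packet = b"RESP-%d" % mid
        sa.responding_mid += 1
        return "processed"
    if mid == sa.responding_mid - 1 and sa.responding_packet is not None:
        return "retransmitted"          # resend stored response
    return "ignored"                    # out of window: dropped

def failover_case1(sync_packets: bool) -> str:
    """Case 1: active processes request 0, crashes before its response leaves."""
    active = IkeSaState()
    handle_request(active, 0)               # MID advances to 1, response built
    passive = ha_sync(active, sync_packets) # active crashes; passive takes over
    return handle_request(passive, 0)       # peer retransmits request 0

def failover_case2(sync_packets: bool) -> str:
    """Case 2: active builds request 0, syncs MID 1, crashes before sending it."""
    peer, active = IkeSaState(), IkeSaState()
    active.initiating_packet, active.initiating_mid = b"REQ-0", 1
    passive = ha_sync(active, sync_packets)
    if passive.initiating_packet is not None:
        handle_request(peer, 0)             # resend the synced request first
    return handle_request(peer, passive.initiating_mid)

if __name__ == "__main__":
    for case in (failover_case1, failover_case2):
        print(case.__name__, "mid only:", case(False), "| with packet:", case(True))
```

With only the MID synced both cases end in "ignored" (the SA eventually resets); with the last packet synced the backup node can retransmit the response or resend the request and the exchange continues.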