[strongSwan-dev] Fault Restart Issue with Key Sockets

Tue Jun 2 21:39:44 CEST 2015

We have a case where the charon daemon faults and gets restarted badly (the crash is something to do with elliptical DH groups and heap corruption that we still have to track down - that's another topic).  

Today's topic is that when the daemon restarts, the security policies all get deleted.  This leaves the kernel completely wide open...

The log entries are:

11:51:00 09[KNL] adding policy 10.2.10.121/32 === 10.2.10.122/32 out
11:51:00 09[KNL] unable to add policy: File exists. (5017)
11:51:00 09[KNL] unable to add policy 10.2.10.121/32 === 10.2.10.122/32 out
11:51:00 09[KNL] adding policy 10.2.10.122/32 === 10.2.10.121/32 in
11:51:00 09[KNL] unable to add policy: File exists. (5017)
11:51:00 09[KNL] unable to add policy 10.2.10.122/32 === 10.2.10.121/32 in
11:51:00 09[CFG] installing trap failed
11:51:00 09[KNL] deleting policy 10.2.10.121/32 === 10.2.10.122/32 out
11:51:00 09[KNL] deleting policy 10.2.10.122/32 === 10.2.10.121/32 in

I didn't study the error recovery path in depth, but the error is reported by add_policy_internal (in src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c).  The kernel will only return EEXIST when the operation is SADB_X_SPDADD.  add_policy_internal is only called with the update parameter FALSE from the add_policy method.

I checked the KLIPS and Netlink versions and it looks like the add_policy method is always supposed to update existing SPs in the kernel.

With that in mind, would the fix for this problem be to handle EEXIST in add_policy_internal by replacing

	if (pfkey_send(this, msg, &out, &len) != SUCCESS)

with 

	status = pfkey_send(this, msg, &out, &len);
	if (status != SUCCESS && !update && out->sadb_msg_errno == EEXIST)
	{
		msg->sadb_msg_type = SADB_X_SPDUPDATE;
		status = pfkey_send(this, msg, &out, &len);
	}
	if (status != SUCCESS)

TIA for your advice.