[strongSwan-dev] with "auto=route" strongSwan could end up without kernel traps

Ansis Atteka ansisatteka at gmail.com
Tue Apr 5 00:02:44 CEST 2016


As can be seen with these two sample commands, if there is a sleep(1)
after `ipsec restart/start/reload/update` command, then strongSwan
does not install kernel traps that prevent traffic from exiting in
plain, once the IP route configuration reappears (e.g. if DHCP server
was "late" with assigning IP configuration):

1. root at ubuntu:/home/aatteka/Git# ifconfig eno16777736 0.0.0.0; ipsec
restart; ifconfig eno16777736 192.168.71.136/24; ip route add default
via 192.168.71.2; ipsec status
Stopping strongSwan IPsec...
Starting strongSwan 5.4.0 IPsec [starter]...
Routed Connections:
sample-self-signed{1}:  ROUTED, TUNNEL, reqid 1 <----------- This
kernel trap is missing with sleep(1)
sample-self-signed{1}:   192.168.71.136/32 === 192.168.0.2/32
Security Associations (0 up, 0 connecting):
  none


2. root at ubuntu:/home/aatteka/Git# ifconfig eno16777736 0.0.0.0; ipsec
restart; sleep 1; ifconfig eno16777736 192.168.71.136/24; ip route add
default via 192.168.71.2; ipsec status

Stopping strongSwan IPsec...
Starting strongSwan 5.4.0 IPsec [starter]...
Security Associations (0 up, 0 connecting):
  none


I verified that this bug is present in 5.1.2 and master branch. The
obvious solution to fix this would be to let strongSwan to listen to
Netlink notifications that indicate when IP route appeared and then
retry in installing IPsec policies.

There seems to be some support for this, in particular,
charon.process_route = yes setting, but it does not seem to change
anything. What is exact intended behavior of that flag?

Thanks,
Ansis


More information about the Dev mailing list