[strongSwan-dev] [PATCH] Avoid duplicate IKE SA from concurrent SADB_ACQUIRE

Tobias Brunner tobias at strongswan.org
Thu Nov 22 18:14:24 CET 2018


Hi Jean-Francois,

> Nov 22 11:27:29 14[KNL] received an SADB_ACQUIRE
> Nov 22 11:27:29 14[KNL] creating acquire job for policy 192.168.1.1/32 === 192.168.1.2/32 with reqid {2}
> Nov 22 11:27:29 16[MGR] checkout IKE_SA by config
> Nov 22 11:27:29 03[JOB] watcher got notification, rebuilding
> Nov 22 11:27:29 03[JOB] watcher going to poll() 5 fds
> Nov 22 11:27:29 03[JOB] watched FD 7 ready to read
> Nov 22 11:27:29 14[KNL] received an SADB_ACQUIRE
> Nov 22 11:27:29 03[JOB] watcher going to poll() 4 fds
> Nov 22 11:27:29 16[MGR] created IKE_SA (unnamed)[1]
> Nov 22 11:27:29 14[KNL] creating acquire job for policy 192.168.1.1/32 === 192.168.1.2/32 with reqid {1}
> Nov 22 11:27:29 16[MGR] tracking created IKE_SA (unnamed)[1]
> Nov 22 11:27:29 03[JOB] watcher got notification, rebuilding
> Nov 22 11:27:29 06[MGR] checkout IKE_SA by config

Why are there duplicate policies with different reqids?  The acquire
tracking in the trap manager is done via reqid.  It's strange that
that's even possible.  strongSwan only assigns unique reqids to
different policies, and for overlapping policies only an acquire for the
narrower policy should be triggered by the kernel.  So you might want to
investigate and fix that.

Regards,
Tobias
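A small added check, not part of this thread or of strongSwan's own code, that scans charon log lines for the condition Tobias describes: the same policy selector pair getting acquire jobs under more than one reqid. The log line format is taken from the quoted output; the sample input is constructed.

```python
import re
from collections import defaultdict

# Matches the charon KNL log line emitted when an SADB_ACQUIRE is turned into
# an acquire job, as seen in the quoted log, e.g.
#   Nov 22 11:27:29 14[KNL] creating acquire job for policy 192.168.1.1/32 === 192.168.1.2/32 with reqid {2}
ACQUIRE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\d+\[KNL\]\s+"
    r"creating acquire job for policy (?P<src>\S+) === (?P<dst>\S+) "
    r"with reqid \{(?P<reqid>\d+)\}$"
)


def parse_acquires(lines):
    """Return (timestamp, src, dst, reqid) tuples for every acquire-job line."""
    out = []
    for line in lines:
        m = ACQUIRE_RE.match(line.strip())
        if m:
            out.append((m.group("ts"), m.group("src"), m.group("dst"),
                        int(m.group("reqid"))))
    return out


def find_duplicate_acquires(lines):
    """Map each (src, dst) selector pair to the sorted reqids that triggered an
    acquire for it, keeping only pairs seen under more than one reqid. That is
    the situation the reply above says should not normally be possible, since
    strongSwan assigns one unique reqid per policy."""
    by_selector = defaultdict(set)
    for _ts, src, dst, reqid in parse_acquires(lines):
        by_selector[(src, dst)].add(reqid)
    return {sel: sorted(ids) for sel, ids in by_selector.items() if len(ids) > 1}


# Constructed sample: the two acquire lines from the quoted log (each on one
# line) plus an unrelated acquire for a different selector under a single reqid.
SAMPLE_LOG = """\
Nov 22 11:27:29 14[KNL] received an SADB_ACQUIRE
Nov 22 11:27:29 14[KNL] creating acquire job for policy 192.168.1.1/32 === 192.168.1.2/32 with reqid {2}
Nov 22 11:27:29 16[MGR] checkout IKE_SA by config
Nov 22 11:27:29 14[KNL] received an SADB_ACQUIRE
Nov 22 11:27:29 14[KNL] creating acquire job for policy 192.168.1.1/32 === 192.168.1.2/32 with reqid {1}
Nov 22 11:27:30 14[KNL] creating acquire job for policy 10.0.0.0/24 === 10.0.1.0/24 with reqid {3}
""".splitlines()

if __name__ == "__main__":
    for (src, dst), reqids in find_duplicate_acquires(SAMPLE_LOG).items():
        print(f"selector {src} === {dst} acquired under reqids {reqids}")
```

Feeding a full charon log through `find_duplicate_acquires` gives the list of selector pairs to look at when tracking down where the second reqid is coming from.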

