[strongSwan] restart action on redundant CHILD_SAs

Stephen Pisano pisano at alcatel-lucent.com
Tue Aug 23 23:05:11 CEST 2011


Hi:

We have found a message sequencing error scenario which yields
unexpected/undesirable behavior:

1. An established IKE_SA has an established CHILD_SA, with a non-strongSwan
gateway.
2. During rekeying, at the point there are two established CHILD_SAs, the
old and the new CHILD_SAs, a request is received from the peer to DELETE the
IKE_SA.
3. Our strongSwan is configured to automatically restart.
4. It dutifully restarts the IKE_SA and CHILD_SAs that currently exist, even
though the old one is an artifact of an incomplete rekey sequence.

Do you agree this is an issue?


Some thoughts on fixing it:

Inspiration comes from a fix for a similar issue:

http://wiki.strongswan.org/projects/strongswan/repository/revisions/2f57e6da0e83a3e64e36dd2559b2579b9b1e32a2

Where a CHILD_SA's close action was "adjusted" so that it is not recreated
upon restart.  

In our error scenario, could this same technique be used on the "Old" SA
(the one being rekeyed) to prevent a restart action on it?

That is, when a new SA is created for a policy, the old SA's action (for the
same policy) would be set to "NONE".

What do you think?

Thanks,
Stephen
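
The scenario and proposed adjustment described in the message above, as an added example that is not part of the original post and is not strongSwan code. It is a simplified model: every type, function and policy name in it is hypothetical, and the SA table is constructed sample data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not strongSwan code: all names are hypothetical. */
typedef enum { ACT_NONE, ACT_RESTART } close_action_t;

typedef struct {
    const char *policy;     /* policy the CHILD_SA was negotiated for */
    close_action_t action;  /* what to do when the SA is closed */
} child_sa_t;

/* Proposed adjustment: once a new CHILD_SA exists for a policy, older SAs
 * for the same policy lose their restart action. */
static void on_child_created(child_sa_t *sas, size_t n, size_t new_idx, int apply_fix)
{
    if (!apply_fix)
        return;
    for (size_t i = 0; i < n; i++)
        if (i != new_idx && strcmp(sas[i].policy, sas[new_idx].policy) == 0)
            sas[i].action = ACT_NONE;
}

/* Peer deleted the IKE_SA: count the CHILD_SAs that would be re-initiated. */
static size_t restart_count(const child_sa_t *sas, size_t n)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (sas[i].action == ACT_RESTART)
            count++;
    return count;
}

/* IKE_SA DELETE arrives while old and new CHILD_SA coexist mid-rekey. */
static size_t simulate(int apply_fix)
{
    child_sa_t sas[] = {            /* constructed sample table */
        { "host-host", ACT_RESTART },   /* unrelated policy, must survive */
        { "net-net",   ACT_RESTART },   /* old SA, currently being rekeyed */
        { "net-net",   ACT_RESTART },   /* new SA produced by the rekey */
    };
    size_t n = sizeof(sas) / sizeof(sas[0]);
    on_child_created(sas, n, 2, apply_fix);
    return restart_count(sas, n);
}

int main(void)
{
    printf("restarted without adjustment: %zu\n", simulate(0));
    printf("restarted with adjustment:    %zu\n", simulate(1));
    return 0;
}
```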




