[strongSwan] Deleting connections

Mike Spengler mks at foobox.com
Mon Feb 28 06:37:38 CET 2011


We run StrongSwan in an embedded system and get IKE configuration data from our 
internal config mgr, which I turn into an ipsec.conf file. When changes occur I 
just generate a new ipsec.conf and call 'ipsec update' to effect the changes. 
All of our connections are IKEv2 and use 'auto=route'.

When a connection is deleted, I want any existing policies and IKE sessions for 
that connection to be deleted, which doesn't happen with the 'ipsec update'. I 
have used the patch below in StrongSwan 4.4.1, which seemed to work as desired. 
However, when used with 4.5.1 I'm getting charon crashes. It appears that two 
separate threads are working on the same connection, with one thread destroying 
the ike_sa.

Feb 27 14:15:07 switch charon: 02[CFG] received stroke: delete connection 'Policy_S0P0ipsec0sa0'
Feb 27 14:15:07 switch charon: 02[CFG] deleted connection 'Policy_S0P0ipsec0sa0'
Feb 27 14:15:07 switch charon: 02[CFG] received stroke: unroute 'Policy_S0P0ipsec0sa0'
Feb 27 14:15:07 switch charon: 02[KNL] deleting policy 2001:db8:1:1::1/128 === 2001:db8:f:1::1/128 out
Feb 27 14:15:08 switch charon: 02[KNL] deleting policy 2001:db8:f:1::1/128 === 2001:db8:1:1::1/128 in
Feb 27 14:15:08 switch charon: 08[CFG] received stroke: terminate 'Policy_S0P0ipsec0sa0'
Feb 27 14:15:08 switch charon: 08[MGR] checkout IKE_SA by ID
Feb 27 14:15:08 switch charon: 08[MGR] IKE_SA Policy_S0P0ipsec0sa0[1] successfully checked out
Feb 27 14:15:08 switch charon: 02[IKE] <Policy_S0P0ipsec0sa0|1> destroying IKE_SA in state CONNECTING without notification
Feb 27 14:15:08 switch charon: 02[MGR] <Policy_S0P0ipsec0sa0|1> checkin and destroy IKE_SA Policy_S0P0ipsec0sa0[1]
Feb 27 14:15:08 switch charon: 02[IKE] <Policy_S0P0ipsec0sa0|1> IKE_SA Policy_S0P0ipsec0sa0[1] state change: CONNECTING => DESTROYING
Feb 27 14:15:08 switch charon: 02[MGR] check-in and destroy of IKE_SA successful
Feb 27 14:15:13 switch charon: 03[JOB] got event, queuing job for execution
Feb 27 14:15:13 switch charon: 03[JOB] no events, waiting
<charon crashes here>

The crash is in thread 08 in the DBG2 processing below, because the thread's 
ike_sa value is set to the now-deleted ike_sa_t.

METHOD(ike_sa_manager_t, checkout, ike_sa_t*,
     private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id)
{
     ike_sa_t *ike_sa = NULL;
     entry_t *entry;
     u_int segment;

     DBG2(DBG_MGR, "checkout IKE_SA");


If there is a better way for me to get the policy and sessions deleted, I'd be 
interested in that. Otherwise, any pointers to help track down the crashes would 
be greatly appreciated.

Thanks.
-mike


Here's the patch we are using:

diff --git a/src/starter/starter.c b/src/starter/starter.c
index c3ba54f..19910d1 100644
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -463,6 +463,8 @@ int main (int argc, char **argv)
                         if (starter_charon_pid())
                         {
                             starter_stroke_del_conn(conn);
+                           starter_stroke_unroute_conn(conn);
+                           starter_stroke_terminate_conn(conn);
                         }
                         if (starter_pluto_pid())
                         {
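Review bot: the two new stroke messages are sent after starter_stroke_del_conn(conn), so charon receives "delete connection" first and only then "unroute" and "terminate" for a connection it has already dropped; the log above shows exactly that order (delete, unroute, terminate) with thread 02 destroying the IKE_SA while thread 08 still has it checked out for the terminate. Send starter_stroke_terminate_conn and starter_stroke_unroute_conn before starter_stroke_del_conn, so the IKE_SA and the trap policies are torn down while the connection still exists, and remove the config last.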
@@ -548,6 +550,8 @@ int main (int argc, char **argv)
                             if (starter_charon_pid())
                             {
                                 starter_stroke_del_conn(conn);
+                               starter_stroke_unroute_conn(conn);
+                               starter_stroke_terminate_conn(conn);
                             }
                             if (starter_pluto_pid())
                             {
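Review bot: this is the same three-call sequence as in the first hunk, copied into a second code path; both sites should call one static helper (for example a starter_stroke_remove_conn(conn) that does terminate, unroute, then del_conn in that order) so the ordering fix is made once and the two paths cannot drift apart. The same concern as above applies here: with del_conn issued first, the unroute and terminate race charon's own teardown of the deleted connection.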
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index 9c69ab9..5918f0d 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -301,6 +301,16 @@ int starter_stroke_route_conn(starter_conn_t *conn)
     return send_stroke_msg(&msg);
  }

+int starter_stroke_unroute_conn(starter_conn_t *conn)
+{
+   stroke_msg_t msg;
+
+   msg.type = STR_UNROUTE;
+   msg.length = offsetof(stroke_msg_t, buffer);
+   msg.unroute.name = push_string(&msg, connection_name(conn));
+   return send_stroke_msg(&msg);
+}
+
  int starter_stroke_initiate_conn(starter_conn_t *conn)
  {
     stroke_msg_t msg;
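Review bot: starter.c now calls starter_stroke_unroute_conn, but this diff adds no declaration for it; the header that declares starter_stroke_route_conn is not touched, so either add the prototype there or the calls in starter.c compile against an implicit declaration. The body itself follows the pattern of starter_stroke_route_conn immediately above it (type, length set to offsetof(stroke_msg_t, buffer), name pushed with push_string, send_stroke_msg), which is fine, but note that msg is an uninitialised stack struct and only type, length and unroute.name are set.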
@@ -311,6 +321,16 @@ int starter_stroke_initiate_conn(starter_conn_t *conn)
     return send_stroke_msg(&msg);
  }

+int starter_stroke_terminate_conn(starter_conn_t *conn)
+{
+   stroke_msg_t msg;
+
+   msg.type = STR_TERMINATE;
+   msg.length = offsetof(stroke_msg_t, buffer);
+   msg.terminate.name = push_string(&msg, connection_name(conn));
+   return send_stroke_msg(&msg);
+}
+
  int starter_stroke_add_ca(starter_ca_t *ca)
  {
     stroke_msg_t msg;
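Review bot: this function is a duplicate of starter_stroke_unroute_conn differing only in STR_TERMINATE and the terminate.name member; a shared static helper taking the stroke type and the union member to fill would remove the duplication. Its prototype is also missing from the diff, as with starter_stroke_unroute_conn. Note too that the terminate is by connection name and is sent for every deleted connection, including auto=route connections that never negotiated an IKE_SA, and its return value, like that of starter_stroke_del_conn, is ignored by the callers in starter.c.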


-mike
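A way to get the same teardown without patching starter, as an added example that is not from the post or from strongSwan: have the config manager side compare the installed ipsec.conf with the newly generated one and, for each conn section that disappeared, issue 'ipsec unroute' and 'ipsec down' (the stroke "unroute" and "terminate" messages the patch sends) before 'ipsec update'. The function and variable names are illustrative, the sample configs in the usage are constructed, and IPSEC is assumed to point at the stroke-based ipsec script with its unroute, down and update subcommands.

```shell
#!/bin/sh
# Added example (not from the original post or from strongSwan).
# Tear down connections removed from a regenerated ipsec.conf before calling
# 'ipsec update', which by itself leaves their trap policies and IKE_SAs alone.
# Assumes the stroke-based 'ipsec' script; override IPSEC (e.g. IPSEC=echo)
# for a dry run.

: "${IPSEC:=ipsec}"

# Print the names of the 'conn' sections in file $1, one per line,
# skipping the %default section.
conn_names() {
    sed -n 's/^conn[[:space:]]\{1,\}\([^[:space:]#]\{1,\}\).*/\1/p' "$1" \
        | grep -v '^%default$' | sort -u
}

# Print conn names present in the old config ($1) but absent from the new ($2).
removed_conns() {
    old=$(mktemp); new=$(mktemp)
    conn_names "$1" > "$old"
    conn_names "$2" > "$new"
    comm -23 "$old" "$new"
    rm -f "$old" "$new"
}

# $1 = installed ipsec.conf, $2 = freshly generated ipsec.conf.
# Order matters: unroute (drop trap/installed policies) and down (terminate
# any IKE_SA) while the connection still exists in charon, then install the
# new file and let 'ipsec update' remove the config.
teardown_removed_and_update() {
    removed_conns "$1" "$2" | while IFS= read -r name; do
        [ -n "$name" ] || continue
        $IPSEC unroute "$name"
        $IPSEC down "$name"
    done
    cp "$2" "$1"
    $IPSEC update
}
```

The sed expression only recognises section headers of the form `conn NAME`, which is how a generated ipsec.conf will look; 'ipsec down' on a connection that never had an IKE_SA is harmless, so it is issued for every removed conn rather than trying to track SA state from outside charon.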