[strongSwan] Configuration Payload for IP Address Assignment Error Cases

Martin Willi martin at strongswan.org
Tue Jun 26 18:04:08 CEST 2012


Hi Stephen,

> 2. the SeGW replies with an INTERNAL_ADDRESS_FAILURE notification

This is how a responder should behave if it doesn't hand out internal
addresses. As a client, strongSwan does not create an associated
CHILD_SA, because the gateway usually does not include the SA/TS
payloads with this error.

By default, strongSwan keeps the IKE_SA up, unless the strongswan.conf
option charon.close_ike_on_child_failure is set to yes.

> 1. the SeGW replies with an configuration payload reply containing and
> "empty" address (length = 0)

strongSwan interprets this as a 0.0.0.0 address, but still tries to
install it. This seems to be rather problematic with our netlink kernel
interface. The kernel seems to ACK the installation, but does never
confirm it by sending a notification. As we have to wait for this
confirmation to go on with the CHILD_SA installation, the thread hangs.

I've pushed a patch [1] that improves the situation by just ignoring the
virtual IP, changing the behavior to the description below.

> 3. the SeGW does not generates a configuration payload reply nor a
> failure notification (e.g., it does not provide any support for
> configuration payload)

It depends on how the responder narrows the Traffic Selector for the
client. If it gets narrowed to the physical IP (or something that
contains it), the CHILD_SA will get established using this IP for the
local IPsec policy.

Regards
Martin

[1]http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=5def45b8





More information about the Users mailing list