[strongSwan] HA plugin: stopping charon does not remove IKE_SA/CHILD_SA from other nodes
Emeric POUPON
emeric.poupon at stormshield.eu
Tue Mar 3 17:36:13 CET 2015
Ok, I found my problem.
I replaced the UDP socket implementation of the HA plugin with mine (based on corosync and recv/send queues).
When I send an HA message, I queue a job to perform the actual job.
But strongSwan's shutdown prevents the job from being executed:
In src/libcharon/daemon.c:
	/**
	 * Clean up all daemon resources
	 */
	static void destroy(private_daemon_t *this)
	{
		/* terminate all idle threads */
		lib->processor->set_threads(lib->processor, 0);
		/* make sure nobody waits for a DNS query */
		lib->hosts->flush(lib->hosts);
		/* close all IKE_SAs */
		if (this->public.ike_sa_manager)
		{
			this->public.ike_sa_manager->flush(this->public.ike_sa_manager);
		}
		if (this->public.traps)
		{
			this->public.traps->flush(this->public.traps);
		}
		if (this->public.sender)
		{
			this->public.sender->flush(this->public.sender);
		}
		/* cancel all threads and wait for their termination */
		lib->processor->cancel(lib->processor);
If I terminate idle threads just before cancelling threads, the job is executed and it works as expected: the SAs are deleted on the passive node.
Not sure it is the correct fix for that problem though?
Best Regards,
Emeric
----- Original Message -----
From: "Emeric POUPON" <emeric.poupon at stormshield.eu>
To: "Martin Willi" <martin at strongswan.org>
Cc: users at lists.strongswan.org
Sent: Monday, 2 March 2015 10:45:03
Subject: Re: [strongSwan] HA plugin: stopping charon does not remove IKE_SA/CHILD_SA from other nodes
>> In that particular configuration (no monitoring/heartbeat) stopping
>> charon on the active node should clear the connections on the remote
>> gateway (OK) and on the other node (not OK), right?
>
> The active node will delete the IKE_SA, and send a close event to the
> passive node.
>
That is what I don't understand: I don't see the close event on the passive node.
Therefore the IKE SA and its associated CHILD SA stay in the passive node. Maybe I have missed something?
Regards,
Emeric
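The shutdown ordering discussed in this message, as an added example that is not part of the original post and not strongSwan code: a toy pthread worker pool in which jobs queued after the workers are told to stop never run and are discarded, while jobs queued and drained before the stop are all sent. The names pool_t, worker and shutdown_pool are hypothetical, the drain wait is this example's own choice to make the result deterministic, and the dropped count is the value a shutdown path could log to notice lost HA sync messages.

```c
#include <pthread.h>
#include <stdio.h>
/* Toy worker pool for illustration; hypothetical names, not strongSwan's API. */
typedef struct {
	pthread_mutex_t mu; pthread_cond_t cv;
	int queued, sent, desired, live;
} pool_t;

static void *worker(void *arg)
{
	pool_t *p = arg;
	pthread_mutex_lock(&p->mu);
	while (p->desired >= p->live) {	/* run only while the pool wants us */
		if (p->queued > 0) { p->queued--; p->sent++; pthread_cond_broadcast(&p->cv); }
		else pthread_cond_wait(&p->cv, &p->mu);
	}
	p->live--;			/* told to stop: exit without taking a job */
	pthread_mutex_unlock(&p->mu);
	return NULL;
}

/* Returns HA delete messages sent; *dropped gets jobs still queued at exit. */
static int shutdown_pool(int stop_first, int sas, int *dropped)
{
	pool_t p = { .mu = PTHREAD_MUTEX_INITIALIZER, .cv = PTHREAD_COND_INITIALIZER,
	             .desired = 2, .live = 2 };
	pthread_t t[2]; int i;
	for (i = 0; i < 2; i++) pthread_create(&t[i], NULL, worker, &p);
	pthread_mutex_lock(&p.mu);
	if (stop_first) p.desired = 0;	/* workers told to stop before the flush */
	p.queued += sas;		/* flush: one HA delete job per SA */
	pthread_cond_broadcast(&p.cv);
	while (!stop_first && p.queued > 0)	/* drain while workers still run */
		pthread_cond_wait(&p.cv, &p.mu);
	p.desired = 0;			/* final stop: leftovers are never run */
	pthread_cond_broadcast(&p.cv);
	pthread_mutex_unlock(&p.mu);
	for (i = 0; i < 2; i++) pthread_join(t[i], NULL);
	*dropped = p.queued;
	return p.sent;
}

int main(void)
{
	int dropped, sent = shutdown_pool(1, 3, &dropped);
	printf("stop first:  sent=%d dropped=%d\n", sent, dropped);
	sent = shutdown_pool(0, 3, &dropped);
	printf("drain first: sent=%d dropped=%d\n", sent, dropped);
}
```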