[strongSwan] HA plugin: stopping charon does not remove IKE_SA/CHILD_SA from other nodes

Emeric POUPON emeric.poupon at stormshield.eu
Thu Mar 26 15:12:51 CET 2015 

Well, actually this is not a correct fix.
I have hit a case when we do receive and process messages from the network while destroying everything...
As a result, we renegotiate a connection and silently shutdown right after that, which is really annoying since the remote host has to make use of the DPD mechanism to detect the failure.

What do you think?

Regards,

Emeric

----- Mail original -----
De: "Emeric POUPON" <emeric.poupon at stormshield.eu>
À: "Martin Willi" <martin at strongswan.org>
Cc: users at lists.strongswan.org
Envoyé: Mardi 3 Mars 2015 17:36:13
Objet: Re: [strongSwan] HA plugin: stopping charon does not remove IKE_SA/CHILD_SA from other nodes

Ok, I found my problem.
I replaced the UDP socket implementation of the HA plugin with mine (based on corosync and recv/send queues).
When I send a HA message, I queue a job to perform the actual job.

But the stronswan's shutdown prevents the job to be executed:

In src/libcharon/daemon.c:
/**
 * Clean up all daemon resources
 */
static void destroy(private_daemon_t *this)
{
        /* terminate all idle threads */
        lib->processor->set_threads(lib->processor, 0);
        /* make sure nobody waits for a DNS query */
        lib->hosts->flush(lib->hosts);
        /* close all IKE_SAs */
        if (this->public.ike_sa_manager)
        {
                this->public.ike_sa_manager->flush(this->public.ike_sa_manager);
        }
        if (this->public.traps)
        {
                this->public.traps->flush(this->public.traps);
        }
        if (this->public.sender)
        {
                this->public.sender->flush(this->public.sender);
        }
    
        /* cancel all threads and wait for their termination */
        lib->processor->cancel(lib->processor);

If I terminate idle threads just before cancelling threads, the job is being executed and it works as expected: the SA are being deleted on the passive node.
Not sure it is the correct fix for that problem though?

Best Regards,

Emeric

----- Mail original -----
De: "Emeric POUPON" <emeric.poupon at stormshield.eu>
À: "Martin Willi" <martin at strongswan.org>
Cc: users at lists.strongswan.org
Envoyé: Lundi 2 Mars 2015 10:45:03
Objet: Re: [strongSwan] HA plugin: stopping charon does not remove IKE_SA/CHILD_SA from other nodes

>> In that particular configuration (no monitoring/heartbeat) stopping
>> charon on the active node should clear the connections on the remote
>> gateway (OK) and on the other node (not OK), right?
>
>The active node will delete the IKE_SA, and send a close event to the
>passive node.
>

That is what I don't understand: I don't see the close event on the passive node.
Therefore the IKE SA and its associated CHILD SA stay in the passive node. Maybe I have missed something?

Regards,

Emeric

_______________________________________________
Users mailing list
Users at lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

More information about the Users mailing list