[strongSwan] more info in log message "deleting half open IKE_SA after timeout"

Stauffer Walter (Galexis) walter.stauffer at galexis.com
Wed Feb 22 17:03:44 CET 2017


Hi All, 

I made the following modification to our strongSwan installation (5.3.5): 

+++ ./src/libcharon/processing/jobs/delete_ike_sa_job.c 2017-02-22 16:02:04.971231122 +0100
@@ -93,7 +93,7 @@
                        }
                        else
                        {
-                               DBG1(DBG_JOB, "deleting half open IKE_SA after timeout");
+                               DBG1(DBG_JOB, "deleting half open IKE_SA with %H after timeout", ike_sa->get_other_host(ike_sa));
                                charon->bus->alert(charon->bus, ALERT_HALF_OPEN_TIMEOUT);
                                charon->ike_sa_manager->checkin_and_destroy(
                                                                                                charon->ike_sa_manager, ike_sa);

It compiles, it runs, and it logs the desired information (address of the partner) .. 

But since I'm not familiar with the code, I may have introduced a bug. 
So any feedback would be very welcome. 


Story behind this: our Internet provider rate-limits UDP fragments (!!!) at its peering points 
(to fend off or mitigate certain attacks). 

We use the Windows built-in IKEv2 capabilites which unfortunately use UDP fragmentation 
(do not support RFC 7383) and have been bitten by this rate-limiting. 

Indicator for the problem are lots of "deleting half open IKE_SA after timeout" messages 
(of which we are notified, besides support calls for non working home office VPNs). 

With the patch, I hope to be able to see if it's one of "our" clients failing to connect because 
of e.g. fragments being dropped, or it's some scan attempt "from far away". 

If the patch is considered useful, feel free to add it. 

Best regards, 
Walter 



More information about the Users mailing list