[Openswan dev] Phase 2 Negotiation Reliability
Herbert Xu
herbert at gondor.apana.org.au
Mon Aug 16 11:14:17 CEST 2004
Hi:
I've got a problem with the reliability of establishing phase 2 SAs.
The problem is as follows. For whatever reason (congestion is probably
the cause), the link between the two Openswan peers is fairly lossy
when the negotiations occur. Due to a flaw in the IKE protocol, this
tends to cause the SA to be up on the initiator side, but down on the
responder side.
What happens is that the initiator will transmit its first Quick Mode
message. The responder will of course send back the second Quick Mode
message. Should there be any packet loss at this stage the initiator
will essentially retransmit forever. Once that gets through the
initiator will transmit the final message and consider the SA to be
established.
However, on the responder side the SA won't be established until the
final message is received. If the final message is lost then the
responder will retransmit MAXIMUM_RETRANSMISSIONS (== 3) times. After
that it gives up and deletes the state.
At this point the SA is established on the initiator but not on the
responder.
Normally this will correct itself at the next rekeying. Unfortunately
that may be a long time away on the initiator side.
Even DPD doesn't help since it only tests the liveliness of the peer
which will be successful in this case as the Phase 1 SA is up.
Now I know that IKEv2 solves the problem by always having an even
number of messages. But can someone think of a solution that we
can implement right now?
Lowering the Phase 2 lifetime is not an option since we have to support
a very large number of tunnels on the responder side.
The simplest thing we've come up with is to raise MAXIMUM_RETRANSMISSIONS
which makes the problem less likely.
Thanks,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
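To make the asymmetry concrete, here is a small simulation of the Quick Mode exchange as the post describes it. This is an added illustration, not code from Herbert's message or from Openswan; the constant name MAXIMUM_RETRANSMISSIONS comes from the post, but the state machine is a model of the described behaviour, not Pluto's implementation. It assumes that a responder seeing a duplicate QM1 resends QM2, that an initiator seeing a retransmitted QM2 resends QM3, and that the initiator's own QM1 retransmission is uncapped, as the post states. The loss schedule is constructed for the example.

```python
"""Toy simulation of the IKEv1 Quick Mode three-message exchange over a
lossy link.  Added example, not Openswan code; it models the behaviour the
post describes rather than Pluto's actual implementation."""

from typing import List, Tuple

# Mirrors the constant named in the post; the post gives its value as 3.
MAXIMUM_RETRANSMISSIONS = 3


def run_quick_mode(drop_schedule: List[bool],
                   max_retransmissions: int = MAXIMUM_RETRANSMISSIONS,
                   max_stage1_rounds: int = 100) -> Tuple[bool, bool, List[str]]:
    """Return (initiator_sa_up, responder_sa_up, trace).

    drop_schedule is a constructed list consumed one entry per transmitted
    packet; True means the link drops that packet.  Once the list is used up
    every further packet is delivered, so a schedule only needs to cover the
    loss burst of interest.
    """
    drops = iter(drop_schedule)
    trace: List[str] = []

    def send(msg: str) -> bool:
        dropped = next(drops, False)
        trace.append(f"{msg}: {'lost' if dropped else 'delivered'}")
        return not dropped

    # Stage 1: QM1/QM2.  As the post says, the initiator keeps retransmitting
    # QM1 until it gets QM2 (bounded here only so the simulation terminates).
    # Assumption: a responder that sees a duplicate QM1 resends QM2.
    for _ in range(max_stage1_rounds):
        if send("QM1") and send("QM2"):
            break
    else:
        raise RuntimeError("stage 1 never completed")

    # Stage 2: the initiator answers QM2 with QM3 and, at that moment,
    # considers the SA established whether or not QM3 ever arrives.
    initiator_up = True
    if send("QM3"):
        return initiator_up, True, trace

    # The responder is still waiting for QM3 and retransmits QM2 up to
    # max_retransmissions times.  Assumption: each retransmitted QM2 that
    # arrives makes the initiator resend QM3.
    for attempt in range(1, max_retransmissions + 1):
        if send(f"QM2 retransmit {attempt}") and send(f"QM3 resend {attempt}"):
            return initiator_up, True, trace

    # Retries exhausted: the responder deletes its state.  The initiator is
    # not told, so the tunnel stays half-up until the initiator rekeys.
    trace.append("responder: retransmissions exhausted, state deleted")
    return initiator_up, False, trace


def stranded_probability(p: float, max_retransmissions: int) -> float:
    """Probability that an exchange which reached QM3 ends half-up, for an
    independent per-packet loss probability p.  The first QM3 must be lost,
    and every retry must then fail; a retry succeeds only when both the
    retransmitted QM2 and the resent QM3 get through."""
    retry_success = (1.0 - p) ** 2
    return p * (1.0 - retry_success) ** max_retransmissions


if __name__ == "__main__":
    # Constructed loss burst: QM1 and QM2 go through, then every QM3 is lost
    # while every retransmitted QM2 is delivered.
    burst = [False, False, True, False, True, False, True, False, True]
    for limit in (3, 4):
        init_up, resp_up, trace = run_quick_mode(burst, max_retransmissions=limit)
        print(f"MAXIMUM_RETRANSMISSIONS={limit}: initiator up={init_up}, "
              f"responder up={resp_up}")
        for line in trace:
            print("  ", line)
    for limit in (3, 6, 10):
        print(f"p=0.3, limit={limit}: P(half-up) = "
              f"{stranded_probability(0.3, limit):.4f}")
```

Running it shows the failure mode from the post: with the limit at 3 the same loss burst leaves the initiator up and the responder deleted, while a limit of 4 survives it. The closed-form estimate shows why raising the limit only makes the problem less likely rather than impossible: the half-up probability shrinks geometrically with the retry count but never reaches zero for a lossy link.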