[Openswan dev] Yet another DPD issue

Mark-Andre Hopf mhopf at innominate.com
Mon Jul 16 10:42:23 EDT 2007


On Fri 13.07. 11:23, Mark-Andre Hopf wrote:

> We have a report of a scenario where DPD won't restart a connection when the
> IPsec SA is being replaced while the peer was unavailable.
> 
> Here is a possible explanation:
> 
> When looking at the code of Openswan 2.4.7 I see that DPD is initiated in
> quick_inR1_outI2 and quick_inI2 and deleted when the related SA is deleted
> or replaced, which is the IPsec SA.
> 
> Now assume that the IPsec SA expires, EVENT_DPD is deleted and at this
> moment the peer is rebooted, which is configured to wait for an incoming
> connection.
> 
> Now one has to wait until the ISAKMP SA keys expire before the IPsec
> connection can be used again.

My assumption was right. Here is a description of how to reproduce the
issue:

o One peer acts as Responder (does not initiate the connections) using
  default lifetimes and DPD settings.

o One peer acts as Initiator with ISAKMP SA lifetime of 1h, IPsec SA
  lifetime of 60s.

o Establish the connection

o On the Initiator execute 'whack --listevents':

  002 It is now: 946692973 seconds since epoch
  002 event EVENT_SA_REPLACE is schd: 946693027 (in 54s) state:55
  002     connection: "v000_001"
  002 event EVENT_NAT_T_KEEPALIVE is schd: 946693065 (in 92s) state:-1
  002 event EVENT_SHUNT_SCAN is schd: 946693071 (in 98s) state:-1
  002 event EVENT_PENDING_PHASE2 is schd: 946693071 (in 98s) state:-1
  002 event EVENT_DPD is schd: 946693267 (in 294s) state:55
  002     connection: "v000_001"
  002 event EVENT_REINIT_SECRET is schd: 946696311 (in 3338s) state:-1
  002 event EVENT_SA_REPLACE is schd: 946696567 (in 3594s) state:54
  002     connection: "v000_001"
  002 event EVENT_LOG_DAILY is schd: 946771200 (in 78227s) state: -1

o The EVENT_SA_REPLACE event with 54s is the IPsec SA. When there are only
  5s left, power-cycle the Responder at once. (Assuming that it takes more
  than 5s for Pluto to be ready again ;) .)

o Execute 'whack --listevents' again:

  002 It is now: 946693028 seconds since epoch
  002 event EVENT_RETRANSMIT is schd: 946693037 (in 9s) state:56
  002     connection: "v000_001"
  002 event EVENT_NAT_T_KEEPALIVE is schd: 946693065 (in 37s) state:-1
  002 event EVENT_SHUNT_SCAN is schd: 946693071 (in 43s) state:-1
  002 event EVENT_PENDING_PHASE2 is schd: 946693071 (in 43s) state:-1
  002 event EVENT_REINIT_SECRET is schd: 946696311 (in 3283s) state:-1
  002 event EVENT_SA_REPLACE is schd: 946696567 (in 3539s) state:54
  002     connection: "v000_001"
  002 event EVENT_LOG_DAILY is schd: 946771200 (in 78172s) state:-1

=> There are no active DPD events and the connection will remain dead until
   the ISAKMP SA expires in 3539s.

Mark

-- 
Dipl.-Inf. Mark-André Hopf
Senior Software Engineer
Innominate Security Technologies AG
protecting industrial networks
tel: +49.30.6392-3284
fax: +49.30.6392-3307
Albert-Einstein-Str. 14
D-12489 Berlin, Germany
www.innominate.com

Register Court: AG Charlottenburg, HR B 81603
Management Board: Joachim Fietz, Dirk Seewald
Chairman of the Supervisory Board: Edward M. Stadum