[Openswan dev] DPD issue with multiple tunnels between two peers
mhopf at innominate.com
Thu Jun 14 10:39:24 EDT 2007
I know that DPD is supposed to be broken under certain conditions,
especially when working with more than one connection between two peers.
Some trouble can can be avoided by using 'restart_by_peer' instead of
'restart' or 'hold'. (This is http://bugs.xelerance.com/view.php?id=729)
Now we recently stumbled into the following interesting scenario with
Openswan 1.0.x and 2.4.7. (This might be related to
o Set up two VPN tunnels between two Openswan gateways, one acting as a
responder (does not initiate, X.509 certs and %any as remote peer),
the other as an initiator (with DPD set to restart_by_peer).
o After the initiation the ISAKMP SA is shared by both IPsec SAs.
(Ensure that the ISAKMP SAs on both peers belong to the same pair of
IPsec SAs. At least that's what I did, it might not be a requirement.)
o On the responder, terminate the connection owning the ISAKMP SA.
o The initiator receives a Delete Notification and terminates the ISAKMP SA
and one of its IPsec SA within 10s. Another IPsec SA remains active.
o Now kill the pluto daemon on the responder (SIGKILL!) and start Pluto again
and re-add the two connections.
(This way the IPsec SA is removed on the receiver and the client receives
no Delete Notification, which is a valid behaviour as Delete Notifications
are not retransmitted when lost.)
o The initiator will renegotiate the connection which has no IPsec SA.
o On the initiator DPD will believe that everything is fine because its
ISAKMP SA is working and it has two IPsec SAs, one being invalid.
o On the gateway one IPsec SA is missing until the next rekeying attempt of
the invalid IPsec SA.
>From what I saw in RFC 3706, DPD does not carry information about the IPsec
SA which is being watched. Is that right or is this mishandled by Openswan?
>From the logs I see that DPD is started when an IPsec SA is established, so
I guess one would expect that it also carries information about the IPsec SA
it is watching.
For a hotfix I solved the issue by restarting all IPsec SA to the same peer
if on IPsec SA received a Delete Notification, which seems to work for now.
Dipl.-Inf. Mark-André Hopf
Senior Software Engineer
Innominate Security Technologies AG
protecting industrial networks
D-12489 Berlin, Germany
Register Court: AG Charlottenburg, HR B 81603
Management Board: Joachim Fietz, Dirk Seewald
Chairman of the Supervisory Board: Edward M. Stadum
More information about the Dev