[Openswan dev] Vista rekeying workaround

Julien DELEAN julien.delean at gmail.com
Fri Jul 18 05:21:00 EDT 2008


This problem impacts us very hard...

Please help me... or tell me that my question is out of your scope :P

I only need some clue, a way to resolve this problem, and I'll work very hard
to fix it!

Julien

---------- Forwarded message ----------
From: Julien DELEAN <julien.delean at gmail.com>
Date: 2008/7/11
Subject: Vista rekeying workaround
To: dev at openswan.org


Hi,

I'm trying to write a patch in order to have long sessions with a NATed
Vista roadwarrior (on openswan 2.4.8 or 2.4.12 and netkey).

The problem is: when the transferred data volume limit is reached on the
Windows side, it starts a rekey process. It's OK with XP but it fails on
Vista. Here are the logs on the Openswan side:

Jun 12 11:56:02 xxx pluto[6962]: "roadwarrior-l2tp"[1] xx.xx.xx.xx #1: responding to Main Mode from unknown peer xx.xx.xx.xx
...
Jun 12 11:56:03 xxx pluto[6962]: "roadwarrior-l2tp"[2] xx.xx.xx.xx #2: STATE_QUICK_R2: IPsec SA established {ESP=>0xfb7982a1 <0xf516b8d0 xfrm=AES_128-HMAC_SHA1 NATD=xx.xx.xx.xx:4500 DPD=none}
Jun 12 12:18:18 xxx pluto[6962]: "roadwarrior-l2tp"[3] xx.xx.xx.xx #3: responding to Quick Mode {msgid:02000000}
Jun 12 12:18:18 xxx pluto[6962]: "roadwarrior-l2tp"[3] xx.xx.xx.xx #3: cannot install eroute -- it is in use for "roadwarrior-l2tp"[2] xx.xx.xx.xx #2


Paul has suggested writing a patch in order to allow rekeying when the
IP/port match.

I studied the Pluto source code and unsuccessfully tried some "tricks":

   - Do nothing but return route-easy when eroutes are in conflict and pray
   ;) (I know: it was stupid :P)
   - Delete old eroute:
      - with unroute() (really bad idea: the route was in use! and this
      function can't be called in this case)
      - with shunt_eroute()
      - Delete the IPsec SA of the connection which is the route-owner in order
   to "unlock" the eroute and permit replacement.


I don't know which level to focus on in order to permit rekeying: eroute,
connection, state...

Any clue or suggestion would be very much appreciated!

Best regards

Julien DELEAN
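
Added example, not part of the original post and not Openswan code: a Python sketch that scans pluto log output for the "cannot install eroute" failure quoted above and reports which earlier state owns the eroute. The sample log is constructed from the excerpt in the post, with lines unwrapped and the host name and peer address replaced by the assumed placeholder values "gw" and 192.0.2.10.

```python
import re

# Constructed sample, modelled on the log excerpt in the post (lines unwrapped,
# host name and peer address replaced with placeholder values).
SAMPLE_LOG = """\
Jun 12 11:56:02 gw pluto[6962]: "roadwarrior-l2tp"[1] 192.0.2.10 #1: responding to Main Mode from unknown peer 192.0.2.10
Jun 12 11:56:03 gw pluto[6962]: "roadwarrior-l2tp"[2] 192.0.2.10 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0xfb7982a1 <0xf516b8d0 xfrm=AES_128-HMAC_SHA1 NATD=192.0.2.10:4500 DPD=none}
Jun 12 12:18:18 gw pluto[6962]: "roadwarrior-l2tp"[3] 192.0.2.10 #3: responding to Quick Mode {msgid:02000000}
Jun 12 12:18:18 gw pluto[6962]: "roadwarrior-l2tp"[3] 192.0.2.10 #3: cannot install eroute -- it is in use for "roadwarrior-l2tp"[2] 192.0.2.10 #2
"""

# Per-state message layout seen in the excerpt: "conn"[instance] peer #state: text
LINE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$')
CONFLICT = re.compile(
    r'cannot install eroute -- it is in use for '
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<state>\d+)')


def find_rekey_conflicts(log_text):
    """Return one record per eroute conflict, with the state that owns the eroute."""
    established = {}   # state number -> timestamp of its "IPsec SA established" line
    conflicts = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue   # "..." elisions and unrelated daemon lines
        if "IPsec SA established" in m["msg"]:
            established[m["state"]] = m["ts"]
        c = CONFLICT.search(m["msg"])
        if c:
            conflicts.append({
                "time": m["ts"],
                "conn": m["conn"],
                "peer": m["peer"],
                "new_state": int(m["state"]),
                "owner_state": int(c["state"]),
                "owner_established": established.get(c["state"]),
                # Same connection name and peer address as the owner: consistent
                # with a rekey from the same client (the log line carries no port).
                "same_peer": c["conn"] == m["conn"] and c["peer"] == m["peer"],
            })
    return conflicts


if __name__ == "__main__":
    for rec in find_rekey_conflicts(SAMPLE_LOG):
        print(rec)
```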