[Openswan dev] Network Time Protocol and openswan

hiren joshi joshihirenn at gmail.com
Thu Sep 11 01:22:27 EDT 2008


Hello,

I want to implement Network Time Protocol client on a machine running openswan.

NTP client corrects the time by *SETTING* it if the time drift is > 43 seconds.

The following are my sample experiments to analyze the effect of this
change in time on openswan:

-------------------------------------------------------------
With the parameter: ikelifetime

Test case: Advance the clock by a few seconds
ikelifetime(x) = ikelifetime(y), rekey(x) = yes, rekey(y) = no,
rekeymargin(x) = rekeymargin(y) = 1, nodpd, tunnel initiator: y
Observation: For existing SA, openswan sends delete SA payload to peer
early and starts negotiating new SA

Test case: Delay the clock by a few seconds at x (x, y: IPsec peers)
ikelifetime(x) = ikelifetime(y), rekey(x) = yes, rekey(y) = no,
rekeymargin(x) = rekeymargin(y) = 1, nodpd, tunnel initiator: y,
Observation: Peer sends delete SA payload, SA is deleted and not re-negotiated.
Analysis: As the peer was set to rekey=no, and perhaps we have no
renegotiation event pending for the SA since the SA itself is deleted,
there was no renegotiation from either side.
So the tunnel is permanently deleted (Phase 1). This can also happen
with Phase 2.

Test case: Delay the clock by a few seconds at x (x, y: IPsec peers)
ikelifetime(x) = ikelifetime(y), rekey(x) = yes, rekey(y) = no,
rekeymargin(x) = rekeymargin(y) = 1, nodpd, tunnel initiator: y,
detach the network connection of y so that we do not receive the
delete SA payload
Observation: pluto detects the amount of change in time (but
incorrectly); renegotiation is delayed.

Also tested the behavior for DPD:
Advancing time results in early declaration of peer as dead.
Delaying the time results in late declaration.
------------------------------------------------------------

Please let me know if there is anything in the roadmap that will make
openswan resilient to time changes.

Thank you.

Regards,
-hiren
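The behaviour reported above (early rekey/DPD when the clock is advanced, late rekey/DPD and a permanently dropped tunnel when it is delayed) is what any daemon sees if it stores an event's expiry as an absolute wall-clock timestamp and the NTP client steps that clock. The following is an added example, not code from the post or from openswan/pluto: a small simulation with an injectable clock that arms the same timer against a wall clock and against a monotonic clock (what CLOCK_MONOTONIC gives on Linux), applies an NTP-style step, and reports how many seconds each timer thinks it has left. The SA lifetime, rekey margin, DPD timeout and step sizes are constructed figures, and the functions and struct names are the example's own.

```c
/* Added example, not openswan/pluto code: a toy timer model showing why an
 * SA timer stored as an absolute wall-clock deadline misfires when the NTP
 * client *steps* the system clock, while the same timer kept against a
 * monotonic clock (e.g. CLOCK_MONOTONIC) is unaffected. The clocks are
 * simulated so that a step can be injected; all figures are constructed. */
#include <stdio.h>

/* Simulated clocks, in seconds. realtime models time(2)/CLOCK_REALTIME,
 * which NTP adjusts; monotonic models CLOCK_MONOTONIC, which only ever
 * advances with elapsed time. */
typedef struct {
    long long realtime;
    long long monotonic;
} sim_clock;

/* Real seconds pass: both clocks advance together. */
static void sim_elapse(sim_clock *c, long long secs) {
    c->realtime  += secs;
    c->monotonic += secs;
}

/* An NTP step: only the wall clock jumps. Positive advances it, negative
 * delays it. The monotonic clock is untouched by design. */
static void sim_ntp_step(sim_clock *c, long long delta) {
    c->realtime += delta;
}

/* Seconds left until a deadline given as an absolute reading of the clock it
 * was armed against. 0 or less means the event is due now. */
static long long remaining(long long deadline, long long now) {
    return deadline - now;
}

/* Model one of the experiments. A timer is armed for `lifetime - margin`
 * seconds after establishment (the rekey point for an SA; pass margin = 0 to
 * model a DPD timeout). After `elapsed` real seconds the NTP client steps the
 * wall clock by `step` seconds. Each function reports how many seconds the
 * timer still has to run according to the clock it was armed against. */
static long long remaining_after_step_wallclock(long long lifetime, long long margin,
                                                long long elapsed, long long step) {
    sim_clock c = { 1000000000LL, 0 };          /* arbitrary starting readings */
    long long deadline = c.realtime + (lifetime - margin);
    sim_elapse(&c, elapsed);
    sim_ntp_step(&c, step);
    return remaining(deadline, c.realtime);
}

static long long remaining_after_step_monotonic(long long lifetime, long long margin,
                                                long long elapsed, long long step) {
    sim_clock c = { 1000000000LL, 0 };
    long long deadline = c.monotonic + (lifetime - margin);
    sim_elapse(&c, elapsed);
    sim_ntp_step(&c, step);                     /* no effect on this clock */
    return remaining(deadline, c.monotonic);
}

int main(void) {
    /* ISAKMP SA: ikelifetime 3600 s, rekeymargin 540 s => rekey due at 3060 s.
     * 3000 s in, NTP steps the clock by +60 s, then (separately) by -60 s. */
    printf("rekey, clock advanced 60 s: wall-clock timer %lld s left, monotonic %lld s left\n",
           remaining_after_step_wallclock(3600, 540, 3000, 60),
           remaining_after_step_monotonic(3600, 540, 3000, 60));
    printf("rekey, clock delayed 60 s:  wall-clock timer %lld s left, monotonic %lld s left\n",
           remaining_after_step_wallclock(3600, 540, 3000, -60),
           remaining_after_step_monotonic(3600, 540, 3000, -60));
    /* DPD: 120 s without proof of liveness declares the peer dead. 60 s in,
     * the clock is advanced 60 s: the wall-clock timer declares the peer dead
     * immediately, while the monotonic timer still waits the full interval. */
    printf("dpd,   clock advanced 60 s: wall-clock timer %lld s left, monotonic %lld s left\n",
           remaining_after_step_wallclock(120, 0, 60, 60),
           remaining_after_step_monotonic(120, 0, 60, 60));
    return 0;
}
```

The delayed-clock case is the dangerous one: the wall-clock timer reports 120 s left when only 60 s remain, so this side rekeys late; if the peer has already sent its delete, there is nothing left to renegotiate and the tunnel stays down, as observed above. Arming against a monotonic clock removes the dependency on what the NTP client does to the wall clock.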
