[Openswan dev] Problems with netkey acquires.

David McCullough david_mccullough at mcafee.com
Wed Mar 10 20:04:43 EST 2010


Jivin Tuomo Soini lays it down ...
> Tuomo Soini wrote:
> > Tuomo Soini wrote:
> >> Tuomo Soini wrote:
> >>
> >>> Seem like code matching acquire to tunnel configuration is currently broken.
> >> Just fyi, commit 00ed7490af2e9adc1a936d38693c872cea1e87ba did not fix
> >> this issue on netkey.
> > 
> > David. Do you have any idea what's the problem here?
> > 
> > With 2.6.24 you get acquire states which are shown in ipsec auto
> > --status and never cleaned up.
> > 
> > It looks like your change "fixed" this but now these acquire states are
> > inserted into xfrm policy directly without matching them to loaded conns.
> > 
> 
> It seems like David's commit 00ed7490af2e9adc1a936d38693c872cea1e87ba
> fixed part of the old acquire state handling problem but accidentally
> triggered pluto to insert a wrong policy. I attached a debug log where the
> situation is shown quite clearly. The only tunnel is 87.108.67.176/32 -
> 0.0.0.0/0 in this configuration.

Ok, I need some more here I think. The logs actually looked about right to
me for some reason :-)

What is left over after this that is causing the problem ?

Looks like we add the narrow hold and the bare shunt, then initiate the
tunnel. Did it not add 87.108.67.176/32 -> 0.0.0.0/0 info somewhere? I
thought that would happen later when the tunnel came up.

Sorry, but I'm obviously missing something. The last bit of an
"ipsec auto --status" usually shows up an %acquire* problem, might help.
Netkey is not something I use a lot, so sorry if this is obvious :-)

Thanks,
Davidm


> Mar 10 22:41:36 usik pluto[1201]: | *received kernel message
> Mar 10 22:41:36 usik pluto[1201]: | netlink_get: XFRM_MSG_ACQUIRE message
> Mar 10 22:41:36 usik pluto[1201]: | add bare shunt 0x2ba58ea76110 87.108.67.176/32:0 -6-> 87.108.67.162/32:80 => %hold 0    %acquire-netlink
> Mar 10 22:41:36 usik pluto[1201]: | find_connection: looking for policy for connection: 87.108.67.176:6/0 -> 87.108.67.162:6/80
> Mar 10 22:41:36 usik pluto[1201]: | find_connection: conn "foobar" has compatible peers: 87.108.67.176/32 -> 0.0.0.0/0 [pri: 16777226]
> Mar 10 22:41:36 usik pluto[1201]: | find_connection: comparing best "foobar" [pri:16777226]{0x2ba58ea3d550} (child none) to "foobar" [pri:16777226]{0x2ba58ea3d550} (child none)
> Mar 10 22:41:36 usik pluto[1201]: | find_connection: concluding with "foobar" [pri:16777226]{0x2ba58ea3d550} kind=CK_PERMANENT
> Mar 10 22:41:36 usik pluto[1201]: | assign hold, routing was prospective erouted, needs to be erouted HOLD
> Mar 10 22:41:36 usik pluto[1201]: | eroute_connection replace %trap with broad %hold eroute 87.108.67.176/32:0 --0-> 0.0.0.0/0:0 => %hold (raw_eroute)
> Mar 10 22:41:36 usik pluto[1201]: | raw_eroute result=1 
> Mar 10 22:41:36 usik pluto[1201]: | adding specific host-to-host bare shunt
> Mar 10 22:41:36 usik pluto[1201]: | delete narrow %hold eroute 87.108.67.176/32:0 --6-> 87.108.67.162/32:80 => %hold (raw_eroute)
> Mar 10 22:41:36 usik pluto[1201]: | raw_eroute result=1 
> Mar 10 22:41:36 usik pluto[1201]: | delete bare shunt 0x2ba58ea76110 87.108.67.176/32:0 -6-> 87.108.67.162/32:80 => %hold 0    %acquire-netlink
> Mar 10 22:41:36 usik pluto[1201]: initiate on demand from 87.108.67.176:0 to 87.108.67.162:80 proto=6 state: fos_start because: acquire
> Mar 10 22:41:36 usik pluto[1201]: | duplicating state object #1
> Mar 10 22:41:36 usik pluto[1201]: | creating state object #3 at 0x2ba58ea69850
> Mar 10 22:41:36 usik pluto[1201]: | processing connection foobar
> Mar 10 22:41:36 usik pluto[1201]: | ICOOKIE:  b8 03 da e3  d3 b8 d9 7a
> Mar 10 22:41:36 usik pluto[1201]: | RCOOKIE:  eb 2f 31 b5  c4 aa df 71
> Mar 10 22:41:36 usik pluto[1201]: | state hash entry 18
> Mar 10 22:41:36 usik pluto[1201]: | inserting state object #3 on chain 18
> Mar 10 22:41:36 usik pluto[1201]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #3
> Mar 10 22:41:36 usik pluto[1201]: | event added at head of queue
> Mar 10 22:41:36 usik pluto[1201]: | processing connection foobar
> Mar 10 22:41:36 usik pluto[1201]: "foobar" #3: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1 msgid:bc3d714d proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}


-- 
David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org
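As an added example (not code from this thread or from Openswan), here is a small Python checker that walks pluto debug output of the kind quoted above and pairs each `add bare shunt` with its `delete bare shunt`, so that an acquire whose %hold is never torn down, the leftover-state symptom the thread is chasing, shows up as an unmatched flow. It also lists the broad %hold eroutes that replaced a %trap and the "initiate on demand" events, which is the sequence David describes (narrow hold and bare shunt, then initiate). The log lines are copied from the message, plus one constructed line for a second destination that has no matching delete; the function names are my own.

```python
import re

# Debug lines quoted in the thread, followed by ONE CONSTRUCTED line
# (destination 87.108.67.163:443) whose bare shunt is never deleted.
PLUTO_LOG = """\
Mar 10 22:41:36 usik pluto[1201]: | add bare shunt 0x2ba58ea76110 87.108.67.176/32:0 -6-> 87.108.67.162/32:80 => %hold 0    %acquire-netlink
Mar 10 22:41:36 usik pluto[1201]: | eroute_connection replace %trap with broad %hold eroute 87.108.67.176/32:0 --0-> 0.0.0.0/0:0 => %hold (raw_eroute)
Mar 10 22:41:36 usik pluto[1201]: | delete narrow %hold eroute 87.108.67.176/32:0 --6-> 87.108.67.162/32:80 => %hold (raw_eroute)
Mar 10 22:41:36 usik pluto[1201]: | delete bare shunt 0x2ba58ea76110 87.108.67.176/32:0 -6-> 87.108.67.162/32:80 => %hold 0    %acquire-netlink
Mar 10 22:41:36 usik pluto[1201]: initiate on demand from 87.108.67.176:0 to 87.108.67.162:80 proto=6 state: fos_start because: acquire
Mar 10 22:41:37 usik pluto[1201]: | add bare shunt 0x2ba58ea77000 87.108.67.176/32:0 -6-> 87.108.67.163/32:443 => %hold 0    %acquire-netlink
"""

# "| add bare shunt <ptr> <sip>/<len>:<sport> -<proto>-> <dip>/<len>:<dport> => ..."
SHUNT_RE = re.compile(
    r"\| (?P<op>add|delete) bare shunt (?P<ptr>0x[0-9a-f]+) "
    r"(?P<sip>[\d.]+)/\d+:(?P<sport>\d+) -(?P<proto>\d+)-> "
    r"(?P<dip>[\d.]+)/\d+:(?P<dport>\d+)"
)
# "initiate on demand from <sip>:<sport> to <dip>:<dport> proto=<n> ..."
INITIATE_RE = re.compile(
    r"initiate on demand from (?P<sip>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dip>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\d+)"
)
# "replace %trap with broad %hold eroute <src>/<len>:<port> --<proto>-> <dst>/<len>:<port>"
BROAD_HOLD_RE = re.compile(
    r"broad %hold eroute (?P<src>[\d./]+):\d+ --\d+-> (?P<dst>[\d./]+):\d+"
)


def _flow(m):
    """Normalise a regex match into a (sip, sport, dip, dport, proto) tuple."""
    return (m["sip"], int(m["sport"]), m["dip"], int(m["dport"]), int(m["proto"]))


def leftover_bare_shunts(log):
    """Flows whose 'add bare shunt' was never followed by a 'delete bare shunt'.

    Add/delete lines are paired by the shunt pointer pluto prints, which is
    what the debug output uses to identify one shunt across its lifetime.
    """
    open_shunts = {}
    for line in log.splitlines():
        m = SHUNT_RE.search(line)
        if not m:
            continue
        if m["op"] == "add":
            open_shunts[m["ptr"]] = _flow(m)
        else:
            open_shunts.pop(m["ptr"], None)
    return sorted(open_shunts.values())


def initiated_flows(log):
    """Flows for which pluto logged an on-demand initiate (the acquire was acted on)."""
    return sorted(_flow(m) for line in log.splitlines()
                  for m in [INITIATE_RE.search(line)] if m)


def broad_holds(log):
    """(src, dst) prefixes of every broad %hold eroute that replaced a %trap."""
    return [(m["src"], m["dst"]) for line in log.splitlines()
            for m in [BROAD_HOLD_RE.search(line)] if m]


def triage(log):
    """Summarise one pluto debug log: what was held, what was initiated, what is stuck."""
    leftover = leftover_bare_shunts(log)
    initiated = initiated_flows(log)
    return {
        "leftover_shunts": leftover,
        "initiated": initiated,
        "broad_holds": broad_holds(log),
        # A shunt still open with no initiate is an acquire that went nowhere.
        "held_without_initiate": [f for f in leftover if f not in initiated],
    }


if __name__ == "__main__":
    for key, value in triage(PLUTO_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real `plutodebug=all` log instead of `PLUTO_LOG` to see which acquires left a %hold behind; the constructed 87.108.67.163 entry is the only one reported here, while the quoted 87.108.67.162 acquire is cleanly added, deleted and initiated.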

