[Openswan dev] rekey with aggr mode breaks after 8h

Paul Wouters paul at xelerance.com
Thu May 6 13:11:55 EDT 2010

This seems like a real problem.


---------- Forwarded message ----------
Date: Thu, 06 May 2010 12:45:46 -0400
From: Avesh Agarwal <avagarwa at redhat.com>
To: Paul Wouters <paul at xelerance.com>
Subject: Re: rekey with xauth


PSK/XAUTH passwords are always in ipsec.secrets and never in the NSS database. 
There is no difference between non-NSS and NSS mode when using PSK/XAUTH.

The exact issue I am noticing (in both NSS and non-NSS modes, with aggr and 
xauth) is that the current ISAKMP SA (keying channel) is #1, the current IPsec SA 
(data channel) is #2, and "ipsec auto --status" says IPsec SA #2 is 
associated with ISAKMP SA #1. Locally, I have not set any rekeying parameters, 
so they are default. It seems that the server is triggering rekeying, and I 
noticed that ISAKMP is rekeying around every 50 minutes or so. Due to rekeying, 
ISAKMP is going from #3 ... to #10 (just for example). During this ISAKMP 
rekeying, it does not ask for any XAUTH passwords. By now the connection works 
fine, data is transferred properly, and there does not seem to be any issue with 
that. IPsec SA stays at #2 (no rekey by now); however, "ipsec auto --status" 
still shows that it is associated with ISAKMP SA #1, not the current ISAKMP SA 
#10. The problem occurs when IPsec SA rekey is started after around 8 hours, 
triggered from the server, and this time IPsec SA rekeying does not work, and 
it seems to be crashing sometimes and sometimes not.

Sometimes, during ISAKMP SA rekey, it is crashing at the following:

"if ((st->st_interface->ike_float == TRUE) && (st->st_tpacket.len != 1))"

in func send_packet() in file programs/pluto/server.c.

And there are some errors that do not cause any issues:
"protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0"

Thanks and Regards
> Paul
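The symptom described in the forwarded report (an IPsec SA whose recorded parent ISAKMP SA has been rekeyed away) can be spotted from "ipsec auto --status" output before the 8-hour Phase 2 rekey fails. The script below is an added example, not code from Openswan or from either poster: it parses the per-SA status lines, assuming the usual Openswan layout (`000 #N: "conn":port STATE_... (...); ...; isakmp#M; ...`), and flags any Phase 2 SA whose `isakmp#M` parent is no longer listed or is not the newest ISAKMP SA. The sample status text is constructed to reproduce the situation in the report (ISAKMP #1 replaced by #10, IPsec #2 still pointing at #1); it is not captured from the reporter's system.

```python
import re

# Constructed sample of `ipsec auto --status` output (approximates Openswan's
# format; not captured from the reporter's machine). ISAKMP SA #1 has been
# rekeyed away, the newest ISAKMP SA is #10, yet IPsec SA #2 still names
# isakmp#1 as its parent. #11 is a Phase 2 rekey in progress under #10.
SAMPLE_STATUS = """\
000 #10: "roadwarrior":4500 STATE_AGGR_I2 (sent AI2, ISAKMP SA established); EVENT_SA_REPLACE in 2412s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #2: "roadwarrior":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1790s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #11: "roadwarrior":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 10s; isakmp#10; idle; import:admin initiate
"""

# One SA per line: serial number, connection name, state name, description, rest.
SA_LINE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)":\d+ '
    r'(?P<state>STATE_\w+) \((?P<desc>[^)]*)\);(?P<rest>.*)$'
)
PARENT = re.compile(r'isakmp#(\d+)')


def parse_status(text):
    """Parse status lines into dicts. STATE_QUICK_* is Phase 2 (IPsec SA);
    every other state name (MAIN, AGGR, XAUTH, ...) is treated as Phase 1."""
    sas = []
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if not m:
            continue  # header, connection and other non-SA lines
        rest = m.group('rest')
        pm = PARENT.search(rest)
        sas.append({
            'num': int(m.group('num')),
            'conn': m.group('conn'),
            'state': m.group('state'),
            'is_isakmp': not m.group('state').startswith('STATE_QUICK'),
            'parent': int(pm.group(1)) if pm else None,
            'newest_isakmp': 'newest ISAKMP' in rest,
        })
    return sas


def stale_parents(sas):
    """Return (ipsec_sa, parent, reason) for each Phase 2 SA whose recorded
    ISAKMP parent is gone, or is present but no longer the newest ISAKMP SA.
    Either case means a server-triggered Phase 2 rekey may not find a usable
    keying channel via the SA's stored parent."""
    isakmp = {sa['num'] for sa in sas if sa['is_isakmp']}
    newest = {sa['num'] for sa in sas if sa['newest_isakmp']}
    findings = []
    for sa in sas:
        if sa['is_isakmp'] or sa['parent'] is None:
            continue
        if sa['parent'] not in isakmp:
            findings.append((sa['num'], sa['parent'],
                             'parent ISAKMP SA no longer listed'))
        elif sa['parent'] not in newest:
            findings.append((sa['num'], sa['parent'],
                             'parent is not the newest ISAKMP SA'))
    return findings


def check_status(text):
    """Convenience wrapper: parse, then report stale parent links."""
    return stale_parents(parse_status(text))


if __name__ == '__main__':
    # On a live host, replace SAMPLE_STATUS with the output of
    # `ipsec auto --status` (e.g. subprocess.check_output).
    for ipsec_sa, parent, reason in check_status(SAMPLE_STATUS):
        print(f'IPsec SA #{ipsec_sa} -> isakmp#{parent}: {reason}')
```

On the constructed sample this reports IPsec SA #2 pointing at isakmp#1, which is no longer listed; #11 is not reported because its parent #10 is the newest ISAKMP SA. Running this periodically (well before the roughly 8-hour Phase 2 lifetime) gives advance warning that a Phase 2 rekey will be attempted against a stale keying channel.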
