[Openswan dev] rekey with aggr mode breaks after 8h
paul at xelerance.com
Thu May 6 13:11:55 EDT 2010
This seems like a real problem.
---------- Forwarded message ----------
Date: Thu, 06 May 2010 12:45:46 -0400
From: Avesh Agarwal <avagarwa at redhat.com>
To: Paul Wouters <paul at xelerance.com>
Subject: Re: rekey with xauth
PSK/XAUTH passwords are always in ipsec.secrets and never in NSS database.
There is no difference in non-NSS and NSS mode when using PSK/XAUTH
The exact issue I am noticing (in both NSS and non-NSS modes, with aggr and
xauth), is that current ISAKMP SA (keying channel) is #1, and current IPsec SA
(data channel) is number #2 , and "ipsec auto --status" says IPsec SA #2 is
associated with ISAKMP SA#1. Locally, I have not set any rekeying parameters,
so they are default. It seems that the server is triggering rekeying, and I
noticed that ISAKMP is rekeying around every 50 minutes or so. Due to rekeying,
ISAKMP is going from #3..to #10 (just for example). During this ISAKMP
rekeying, it does not ask for any XAUTH passwords. By now connection works
fine, data is transferred properly, and there does not seem any issue with
that. IPsec SA stays at #2 (no rekey by now), however, "ipsec auto --status"
still shows that it is associated with ISAKMP SA #1, not the current ISAMKP SA
#10. Problem occurs, when IPsec SA rekey is started after around 8hours
triggered from the server, and this time IPsec SA rekeying does not work, and
it seems to be crashing sometimes and sometimes not.
Sometimes, during ISAKMP SA rekey, it is crashing at following:
"if ((st->st_interface->ike_float == TRUE) && (st->st_tpacket.len !=1)"
in func send_packet() in file programs/pluto/server.c.
And there are some errors, that do not cause any issues:
"protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0"
Thanks and Regards
More information about the Dev