[Openswan dev] Losing shared phase1

[Paul Wouters]

On Mon, 25 Oct 2010, D. Hugh Redelmeier wrote:

> The ISAKMP SA will belong to net1 or net2, depending on which got
> initiated first.

But it would be nice if it could somehow be marked/remembered as shared, so
we can keep it when we are deleting an (arbitrary) phase2 that just happened
to have been the first to initiate and thus getting the phase1.

> My recollection is that the phase 2 will only go away (be deleted) if
> it belongs to net1.

Correct.

> I would have expected (based on very fuzzy memory) that an IKE SA
> would be negotiated whenever needed.  Perhaps sending delete isn't
> considered a need.

But that would be even worse with more nets. In our case we were doing 500
phase2s to one phase1 for benchmarking. And we'd start them using:

for i in `seq 1 500` do
   ipsec auto --up conn$i
done

Then we do the same tearing down, but then the receiving end only gets 1 Delete/Notify
because conn1 would have the phase1. If this would cause another phase1 to establish,
just to send a delete, that would be extremely bad, and result in 499 new ike
negotiations just to send Delete's.

> | Question: Should we not keep the phase1 around on the first delete?
>
> I don't think so.  Just create an IKE SA if and when needed.

That would be fine for bringing up new things, just not as good for sending notifications
about delete.

> It is possible that the IKEv2 standard mandates another model.

I think that part remains pretty similar.

> | I guess this can be difficult to determine. Perhaps that's why it was not
> | implemented?
>
> No.

Okay. So what if we would just let the phase1 linger if there was a request to --down
a tunnel, but we have shared it with another phase2?

There are more reasons this is important too. Imagine NAT-T keep alives no longer being
send because there is no phase1.

Paul