[Openswan Users] Vista Rekeying solution available yet?

Paul Wouters paul at xelerance.com
Wed Jun 11 14:08:52 EDT 2008


On Wed, 11 Jun 2008, James wrote:

> How would I configure ipsec.conf to do that?

The workaround is a hack, not a config option. Diff against 2.6.14...
Might require tweaking for 2.4.x

diff --git a/programs/pluto/ikev1_main.c b/programs/pluto/ikev1_main.c
index e7dbe4f..64a9c00 100644
--- a/programs/pluto/ikev1_main.c
+++ b/programs/pluto/ikev1_main.c
@@ -2948,11 +2948,27 @@ accept_delete(struct state *st, struct msg_digest *md, struct payload_digest *p)
                 }
                 else
                 {
+
+               /*
+                * attempt at workaround bug 888. If we're in STATE_QUICK_R2, and
+                * we receive a Delete AND Rekey, we will hit
+                * the passert(sr->eroute_owner == SOS_NOBODY) in state.c
+                * Workaround: don't delete IPsec SA now, let it linger
+                */
+                if(dst->st_state == STATE_QUICK_R2) {
+                   loglog(RC_LOG_SERIOUS, "BUG 888 workaround triggered\n. Received and "
+                          "ignored Delete SA(0x%08lx) payload: keeping IPSEC state #%lu"
+                          , (unsigned long)ntohl((unsigned long)*(ipsec_spi_t *)spi)
+                          , dst->st_serialno);
+                }
+                else
+                {
                     loglog(RC_LOG_SERIOUS, "received Delete SA(0x%08lx) payload: "
                            "deleting IPSEC State #%lu"
                            , (unsigned long)ntohl((unsigned long)*(ipsec_spi_t *)spi)
                            , dst->st_serialno);
                     delete_state(dst);
+                 }
                 }

                 /* reset connection */
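
Review bot: the added test `if(dst->st_state == STATE_QUICK_R2)` ignores every Delete SA payload aimed at a state in STATE_QUICK_R2, while the comment above it describes the narrower case of a Delete arriving together with a rekey. Either narrow the condition to that case or say in the comment that all Deletes for such states are dropped. Nothing in this hunk schedules the kept state for later removal, so "let it linger" should document what eventually cleans it up (for example SA lifetime expiry), since the peer has already discarded the SA and its keys stay installed locally in the meantime. The new log string also embeds a newline mid-message ("triggered\n. Received and "), which splits one event across two log lines and makes it harder to match in log monitoring; drop the `\n`. Minor style: the new `if(` and the closing `}` of the added else block do not follow the indentation of the surrounding code.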



