[Openswan Users] Vista Rekeying solution available yet?

Julien DELEAN julien.delean at peer2me.com
Mon Jun 23 12:09:18 EDT 2008


Could anybody help me ? pleaaaaase :)

Julien

2008/6/19 Julien DELEAN <julien.delean at peer2me.com>:

> "I could try to write this patch but I really don't know how begin to study
> Pluto's source code. Could anybody help me ?"
>
> up...
>
> 2008/6/12 Julien DELEAN <julien.delean at peer2me.com>:
>
> I tried your patch on openswan 2.4.12 but it doesn't seem to prevent Vista
>> deconnections.
>>
>> In order to quickly provoke this behavior, I download a large file, on
>> Vista client, to reach transfer volume limitations on Windows side and to
>> force rekeying.
>>
>> I still have the same error message :
>> Jun 12 11:56:02 xxx pluto[6962]: "roadwarrior-l2tp"[1] xx.xx.xx.xx #1:
>> responding to Main Mode from unknown peer xx.xx.xx.xx
>> ...
>> Jun 12 11:56:03 xxx pluto[6962]: "roadwarrior-l2tp"[2] xx.xx.xx.xx #2:
>> STATE_QUICK_R2: IPsec SA established {ESP=>0xfb7982a1 <0xf516b8d0
>> xfrm=AES_128-HMAC_SHA1 NATD=xx.xx.xx.xx:4500 DPD=none}
>> Jun 12 12:18:18 xxx pluto[6962]: "roadwarrior-l2tp"[3] xx.xx.xx.xx #3:
>> responding to Quick Mode {msgid:02000000}
>> Jun 12 12:18:18 xxx pluto[6962]: "roadwarrior-l2tp"[3] xx.xx.xx.xx #3:
>> cannot install eroute -- it is in use for "roadwarrior-l2tp"[2] xx.xx.xx.xx
>> #2
>>
>> James, are we talking about the same problem ?
>>
>> I think that the only solution is, as you said Paul, to write a patch that
>> allows rekeys to happen to "the same ip/port as currently used". Am I right
>> ?
>>
>> I could try to write this patch but I really don't know how begin to study
>> Pluto's source code. Could anybody help me ?
>>
>> --
>> Julien
>>
>>
>>
>> 2008/6/11 Paul Wouters <paul at xelerance.com>:
>>
>> On Wed, 11 Jun 2008, James wrote:
>>>
>>>  How would i configure ipsec.conf to do that?
>>>>
>>>
>>> the workaround is a hack, not a config option. diff against 2.6.14...
>>> Might require tweaking for 2.4.x
>>>
>>> diff --git a/programs/pluto/ikev1_main.c b/programs/pluto/ikev1_main.c
>>> index e7dbe4f..64a9c00 100644
>>> --- a/programs/pluto/ikev1_main.c
>>> +++ b/programs/pluto/ikev1_main.c
>>> @@ -2948,11 +2948,27 @@ accept_delete(struct state *st, struct msg_digest
>>> *md, struct payload_digest *p)
>>>                }
>>>                else
>>>                {
>>> +
>>> +               /*
>>> +                * attempt at workaround bug 888. If we're in
>>> STATE_QUICK_R2, and
>>> +                * we receive a Delete AND Rekey, we will hit
>>> +                * the passert(sr->eroute_owner == SOS_NOBODY) in state.c
>>> +                * Workaround: don't delete IPsec SA now, let it linger
>>> +                */
>>> +                if(dst->st_state == STATE_QUICK_R2) {
>>> +                   loglog(RC_LOG_SERIOUS, "BUG 888 workaround
>>> triggered\n. Received and "
>>> +                          "ignored Delete SA(0x%08lx) payload: keeping
>>> IPSEC state #%lu"
>>> +                          , (unsigned long)ntohl((unsigned
>>> long)*(ipsec_spi_t *)spi)
>>> +                          , dst->st_serialno);
>>> +                }
>>> +                else
>>> +                {
>>>                    loglog(RC_LOG_SERIOUS, "received Delete SA(0x%08lx)
>>> payload: "
>>>                           "deleting IPSEC State #%lu"
>>>                           , (unsigned long)ntohl((unsigned
>>> long)*(ipsec_spi_t *)spi)
>>>                           , dst->st_serialno);
>>>                    delete_state(dst);
>>> +                 }
>>>                }
>>>
>>>                /* reset connection */
>>>
>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20080623/8d85ec57/attachment.html 


More information about the Users mailing list