[Swan-commit] Changes to ref refs/heads/master

Paul Wouters paul at vault.libreswan.fi
Sat Feb 20 00:05:34 UTC 2016


New commits:
commit dc436423e64e7b66c578d1e2ed77c8164144bfc2
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 19 19:00:49 2016 -0500

    pluto: the pending code for phase2 misfired for IKEv2 connections
    
    There is an EVENT_PENDING_PHASE2 that is scheduled every 2 minutes.
    It checks if there are pending IPsec SA negotiations that are waiting
    for an IKE negotiation to complete. If this takes longer than 120s,
    it shoots the IKE negotiation and starts a new one.
    
    When it was looking for pending IKE negotiations, it used the macro
    PHASE1_INITIATOR_STATES which did not include STATE_PARENT_I1 or
    STATE_PARENT_I2. So it would never find the currently failing IKEv2
    state, and call ipsec_doi to start a new one, duplicating the connections.
    
    This meant we were duplicating failed IKEv2 negotiations every 120
    seconds.

