[Swan-commit] Changes to ref refs/heads/master
Paul Wouters
paul at vault.libreswan.fi
Sat Feb 20 00:05:34 UTC 2016
New commits:
commit dc436423e64e7b66c578d1e2ed77c8164144bfc2
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Feb 19 19:00:49 2016 -0500
pluto: the pending code for phase2 misfired for IKEv2 connections
There is an EVENT_PENDING_PHASE2 that is scheduled every 2 minutes.
It checks if there are pending IPsec SA negotiations that are waiting
for an IKE negotiation to complete. If this takes longer than 120s,
it shoots the IKE negotiation and starts a new one.
When it was looking for pending IKE negotiations, it used the macro
PHASE1_INITIATOR_STATES which did not include STATE_PARENT_I1 or
STATE_PARENT_I2. So it would never find the currently failing IKEv2
state, and call ipsec_doi to start a new one, duplicating the connections.
This meant we were duplicating failed IKEv2 negotiations every 120
seconds.
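
The failure mode described in the commit message, as an added example (a simplified model, not code from libreswan or from this commit). Only the names STATE_PARENT_I1, STATE_PARENT_I2 and EVENT_PENDING_PHASE2 come from the message; the contents of the old state set, the helper names and the table size are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* STATE_MAIN_I1 stands in for the IKEv1 initiator states (assumption). */
enum state { STATE_MAIN_I1, STATE_PARENT_I1, STATE_PARENT_I2 };

/* Before the fix: the IKEv2 parent initiator states are not in the set. */
static bool initiator_old(enum state s) { return s == STATE_MAIN_I1; }

/* After the fix: the IKEv2 parent initiator states are recognised too. */
static bool initiator_new(enum state s)
{
    return s == STATE_MAIN_I1 || s == STATE_PARENT_I1 || s == STATE_PARENT_I2;
}

#define MAX_SA 16 /* hypothetical table size for the model */
struct ike_sa { enum state st; bool alive; };

/* Fire the pending-phase2 timer `ticks` times (ticks < MAX_SA) against one
 * stalled negotiation; return how many negotiations are live afterwards. */
int simulate(bool (*is_initiator)(enum state), enum state stalled, int ticks)
{
    struct ike_sa sa[MAX_SA] = { { stalled, true } };
    int n = 1, live = 0;

    for (int t = 0; t < ticks && n < MAX_SA; t++) {
        /* Look for the stalled IKE negotiation and shoot it if found. */
        for (int i = 0; i < n; i++)
            if (sa[i].alive && is_initiator(sa[i].st))
                sa[i].alive = false;
        /* A new negotiation is started either way. */
        sa[n++] = (struct ike_sa){ stalled, true };
    }
    for (int i = 0; i < n; i++)
        live += sa[i].alive;
    return live;
}

int main(void)
{
    /* Five timer firings, i.e. ten minutes of a failing IKEv2 peer. */
    printf("old set: %d live negotiations\n",
           simulate(initiator_old, STATE_PARENT_I1, 5));
    printf("new set: %d live negotiations\n",
           simulate(initiator_new, STATE_PARENT_I1, 5));
    return 0;
}
```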