[Swan-dev] IKEv2 nhelpers == 0 failures

Antony Antony antony at phenome.org
Fri Jun 6 01:17:42 EEST 2014 

Here is a proposed patch, add timeout_event EVENT_SO_DISCARD to
STATE_PARENT_R1 with timeout value of:

MAXIMUM_RETRANSMISSIONS_INITIAL + EVENT_RETRANSMIT_DELAY_0 
The default is 30 seconds.

I am not sure what would be the optimal timout value. Any suggestions?
regards,
-antony



On Fri, May 30, 2014 at 08:59:25PM +0200, Antony Antony wrote:
> Good catch!
> 
> On Fri, May 30, 2014 at 03:34:34AM -0400, D. Hugh Redelmeier wrote:
> 
> > The fix should be that responder state transitions set an event at the 
> > limit of their patience for the next Initiator message.  What event?  
> > Probably a new one so that an appropriate message is logged "v2 responder
> > got tired of waiting for the next message and will declare failure". 
> 
> some of the SMC entries, e.g STATE_PARENT_R1,
> have timeout_event = EVENT_SA_REPLACE. So I imagined that will take care.
> 
> the timeout could be
> maximum_retransmissions_initial + event_retransmit_delay_0 * maximum_retransmissions 
> 
> -antony
> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev
> 
-------------- next part --------------
commit b8498744174a66f58f3a6beef27bef888496b908
Author: Antony Antony <antony at phenome.org>
Date:   Fri Jun 6 00:07:47 2014 +0200

    ikev2: STATE_PARENT_R1 add time out event EVENT_SO_DISCARD

diff --git a/programs/pluto/ikev2.c b/programs/pluto/ikev2.c
index 807c860..8e6773b 100644
--- a/programs/pluto/ikev2.c
+++ b/programs/pluto/ikev2.c
@@ -255,7 +255,8 @@ static const struct state_v2_microcode v2_state_microcode_table[] = {
 	  .flags =  /* not SMF2_INITIATOR, not SMF2_STATENEEDED */ SMF2_REPLY,
 	  .req_clear_payloads = P(SA) | P(KE) | P(Ni),
 	  .processor  = ikev2parent_inI1outR1,
-	  .recv_type  = ISAKMP_v2_SA_INIT, },
+	  .recv_type  = ISAKMP_v2_SA_INIT, 
+	  .timeout_event  =  EVENT_SO_DISCARD, },
 
 	/* STATE_PARENT_R1: I2 --> R2
 	 *                  <-- HDR, SK {IDi, [CERT,] [CERTREQ,]
@@ -1066,6 +1067,12 @@ static void success_v2_state_transition(struct msg_digest **mdp)
 			event_schedule(kind, delay, st);
 			break;
 
+		case EVENT_SO_DISCARD:
+			delete_event(st);
+			event_schedule(kind, (MAXIMUM_RETRANSMISSIONS_INITIAL + 
+						EVENT_RETRANSMIT_DELAY_0), st);
+			break;
+
 		case EVENT_NULL:
 			/* XXX: Is there really no case where we want to set no timer? */
 			/* dos_cookie is one 'valid' event, but it is used more? */

More information about the Swan-dev mailing list