[Swan-dev] nss updates, addcon bug #86 and libreswan 3.9 release

Paul Wouters paul at nohats.ca
Wed May 28 18:21:32 EEST 2014


On Wed, 28 May 2014, Wolfgang Nothdurft wrote:

> @Paul
> Any comment on my patch for Bug #86 
> (https://bugs.libreswan.org/show_bug.cgi?id=86) ?

That patch actually breaks things badly for me. For example, load these
connections and look at them with "ipsec status":

conn orient1
 	left=%defaultroute
 	leftnexthop=%defaultroute
 	right=8.8.8.8
 	#rightnexthop=%defaultroute

conn orient2
 	left=%defaultroute
 	#leftnexthop=%defaultroute
 	right=8.8.8.8
 	#rightnexthop=%defaultroute

conn orient3
 	left=YourPubIP
 	leftnexthop=YourGatewayIP
 	right=8.8.8.8
 	#rightnexthop=%defaultroute

conn orient4
 	left=YourPubIP
 	leftnexthop=%defaultroute
 	right=8.8.8.8
 	#rightnexthop=%defaultroute

you'll see some pretty badly mangled things in ipsec status as well as
unoriented connections. And orient4 won't even load.

000 "orient1": 8.8.8.8<8.8.8.8>...<invalid>---%any; unrouted; eroute owner: #0
000 "orient1":     unoriented; my_ip=unset; their_ip=unset;

000 "orient2": 76.10.157.69...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0
000 "orient2":     oriented; my_ip=unset; their_ip=unset;

000 "orient3": 76.10.157.69<76.10.157.69>---76.10.157.65...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0
000 "orient3":     oriented; my_ip=unset; their_ip=unset;

Only orient3 works in this case. (orient2 might work but it's not the
internal state we would want to see). Orient1 got completely mangled.

I think we should change the code in addconn.c and not run
resolve_defaultroute_one() up to four times. I think we should run it
once (two netlink calls) to get our default source ip and our default
gateway IP, and then simply look at left->addrtype and left->nexthop
and right->addrtype and right->nexthop and change the values where
appropriate.

> Are there any plans when 3.9 will be released? ;)

We are looking at fixing 3 bugs before we release. This addconn bug is
one of them. nhelpers=0 with IKEv2 is another one. Finally, a rekey bug
with IKEv2 needs to be fixed. With those three in place, we will do a
release. I really hope we can release this week or weekend :/

Paul

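As an added illustration of the addconn change proposed in the message above (not libreswan's code; the struct and function names, the constructed lookup result and the "two ends must differ" rule are this example's own assumptions), here is a model of resolving the default route once and then substituting %defaultroute on each end, run over the four orient conns from the message:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of the proposed addconn step: resolve the default route once,
 * then substitute %defaultroute on each end. Hypothetical code, not
 * libreswan's addconn.c; the names here are this example's own.
 */
#define DEFAULTROUTE "%defaultroute"

struct end {
	char addr[64];     /* left= / right=; may be %defaultroute */
	char nexthop[64];  /* leftnexthop= / rightnexthop=; empty if not set */
};

struct conn {
	const char *name;
	struct end left;
	struct end right;
};

/* What the one-time lookup (two netlink calls) would return. */
struct defroute {
	const char *src;  /* source address on the default-route interface */
	const char *gw;   /* default gateway */
};

static void copy_str(char *dst, size_t n, const char *src)
{
	snprintf(dst, n, "%s", src == NULL ? "" : src);
}

struct conn make_conn(const char *name, const char *l, const char *lnh,
		      const char *r, const char *rnh)
{
	struct conn c;
	c.name = name;
	copy_str(c.left.addr, sizeof c.left.addr, l);
	copy_str(c.left.nexthop, sizeof c.left.nexthop, lnh);
	copy_str(c.right.addr, sizeof c.right.addr, r);
	copy_str(c.right.nexthop, sizeof c.right.nexthop, rnh);
	return c;
}

static bool is_defaultroute(const char *s)
{
	return strcmp(s, DEFAULTROUTE) == 0;
}

/* Substitute on one end; returns the number of values replaced. */
static int resolve_end(struct end *e, const struct defroute *d)
{
	int n = 0;
	if (is_defaultroute(e->addr)) {
		copy_str(e->addr, sizeof e->addr, d->src);
		n++;
	}
	if (is_defaultroute(e->nexthop)) {
		/* Simplification: always the default gateway, even when the
		 * address is a literal (the orient4 case). A real fix may want
		 * a route lookup from that specific source address instead. */
		copy_str(e->nexthop, sizeof e->nexthop, d->gw);
		n++;
	}
	return n;
}

/* One lookup result applied to both ends. Returns total substitutions. */
int resolve_conn(struct conn *c, const struct defroute *d)
{
	return resolve_end(&c->left, d) + resolve_end(&c->right, d);
}

/* Post-condition: no token left unresolved, both addresses set, and the
 * two ends differ (both ends resolving to the same local address cannot
 * be oriented; that rule is an assumption of this model). */
bool conn_resolved(const struct conn *c)
{
	return !is_defaultroute(c->left.addr) && !is_defaultroute(c->right.addr) &&
	       !is_defaultroute(c->left.nexthop) && !is_defaultroute(c->right.nexthop) &&
	       c->left.addr[0] != '\0' && c->right.addr[0] != '\0' &&
	       strcmp(c->left.addr, c->right.addr) != 0;
}

static void show(const struct conn *c)
{
	printf("%-8s left=%s nexthop=%s  right=%s nexthop=%s  %s\n", c->name,
	       c->left.addr, c->left.nexthop[0] ? c->left.nexthop : "(unset)",
	       c->right.addr, c->right.nexthop[0] ? c->right.nexthop : "(unset)",
	       conn_resolved(c) ? "ok" : "UNRESOLVED");
}

int main(void)
{
	/* Constructed lookup result (documentation addresses) standing in for netlink. */
	const struct defroute d = { "192.0.2.10", "192.0.2.1" };
	struct conn conns[] = {
		make_conn("orient1", DEFAULTROUTE, DEFAULTROUTE, "8.8.8.8", NULL),
		make_conn("orient2", DEFAULTROUTE, NULL, "8.8.8.8", NULL),
		make_conn("orient3", "192.0.2.10", "192.0.2.1", "8.8.8.8", NULL),
		make_conn("orient4", "192.0.2.10", DEFAULTROUTE, "8.8.8.8", NULL),
	};
	for (size_t i = 0; i < sizeof conns / sizeof conns[0]; i++) {
		resolve_conn(&conns[i], &d);
		show(&conns[i]);
	}
	return 0;
}
```

With a single lookup result, all four conns come out with concrete addresses and no end is mangled; the only open design question, flagged in the comment, is whether a literal address with nexthop=%defaultroute should take the default gateway or a gateway looked up for that specific source.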