[Swan-dev] nss updates, addcon bug #86 and libreswan 3.9 release

Wolfgang Nothdurft wolfgang at linogate.de
Wed May 28 19:19:11 EEST 2014 

Am 28.05.2014 17:21, schrieb Paul Wouters:
> On Wed, 28 May 2014, Wolfgang Nothdurft wrote:
>
>> @Paul
>> Any comment on my patch for Bug #86
>> (https://bugs.libreswan.org/show_bug.cgi?id=86) ?
>
> That patch actually breaks things badly for me. For example, load these
> connections and look at them with "ipsec status":
>
> conn orient1
>      left=%defaultroute
>      leftnexthop=%defaultroute
>      right=8.8.8.8
>      #rightnexthop=%defaultroute
>
> conn orient2
>      left=%defaultroute
>      #leftnexthop=%defaultroute
>      right=8.8.8.8
>      #rightnexthop=%defaultroute
>
> conn orient3
>      left=YourPubIP
>      leftnexthop=YourGatewayIP
>      right=8.8.8.8
>      #rightnexthop=%defaultroute
>
> conn orient4
>      left=YourPubIP
>      leftnexthop=%defaultroute
>      right=8.8.8.8
>      #rightnexthop=%defaultroute
>
> you'll see some pretty badly mangled things in ipsec status as well as
> unoriented connections. And orient4 won't even load.
>
> 000 "orient1": 8.8.8.8<8.8.8.8>...<invalid>---%any; unrouted; eroute
> owner: #0
> 000 "orient1":     unoriented; my_ip=unset; their_ip=unset;
>
> 000 "orient2": 76.10.157.69...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0
> 000 "orient2":     oriented; my_ip=unset; their_ip=unset;
>
> 000 "orient3":
> 76.10.157.69<76.10.157.69>---76.10.157.65...8.8.8.8<8.8.8.8>; unrouted;
> eroute owner: #0
> 000 "orient3":     oriented; my_ip=unset; their_ip=unset;
>
> Only orient3 works in this case. (orient2 might work but it's not the
> internal state we would want to see). Orient1 got completely mangled.
>
> I think we should change the code in addconn.c and not run
> resolve_defaultroute_one() up to four times. I think we should run it
> once (two netlink calls) to get our default source ip and our default
> gateway IP, and then simply look at left->addrtype and left->nexthop
> and right->addrtype and right->nexthop and change the values where
> appropriate.
>

oh, I forgot to update the patch. I added an extra check to only skip if 
right=%any.

I have uploaded it.

>> Are there any plans when 3.9 will be released? ;)
>
> We are looking at fixing 3 bugs before we release. This addconn bug is
> one of them. nhelpers=0 with IKEv2 is another one. Finally, a rekey bug
> with IKEv2 needs to be fixed. With those three in place, we will do a
> release. I really hope we can release this week or weekend :/
>
> Paul
>

That sounds good. :)


Wolfgang

More information about the Swan-dev mailing list