[Swan-dev] related to retransmits discussion

Paul Wouters paul at nohats.ca
Thu Mar 17 17:14:38 UTC 2016


Looking at packet loss during XAUTH, I noticed this is related to
similar code in the state machine. The following patch fixes my
XAUTH failure with packet loss:

@@ -571,12 +571,12 @@ static const struct state_microcode
v1_state_microcode_table[] = {
         { STATE_XAUTH_I0, STATE_XAUTH_I1,
           SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2,
           P(MCFG_ATTR) | P(HASH), P(VID), PT(HASH),
-         EVENT_SA_REPLACE, xauth_inI0 },
+         EVENT_v1_RETRANSMIT, xauth_inI0 },

         { STATE_XAUTH_I1, STATE_MAIN_I4,
           SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2,
           P(MCFG_ATTR) | P(HASH), P(VID), PT(HASH),
-         EVENT_SA_REPLACE, xauth_inI1 },
+         EVENT_v1_RETRANSMIT, xauth_inI1 },


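Review bot: The second entry (STATE_XAUTH_I1 to STATE_MAIN_I4) now carries EVENT_v1_RETRANSMIT although its target is no longer an XAUTH state, so the "not in this intermediate state for 1h" reasoning covers the first entry more clearly than this one. Please confirm that the IKE SA still gets an EVENT_SA_REPLACE scheduled once it reaches STATE_MAIN_I4 and that no retransmit timer is left pending there. If that holds, a short comment above these two entries explaining why a retransmit event is used would keep a later reader from switching it back. The hunk is also posted without its ---/+++ file header, so it cannot be applied as is.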
My guess is it used EVENT_SA_REPLACE to replace the IKE SA? But we are not
supposed to be in this XAUTH intermediate state for 1h, so I think it is
safe to change it to EVENT_v1_RETRANSMIT.

It fixed XAUTH with packet loss for me:

002 "redhat" #1: Aggressive mode peer ID is ID_IPV4_ADDR: '66.187.233.55'
002 "redhat" #1: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
004 "redhat" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP1024}
003 "redhat" #1: XAUTH Message: Enter Username and Password.
040 "redhat" #1: redhat prompt for Password:
Enter passphrase: 
002 "redhat" #1: XAUTH: Answering XAUTH challenge with user='pwouters'
002 "redhat" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
004 "redhat" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
010 "redhat" #1: STATE_XAUTH_I1: retransmission; will wait 500ms for response
010 "redhat" #1: STATE_XAUTH_I1: retransmission; will wait 1000ms for response
003 "redhat" #1: XAUTH Message: Enter Username and Password.
040 "redhat" #1: redhat prompt for Password:
Enter passphrase: 
002 "redhat" #1: XAUTH: Answering XAUTH challenge with user='pwouters'
002 "redhat" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
004 "redhat" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
002 "redhat" #1: XAUTH: Successfully Authenticated

(not sure if I actually mistyped my password there on the first attempt)


If anyone has a problem with this patch, let me know soon.

Paul

