[Swan-dev] a question on whack exit codes (libreswan-up-down.sh)

Andrew Cagney andrew.cagney at gmail.com
Mon May 7 15:53:43 UTC 2018


On 7 May 2018 at 10:33, Paul Wouters <paul at nohats.ca> wrote:
> On Mon, 7 May 2018, Andrew Cagney wrote:
>
>> In the past, if the connection didn't come up immediately, 'ipsec auto
>> --up ${config}' would fail and the script would stop.  With recent
>> changes, that operation now succeeds and the script continues
>> executing wait-until-alive (that script runs ping, and the ping then
>> tricks east into trying to bring up the connection ....):
>
>
>> 002 "westnet-eastnet-ipv4-psk-ikev2" #4: IKE SA authentication
>> request rejected: UNSUPPORTED_CRITICAL_PAYLOAD
>
>
> This log message has the wrong RC_XXX type.
>
> Looking closer, it seems that RC_WHACK_PROBLEM is unfortunately placed
> in lswlog.h. I'll push a fix.

I don't think that helped.

>> Given the connection neither succeeded nor failed, what should the exit code
>> be?
>
>
> It did fail if it really "rejected" the connection.

Here all the initiator knows is that something is wrong.

Because the other end never proved their identity, the initiator can't
trust what is coming back so it should back off for a bit and then try
again.

As an aside, all the ikev2-unknown-payload-* tests prod this area, and
highlight how inconsistent pluto is with handling this case.  Hmm,
just noticed that ikev2-unknown-payload-03-auth-sk-critical doesn't
try again :-/

Andrew
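The back-off-and-retry behaviour Andrew argues for above, as an added illustration that is not code from the thread or from libreswan: a small POSIX sh wrapper that reruns a bring-up command with doubling delays until it exits 0 or a bounded number of attempts is used up. `ipsec auto --up "$config"` is the command the thread mentions; the attempt limit, the delays and the convention that "anything but exit 0 means not-yet-up" are assumptions of this example, not documented whack semantics.

```sh
#!/bin/sh
# Added example, not part of the thread or of libreswan. Demonstrates the
# "back off for a bit and then try again" policy for an initiator that
# cannot yet tell whether the peer is genuine (the peer never authenticated,
# so an early rejection is not trustworthy and is treated as "not up yet").

# retry_up MAX_ATTEMPTS BASE_DELAY_SECONDS CMD [ARGS...]
#   Runs CMD until it exits 0. Between attempts it sleeps BASE_DELAY,
#   2*BASE_DELAY, 4*BASE_DELAY, ... seconds. Returns 0 once CMD succeeds,
#   1 if every attempt was used without success (caller decides what to do).
retry_up() {
    max="$1"
    delay="$2"
    shift 2
    attempt=1
    while [ "$attempt" -le "$max" ]; do
        if "$@"; then
            return 0
        fi
        echo "attempt $attempt/$max of '$*' did not succeed" >&2
        if [ "$attempt" -lt "$max" ]; then
            sleep "$delay"
            delay=$((delay * 2))
        fi
        attempt=$((attempt + 1))
    done
    return 1
}

# Intended use (assumed parameters; commented out so the file runs stand-alone):
#   config=westnet-eastnet-ipv4-psk-ikev2
#   retry_up 5 2 ipsec auto --up "$config" || echo "gave up on $config" >&2
```

The wrapper deliberately gives up after `MAX_ATTEMPTS`; an unbounded loop would turn an ambiguous failure into a script that never terminates, which is exactly the symptom the thread describes when `wait-until-alive` keeps pinging.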

