[Swan-dev] ikev2-32-nat-rw-rekey is weird

Andrew Cagney andrew.cagney at gmail.com
Mon Nov 26 15:26:25 UTC 2018


The old code was doing roughly:

  #1 established as IKE SA
  #2 established as CHILD SA

and then

 | handling event EVENT_SA_REPLACE for parent state #1
 | #3 schedule initiate IKE Rekey SA none to replace IKE# 1
  - can't as network is down but keeps retrying
 | inserting event EVENT_SA_EXPIRE, timeout in 13.000 seconds for #1
 - i.e., switch #1 from REPLACE to EXPIRE

and then

  | #1: ISAKMP SA expired (LATEST!)
  - deletes all known children (i.e. #2, but not #3 - that's become a zombie)
  | #1: reschedule pending child #3 STATE_V2_REKEY_IKE_I of connection "road-east-x509-ipv4"[1] 192.1.2.23 - the parent is going away
  | inserting event EVENT_SA_REPLACE, timeout in 0.000 seconds for #3
  - i.e., flips #3's event from retransmit to replace
  - deletes itself (#3)

and this wakes up zombie #3 causing it to:

  #3: handling event EVENT_SA_REPLACE for child state
  - creates #4 to do full re-negotiation
  - deletes itself

Since the new code deletes #3 (re-key state) while deleting #1
(original IKE SA) there is no #3 zombie state to bring back from the
dead.  Hence the connection dies.

My guess is what should happen is: the #1 EXPIRE event (clearly it
wasn't, as it wakes up the zombie state #3 causing it to do the REPLACE)
should do the replace itself.  Any thoughts?
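To make the three flows easier to compare, here is a small event-driven model of the state table described in the message. It is an added illustration written for this page, not libreswan code: the state kinds, the "old", "new" and "proposed" behaviours, and the simplification that a rekey which cannot complete immediately pushes its parent to EXPIRE are all assumptions taken from the reading of the post above, not from the libreswan source.

```python
# Toy model of the IKE SA replace/expire event flow from the post above.
# Constructed for illustration only; this is not libreswan code. The three
# behaviours ("old", "new", "proposed") are an assumed reading of the post.
from collections import deque

EVENT_SA_REPLACE = "EVENT_SA_REPLACE"
EVENT_SA_EXPIRE = "EVENT_SA_EXPIRE"
EVENT_RETRANSMIT = "EVENT_RETRANSMIT"


class State:
    """One state-table entry: an IKE SA, a Child SA or a pending IKE rekey."""

    def __init__(self, num, kind, parent=None):
        self.num, self.kind, self.parent, self.alive = num, kind, parent, True


class StateTable:
    def __init__(self, behaviour):
        assert behaviour in ("old", "new", "proposed")
        self.behaviour = behaviour
        self.states, self.events, self.log = {}, deque(), []
        self.next_num = 1

    def add(self, kind, parent=None):
        st = State(self.next_num, kind, parent)
        self.states[st.num] = st
        self.next_num += 1
        self.log.append(f"#{st.num} created as {kind}")
        return st

    def delete(self, st, why):
        st.alive = False
        self.log.append(f"#{st.num} deleted ({why})")

    def children(self, parent):
        return [s for s in self.states.values() if s.alive and s.parent is parent]

    def schedule(self, st, event):
        self.events.append((st.num, event))
        self.log.append(f"inserting event {event} for #{st.num}")

    def run(self):
        """Drain the event queue; return the numbers of states still alive."""
        while self.events:
            num, event = self.events.popleft()
            st = self.states[num]
            if not st.alive:
                self.log.append(f"#{num}: dropping {event}, state already deleted")
                continue
            self.handle(st, event)
        return sorted(s.num for s in self.states.values() if s.alive)

    def handle(self, st, event):
        self.log.append(f"#{st.num}: handling event {event} for {st.kind}")
        if event == EVENT_SA_REPLACE and st.kind == "IKE_SA":
            # Replace the IKE SA by starting an IKE rekey child state.
            rekey = self.add("STATE_V2_REKEY_IKE_I", parent=st)
            self.schedule(rekey, EVENT_RETRANSMIT)
        elif event == EVENT_RETRANSMIT:
            # Network is down in this scenario: the rekey never completes and
            # the parent falls back from REPLACE to EXPIRE (assumed simplification).
            self.log.append(f"#{st.num}: retransmit failed, network down")
            self.schedule(st.parent, EVENT_SA_EXPIRE)
        elif event == EVENT_SA_EXPIRE and st.kind == "IKE_SA":
            self.expire_ike(st)
        elif event == EVENT_SA_REPLACE and st.kind == "STATE_V2_REKEY_IKE_I":
            # The zombie rekey state woken by the old code: full renegotiation.
            self.add("IKE_SA")
            self.delete(st, "replaced by full renegotiation")

    def expire_ike(self, ike):
        for child in self.children(ike):
            if child.kind == "STATE_V2_REKEY_IKE_I" and self.behaviour == "old":
                # Old code: the pending rekey survives as a zombie and its
                # event is flipped from retransmit to an immediate REPLACE.
                self.log.append(f"#{ike.num}: reschedule pending child #{child.num}, "
                                "the parent is going away")
                self.schedule(child, EVENT_SA_REPLACE)
            else:
                # New code deletes the rekey state together with the other children.
                self.delete(child, f"parent #{ike.num} expired")
        if self.behaviour == "proposed":
            # Proposed: the EXPIRE handler starts the replacement itself,
            # without depending on a zombie rekey state.
            self.add("IKE_SA")
        self.delete(ike, "expired")


def simulate(behaviour):
    """Run the #1/#2 scenario under one behaviour; return (alive states, log)."""
    table = StateTable(behaviour)
    ike = table.add("IKE_SA")
    table.add("CHILD_SA", parent=ike)
    table.schedule(ike, EVENT_SA_REPLACE)
    return table.run(), table.log


if __name__ == "__main__":
    for behaviour in ("old", "new", "proposed"):
        alive, log = simulate(behaviour)
        print(f"--- {behaviour}: alive states {alive}")
        print("\n".join("  " + line for line in log))
```

Running it shows the point of the post: under "old" the zombie #3 is woken by the rescheduled REPLACE and creates #4, under "new" every state is gone once #1 expires, and under "proposed" #4 exists without any zombie being needed.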


More information about the Swan-dev mailing list