[Swan-dev] ikev2-32-nat-rw-rekey is weird

Antony Antony antony at phenome.org
Mon Nov 26 16:16:33 UTC 2018


An unestablished child state would become a new "connection" initiation (STATE_PARENT_I1) when the parent deletes. That is how #4 is created.

delete_state
  flush_pending_children
    flush_pending_child
      # queue up new IKE_INIT exchange

And #4 deletes when the retransmit expires, say 60 sec default.
I think keyingtries is supposed to keep it going, create #5 and so on.

-antony


On Mon, Nov 26, 2018 at 10:26:25AM -0500, Andrew Cagney wrote:
> The old code was doing roughly:
> 
>   #1 established as IKE SA
>   #2 established as CHILD SA
> 
> and then
> 
>  | handling event EVENT_SA_REPLACE for parent state #1
>  | #3 schedule initiate IKE Rekey SA none to replace IKE# 1
>   - can't as network is down but keeps retrying
>  | inserting event EVENT_SA_EXPIRE, timeout in 13.000 seconds for #1
>  - i.e., switch #1 from REPLACE to EXPIRE
> 
> and then
> 
>   | #1: ISAKMP SA expired (LATEST!)
>   - deletes all known children (i.e. #2, but not #3 - that's become a zombie)
>   | #1: reschedule pending child #3 STATE_V2_REKEY_IKE_I of connection
>     "road-east-x509-ipv4"[1] 192.1.2.23 - the parent is going away
>   | inserting event EVENT_SA_REPLACE, timeout in 0.000 seconds for #3
>   - i.e, flips #3's event from retransmit to replace
>   - deletes itself (#3)
> 
> and this wakes up zombie #3 causing it to:
> 
>   #3: handling event EVENT_SA_REPLACE for child state
>   - creates #4 to do full re-negotiation 
>   - deletes itself
> 
> Since the new code deletes #3 (re-key state) while deleting #1
> (original IKE SA) there is no #3 zombie state to bring back from the
> dead.  Hence the connection dies.
> 
> My guess is what should happen is: the #1 EXPIRE event (clearly it
> wasn't as wakes up the zombie state #3 causing it to replace REPLACE)
> should do the replace itself.  Any thoughts.
> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev
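The event sequence argued over above (REPLACE that cannot complete because the network is down, the parent switching to EXPIRE, its pending rekey child being flushed into a fresh IKE_INIT, that initiation giving up when its retransmit timer expires, and keyingtries deciding whether another attempt follows) is easier to reason about as a small discrete-event model. The following is an added example written for this page, not libreswan code and not code from either poster; it assumes a 13 s rekey margin, a 60 s retransmit timeout, a 10 s retransmit interval and treats keyingtries=0 as unlimited, all of which are model parameters, not libreswan defaults. Rekey success and child SA creation are reduced to a single step so that only the recovery logic remains.

```python
"""Toy discrete-event model of the IKE SA lifecycle discussed in the thread.

Constructed example; not libreswan code.  State numbers follow the thread:
#1 IKE SA, #2 Child SA, #3 pending IKE rekey, #4 (and later) IKE_INIT.
"""
import heapq
from dataclasses import dataclass
from typing import Optional


@dataclass
class State:
    num: int
    kind: str                 # "ike", "child", "rekey_ike" or "ike_init"
    parent: Optional[int]
    established: bool
    started: float            # when this state began (re)transmitting
    tries: int = 1            # initiation attempts counted against keyingtries


class Model:
    def __init__(self, network_up_at, keyingtries, rekey_margin=13.0,
                 retransmit_timeout=60.0, retransmit_interval=10.0):
        self.network_up_at = network_up_at      # peer reachable from this time on
        self.keyingtries = keyingtries          # 0 = unlimited in this model
        self.rekey_margin = rekey_margin
        self.retransmit_timeout = retransmit_timeout
        self.retransmit_interval = retransmit_interval
        self.states, self.events, self.log = {}, [], []
        self.next_num, self.seq, self.now = 1, 0, 0.0

    def schedule(self, delay, kind, num):
        self.seq += 1
        heapq.heappush(self.events, (self.now + delay, self.seq, kind, num))

    def new_state(self, kind, parent=None, established=False, tries=1):
        st = State(self.next_num, kind, parent, established, self.now, tries)
        self.states[st.num] = st
        self.next_num += 1
        return st

    def delete_state(self, num):
        st = self.states.pop(num, None)
        if st is None:
            return
        self.log.append(f"{self.now:.0f}s #{num}: delete {st.kind}")
        if st.kind == "ike":
            # Established children die with the parent; unestablished ones are
            # flushed into a fresh initiation (the flush_pending_child path).
            for child in [s for s in self.states.values() if s.parent == num]:
                if child.established:
                    self.delete_state(child.num)
                else:
                    self.flush_pending_child(child)

    def flush_pending_child(self, pending):
        self.states.pop(pending.num, None)
        init = self.new_state("ike_init")
        self.log.append(f"{self.now:.0f}s #{init.num}: new IKE_INIT replacing pending #{pending.num}")
        self.schedule(0, "RETRANSMIT", init.num)

    def start(self):
        ike = self.new_state("ike", established=True)
        self.new_state("child", parent=ike.num, established=True)
        self.schedule(0, "SA_REPLACE", ike.num)

    def run(self, until):
        while self.events and self.events[0][0] <= until:
            self.now, _, kind, num = heapq.heappop(self.events)
            if num in self.states:                    # stale events are dropped
                getattr(self, "on_" + kind.lower())(self.states[num])
        return self

    def on_sa_replace(self, ike):
        rekey = self.new_state("rekey_ike", parent=ike.num)
        self.log.append(f"{self.now:.0f}s #{rekey.num}: initiate IKE rekey of #{ike.num}")
        self.schedule(0, "RETRANSMIT", rekey.num)
        # If the rekey has not completed by the margin, the old SA expires.
        self.schedule(self.rekey_margin, "SA_EXPIRE", ike.num)

    def on_sa_expire(self, ike):
        self.log.append(f"{self.now:.0f}s #{ike.num}: IKE SA expired")
        self.delete_state(ike.num)

    def on_retransmit(self, st):
        if self.now >= self.network_up_at:
            self.establish(st)
        elif self.now - st.started < self.retransmit_timeout:
            self.schedule(self.retransmit_interval, "RETRANSMIT", st.num)
        else:
            self.log.append(f"{self.now:.0f}s #{st.num}: retransmit timeout, giving up")
            self.delete_state(st.num)
            # keyingtries decides whether a further initiation is queued.
            if st.kind == "ike_init" and (self.keyingtries == 0 or st.tries < self.keyingtries):
                again = self.new_state("ike_init", tries=st.tries + 1)
                self.log.append(f"{self.now:.0f}s #{again.num}: keyingtries attempt {again.tries}")
                self.schedule(0, "RETRANSMIT", again.num)

    def establish(self, st):
        if st.kind == "rekey_ike":                    # children move to the new IKE SA
            for c in self.states.values():
                if c.parent == st.parent:
                    c.parent = st.num
        st.kind, st.parent, st.established = "ike", None, True
        self.new_state("child", parent=st.num, established=True)
        self.log.append(f"{self.now:.0f}s #{st.num}: established as IKE SA")


def simulate(keyingtries, network_up_at=100.0, until=200.0):
    """Run the model with the network down until network_up_at seconds."""
    return Model(network_up_at, keyingtries).start() or Model.run(_started(network_up_at, keyingtries), until)


def _started(network_up_at, keyingtries):
    m = Model(network_up_at, keyingtries)
    m.start()
    return m


def established_ike(model):
    return [s.num for s in model.states.values() if s.kind == "ike" and s.established]


if __name__ == "__main__":
    for tries in (1, 0):
        m = simulate(keyingtries=tries)
        print(f"keyingtries={tries}: established IKE SAs {established_ike(m)}")
        print("\n".join(m.log), "\n")
```

With keyingtries=1 the model ends with no states at all: #4 gives up at 73 s and nothing follows, which is the "connection dies" outcome. With keyingtries=0 a new initiation (#5) is queued at 73 s and establishes once the peer is reachable again, which is the behaviour the reply expects keyingtries to provide.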

