[Swan-dev] IKEv2 finding an IKEv1 connection

Andrew Cagney andrew.cagney at gmail.com
Sun Jun 23 12:36:52 UTC 2019


On Sat, 22 Jun 2019 at 09:00, Andrew Cagney <andrew.cagney at gmail.com> wrote:
>
> https://testing.libreswan.org/v3.28-214-g00f4ca6a5-master/ikev1-ikev2-connswitch-01/OUTPUT/east.pluto.log.gz
>
> The test currently core dumps as the IKEv2 code goes to use the IKE
> proposal suite but discovers it missing.  However, it seems the
> problem is it found the wrong connection:

The code was meant to use the (not exactly obvious) call:

find_next_host_connection(candidate->hp_next, req_policy, policy_exact_mask)

Note the hp_next.

> | Now let's proceed with state specific processing
> | calling processor Respond to IKE_SA_INIT
> | find_host_connection me=192.1.2.23:500 him=192.1.2.45:500
> policy=ECDSA+IKEV2_ALLOW
> | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500
> | find_next_host_connection policy=ECDSA+IKEV2_ALLOW
> | found policy =
> RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
> (westnet-eastnet2)
> | found policy =
> RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
> (westnet-eastnet1)
> | find_next_host_connection returns empty
> | find_host_connection me=192.1.2.23:500 him=%any:500 policy=ECDSA+IKEV2_ALLOW
> | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500
> | find_next_host_connection policy=ECDSA+IKEV2_ALLOW
> | find_next_host_connection returns empty
> | initial parent SA message received on 192.1.2.23:500 but no
> connection has been authorized with policy ECDSA+IKEV2_ALLOW
> | find_host_connection me=192.1.2.23:500 him=192.1.2.45:500
> policy=RSASIG+IKEV2_ALLOW
> | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500
> | find_next_host_connection policy=RSASIG+IKEV2_ALLOW
> | found policy =
> RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
> (westnet-eastnet2)
> | find_next_host_connection returns westnet-eastnet2
> | found connection: westnet-eastnet1 with policy RSASIG+IKEV2_ALLOW
> | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500
> | creating state object #3 at 0x7f92f59de518
> | State DB: adding IKEv2 state #3 in UNDEFINED
> | pstats #3 ikev2.ike started
> | Message ID: init #3: msgid=0 lastack=4294967295 nextuse=0
> lastrecv=4294967295 lastreplied=0
> | parent state #3: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA)
> | Message ID: init_ike #3; ike: initiator.sent=0->-1
> initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1
> wip.initiator=0->-1 wip.responder=0->-1
> | Message ID: start-responder #3 request 0; ike: initiator.sent=-1
> initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1
> wip.responder=-1->0
> | processing: start state #3 connection "westnet-eastnet1" 192.1.2.45
> (in initialize_new_state() at ipsec_doi.c:483)
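The hp_next point above, as an added example that is not libreswan code: a minimal model of a host-pair connection list with the two connections from the quoted log (westnet-eastnet2, IKEv2-only, ahead of westnet-eastnet1, IKEv1-only), a policy-mask search over that list, and the difference between resuming the search from candidate->hp_next and restarting it from the candidate itself. The struct and field names, the POLICY_* bits, the policy_exact_mask value and the connection list order are assumptions constructed for the example.

```c
/* Added example, not libreswan's own code. Models the connection search
 * described in the thread: walk the connections sharing a host pair and
 * return the first whose policy agrees with the request under a mask.
 * All names and bit values below are hypothetical stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t lset_t;

#define POLICY_RSASIG      ((lset_t)1 << 0)
#define POLICY_ECDSA       ((lset_t)1 << 1)
#define POLICY_IKEV1_ALLOW ((lset_t)1 << 2)
#define POLICY_IKEV2_ALLOW ((lset_t)1 << 3)
#define POLICY_ENCRYPT     ((lset_t)1 << 4)

/* Bits that must agree exactly: auth method and IKE version (assumed). */
#define POLICY_EXACT_MASK \
    (POLICY_RSASIG | POLICY_ECDSA | POLICY_IKEV1_ALLOW | POLICY_IKEV2_ALLOW)

struct conn {
    const char *name;
    lset_t policy;
    struct conn *hp_next;  /* next connection on the same host pair */
};

/* Constructed list, in the order the quoted log printed it:
 * westnet-eastnet2 (IKEv2) first, then westnet-eastnet1 (IKEv1). */
static struct conn westnet_eastnet1 = {
    "westnet-eastnet1", POLICY_RSASIG | POLICY_ENCRYPT | POLICY_IKEV1_ALLOW, NULL
};
static struct conn westnet_eastnet2 = {
    "westnet-eastnet2", POLICY_RSASIG | POLICY_ENCRYPT | POLICY_IKEV2_ALLOW,
    &westnet_eastnet1
};

/* First connection at or after c whose masked policy equals the masked
 * request; NULL when the rest of the list has no acceptable entry. */
static struct conn *find_next_host_connection(struct conn *c, lset_t req_policy,
                                              lset_t mask)
{
    for (; c != NULL; c = c->hp_next) {
        if ((c->policy & mask) == (req_policy & mask))
            return c;
    }
    return NULL;
}

/* Search the whole host pair from its head. */
static const char *first_match(lset_t req_policy)
{
    struct conn *c = find_next_host_connection(&westnet_eastnet2, req_policy,
                                               POLICY_EXACT_MASK);
    return c ? c->name : NULL;
}

/* Intended continuation: resume AFTER the candidate via hp_next, so an
 * already-examined connection can never be handed back again. */
static const char *next_after(struct conn *candidate, lset_t req_policy)
{
    struct conn *c = find_next_host_connection(candidate->hp_next, req_policy,
                                               POLICY_EXACT_MASK);
    return c ? c->name : NULL;
}

/* Mistaken continuation: restarting at the candidate itself re-examines it
 * and returns the same connection, so the walk never advances. */
static const char *next_from(struct conn *candidate, lset_t req_policy)
{
    struct conn *c = find_next_host_connection(candidate, req_policy,
                                               POLICY_EXACT_MASK);
    return c ? c->name : NULL;
}

int main(void)
{
    const char *n;
    n = first_match(POLICY_ECDSA | POLICY_IKEV2_ALLOW);
    printf("ECDSA+IKEV2_ALLOW  -> %s\n", n ? n : "(none)");
    n = first_match(POLICY_RSASIG | POLICY_IKEV2_ALLOW);
    printf("RSASIG+IKEV2_ALLOW -> %s\n", n ? n : "(none)");
    n = next_after(&westnet_eastnet2, POLICY_RSASIG | POLICY_IKEV2_ALLOW);
    printf("after eastnet2     -> %s\n", n ? n : "(none)");
    n = next_from(&westnet_eastnet2, POLICY_RSASIG | POLICY_IKEV2_ALLOW);
    printf("from eastnet2      -> %s\n", n ? n : "(none)");
    return 0;
}
```

With the IKE version included in the exact mask, an IKEv2 request can never land on the IKEv1-only connection, which is the authorization property the "no connection has been authorized with policy ..." message is guarding; the hp_next form is what keeps a second pass from returning the connection the first pass already rejected.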
