[Swan-dev] a note on newoe-27-replace-sa-authnull-authnull's core dump
Andrew Cagney
andrew.cagney at gmail.com
Wed May 15 20:55:03 UTC 2019
https://testing.libreswan.org/v3.27-1219-g7142d2c37-master/newoe-27-replace-sa-authnull-authnull/OUTPUT/east.pluto.log.gz
FYI, several things go wrong. Most notably, pluto's inability to
handle an IKE_AUTH where the IKE SA succeeds but the CHILD SA fails.
- IKE_SA_INIT is exchanged
- first IKE_AUTH packet arrives:
-- IKE SA successfully authenticates; it starts constructing the
response; state is transitioned to established _but_ Message IDs are
not updated (since things are still in flux it is too early)
-- CHILD SA barfs and is deleted; the response is thrown away and the
Message IDs aren't updated
- duplicate IKE_AUTH packet arrives:
-- the duplicate isn't recognized because the Message IDs don't line up
-- state machine doesn't match as this is nonsensical
-- then the crash
I've stopped the crash with:
"private-or-clear#192.1.3.0/24"[2] ...192.1.3.209 #3: dropping message
with no matching microcode
More information about the Swan-dev
mailing list