[Swan-dev] a note on newoe-27-replace-sa-authnull-authnull's core dump

Andrew Cagney andrew.cagney at gmail.com
Wed May 15 20:55:03 UTC 2019


FYI, several things go wrong.  Most notably, pluto's inability to
handle an IKE_AUTH where the IKE SA succeeds but the CHILD SA fails.

- IKE_SA_INIT is exchanged

- first IKE_AUTH packet arrives:
-- IKE SA successfully authenticates; it starts constructing the
response; state is transitioned to established _but_ Message IDs are
not updated (since things are still in flux it is too early)
-- CHILD SA barfs and is deleted; the response is thrown away and the
Message IDs aren't updated

- duplicate IKE_AUTH packet arrives:
-- the duplicate isn't recognized because the Message IDs don't line up
-- state machine doesn't match as this is nonsensical
-- then the crash

I've stopped the crash with:

"private-or-clear#"[2] ... #3: dropping message
with no matching microcode

More information about the Swan-dev mailing list