[Swan-dev] IKEv2 responder rekey code is fooed
antony at phenome.org
Sun Apr 19 10:56:11 UTC 2020
Dear fellow developers.
I just noticed the IKEv2 IPsec rekey responder code has regressed beyond
recognition! too many changes after the main regression:) While trying to
figure out I notice logging and debugging lines changed too (possibly old)
some with STATE_ and other without the prefix STATE_. This make it hard to
follow the regression.
I suggest we take pause and retrace the steps. Also changing IKEv2 STATE_ is
, as I recollect, discontented issue. And I feel change has been sneaked in.
Also use of some with STATE_ and others without "STATE_" is annoying.
Main issue: rekey regression seems to started with 8abf1c415a.
currently the pattern is
child state #3: V2_CREATE_R0(established IKE SA) => V2_IPSEC_R(established CHILD SA)
that state transition for #3 seems wrong, it is not re-key transition. I
can't be sure because we have many log changes etc. But one thing is sure
#master is taking same weird code path for IKEv2 rekey responder.
Before this regression: state transition appears to do the right thing.
rekey seems to follow what is expected.
child state #3: V2_CREATE_R0(established IKE SA) => V2_REKEY_CHILD_R0(established IKE SA)
child state #3: V2_REKEY_CHILD_R0(established IKE SA) =>
V2_IPSEC_R(established CHILD SA)
2. log/debug started using short names and mixing them with long state
names. This should not happen! Please keep the state names long and
switching IKEv2 MD.ST from CHILD #3 V2_CREATE_R0 to CHILD #3 V2_CREATE_R0
In some other parts of the log it is full name.
please keep the full name.
"east" #4 complete v2 state STATE_V2_REKEY_CHILD_R0 transition with
STF_SUSPEND suspended from complete_v2_state_transition:3399
NOTE: because of changes to state names since 8abf1c415a in master you will
Apr 18 23:52:26.316312: | child state #3: V2_NEW_CHILD_R0(established IKE SA) => V2_IPSEC_R(established CHILD SA)
It should be something like STATE_V2_REKEY_CHILD_R0 => STATE_V2_IPSEC_R(established)
PS: at first glance initiator code seems ok. Again hard to say becuase of
More information about the Swan-dev