[Swan-dev] Set keyingtries to 1 for Opportunistic Encryption connections

D. Hugh Redelmeier hugh at mimosa.com
Thu Mar 5 23:56:34 UTC 2020


| From: Paul Wouters <paul at nohats.ca>

| On Tue, 3 Mar 2020, Paul Wouters wrote:
| 
| > Current shunt handling cannot deal with this, as the second keyingtries
| > sometimes tries to install a second shunt, which sometimes “works” due to
| > not being widened. This is causing customer issues that are resolved by
| > setting it to 0.
| 
| I meant "resolved by setting it to 1".

I don't really understand the issues.

Do we have a bug report for the shunt issue?

If the shunts fail, except in special cases, and those cases are 
undocumented, we should

- fix the shunts issue (hard, I assume), or

- document the cases that work and forbid the others, or

- forbid OE & tries != 1 (simplest to document)

Here's an add-on to Paul's code [UNTESTED].

Since it changes starterwhack, something I'm not an expert in, the code is 
particularly suspect.

It implements that last policy, I hope.
If one were to delete one line, it would only change a defaulted 
keyingtries.

Why do this?  Because (I hope) the error is generated in a way that is 
easier for the user to observe.  But I'm not even sure of that.

diff --git a/lib/libipsecconf/starterwhack.c b/lib/libipsecconf/starterwhack.c
index ca94639038..2a7b1def5a 100644
--- a/lib/libipsecconf/starterwhack.c
+++ b/lib/libipsecconf/starterwhack.c
@@ -551,6 +551,21 @@ static int starter_whack_basic_add_conn(struct starter_config *cfg,
 	msg.sa_rekey_margin = deltatime(conn->options[KNCF_REKEYMARGIN]);
 	msg.sa_rekey_fuzz = conn->options[KNCF_REKEYFUZZ];
 	msg.sa_keying_tries = conn->options[KNCF_KEYINGTRIES];
+	if (conn->policy & POLICY_OPPORTUNISTIC) {
+		/* opportunistic should default keyingries to 1 */
+		if (!conn->options_set[KNCF_KEYINGTRIES])
+			msg.sa_keying_tries = 1;
+		/*
+		 * ??? Furthermore, any different value is actually an error
+		 * until we straighten out shunt handling.
+		 */
+		if (msg.sa_keying_tries != 1) {
+			starter_log(LOG_LEVEL_ERR,
+				"the connection is Opportunistic, but used keyingtries = %lu. The specified value was changed to 1",
+				msg.sa_keying_tries);
+			msg.sa_keying_tries = 1;
+		}
+	}
 	msg.sa_replay_window = conn->options[KNCF_REPLAY_WINDOW];
 	msg.xfrm_if_id = conn->options[KNCF_XFRM_IF_ID];
 
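Review bot: the second `if` does not actually forbid the combination; it logs at LOG_LEVEL_ERR and then overrides the value (`msg.sa_keying_tries = 1;`), so an explicitly configured `keyingtries=0` or `keyingtries=3` on an Opportunistic connection is silently accepted after the log line. If the intent stated in the mail ("forbid OE & tries != 1") is what this hunk should implement, `starter_whack_basic_add_conn` should return an error for that case instead of continuing with the rewritten value; if the intent is to override, the comment and message should say so and the log level should not be ERR. Two smaller points in the same hunk: the comment on the first branch misspells `keyingtries` as `keyingries`, and since the first branch already sets the value to 1 whenever `options_set[KNCF_KEYINGTRIES]` is false, the message could state that the user explicitly set the conflicting value, which makes the error easier for the user to act on (the mail's stated goal).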

