[Swan-dev] Set keyingtries to 1 for Opportunistic Encryption connections
D. Hugh Redelmeier
hugh at mimosa.com
Thu Mar 5 23:56:34 UTC 2020
| From: Paul Wouters <paul at nohats.ca>
| On Tue, 3 Mar 2020, Paul Wouters wrote:
|
| > Current shunt handling cannot deal with this, as the second keyingtries
| > sometimes tries to install a second shunt, which sometimes “works” due to
| > not being widened. This is causing customer issues that are resolved by
| > setting it to 0.
|
| I meant "resolved by setting it to 1".
I don't really understand the issues.
Do we have a bug report for the shunt issue?
If the shunts fail, except in special cases, and those cases are
undocumented, we should
- fix the shunts issue (hard, I assume), or
- document the cases that work and forbid the others, or
- forbid OE & tries != 1 (simplest to document)
Here's an add-on to Paul's code [UNTESTED].
Since it changes starterwhack, something I'm not an expert in, the code is
particularly suspect.
It implements that last policy, I hope.
If one were to delete one line, it would only change a defaulted
keyingtries.
Why do this? Because (I hope) the error is generated in a way that is
easier for the user to observe. But I'm not even sure of that.
diff --git a/lib/libipsecconf/starterwhack.c b/lib/libipsecconf/starterwhack.c
index ca94639038..2a7b1def5a 100644
--- a/lib/libipsecconf/starterwhack.c
+++ b/lib/libipsecconf/starterwhack.c
@@ -551,6 +551,21 @@ static int starter_whack_basic_add_conn(struct starter_config *cfg,
msg.sa_rekey_margin = deltatime(conn->options[KNCF_REKEYMARGIN]);
msg.sa_rekey_fuzz = conn->options[KNCF_REKEYFUZZ];
msg.sa_keying_tries = conn->options[KNCF_KEYINGTRIES];
+ if (conn->policy & POLICY_OPPORTUNISTIC) {
+ /* opportunistic should default keyingries to 1 */
+ if (!conn->options_set[KNCF_KEYINGTRIES])
+ msg.sa_keying_tries = 1;
+ /*
+ * ??? Furthermore, any different value is actually an error
+ * until we straighten out shunt handling.
+ */
+ if (msg.sa_keying_tries != 1) {
+ starter_log(LOG_LEVEL_ERR,
+ "the connection is Opportunistic, but used keyingtries = %lu. The specified value was changed to 1",
+ msg.sa_keying_tries);
+ msg.sa_keying_tries = 1;
+ }
+ }
msg.sa_replay_window = conn->options[KNCF_REPLAY_WINDOW];
msg.xfrm_if_id = conn->options[KNCF_XFRM_IF_ID];
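Review bot: the second check in the added block (`if (msg.sa_keying_tries != 1)`) logs at LOG_LEVEL_ERR and then overwrites the value with 1, so a non-1 keyingtries on an Opportunistic connection is silently coerced, not forbidden: starter_whack_basic_add_conn carries on and the connection is still added. That does not match the cover note's intent of forbidding OE with tries != 1. Either make it a real rejection by returning an error from the function after the starter_log call, or, if the override is the intended behaviour, log it as a warning rather than an error and keep the "value was changed to 1" wording so the user is not led to think the connection was refused; in both cases including conn->name in the message would tell the user which connection triggered it. Two smaller points in the same block: the "???" comment should be resolved or turned into a plain explanation before this is merged, and the comment "opportunistic should default keyingries to 1" misspells keyingtries.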