[Swan-dev] state numbers in enduser output?

Andrew Cagney andrew.cagney at gmail.com
Tue Mar 5 17:55:21 EET 2024


On Tue, 5 Mar 2024 at 10:23, Paul Wouters via Swan-dev
<swan-dev at lists.libreswan.org> wrote:
>
> On Tue, 5 Mar 2024, Andrew Cagney via Swan-commit wrote:
>
> > Date:   Mon Mar 4 20:15:11 2024 -0500
> >
> >    ikev2: drop .... and NOT sending notify
> >
> >    it's redundant and confusing vis:
> >     "west-cuckold" #4: sent INFORMATIONAL request to delete IKE SA
> >     "west-cuckold" #5: ESP traffic information: in=0B out=0B
> >    -"west-cuckold" #4: deleting IKE SA (IKE_SA_DELETE) and NOT sending notification
> >    +"west-cuckold" #4: deleting IKE SA (STATE_IKESA_DEL)
>
> I'm okay with this, but I thought we were also aiming at removing all
> state names from user output? Eg why not "+"west-cuckold" #4: deleting IKE SA"

Fair question (I wondered if the example was a little misleading).

STATE_IKESA_DEL is the state's story :-(  When it isn't bogus, it is
somewhat useful vis:

 "westnet-eastnet-k2" #1: STATE_V2_PARENT_I1: 3 second timeout
exceeded after 2 retransmits.  No response (or no acceptable response)
to our first IKEv2 message
 "westnet-eastnet-k2" #1: connection is supposed to remain up; revival
attempt 1 scheduled in 0 seconds
 "westnet-eastnet-k2" #1: IMPAIR: revival: skip scheduling revival event
-"westnet-eastnet-k2" #1: deleting IKE SA (PARENT_I1) and NOT sending
notification
+"westnet-eastnet-k2" #1: deleting IKE SA (sent IKE_SA_INIT request)
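Review bot: the first context line of this hunk still prefixes the timeout message with the raw state name STATE_V2_PARENT_I1, while the changed last line now describes the same state as "sent IKE_SA_INIT request". A reader of the log has to know these are the same thing. Consider using the state's story in the timeout line as well, or dropping the parenthetical from the delete line, so that one log excerpt does not name the state two different ways.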

 "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #1: processed
IKE_SA_INIT response from 192.1.2.23:UDP/500 {cipher=AES_GCM_16_256
integ=n/a prf=HMAC_SHA2_512 group=DH19}, initiating IKE_AUTH
 "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #1: IKE SA
authentication request rejected by peer: AUTHENTICATION_FAILED
 "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #1: encountered
fatal error in state STATE_V2_PARENT_I2
-"private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #1: deleting IKE SA
(PARENT_I2) and NOT sending notification
+"private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #1: deleting IKE SA
(sent IKE_AUTH request)
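Review bot: the line just above the change, "encountered fatal error in state STATE_V2_PARENT_I2", still exposes the internal state name, and the new "(sent IKE_AUTH request)" suffix repeats what the earlier lines already say ("initiating IKE_AUTH", then "authentication request rejected by peer"). If the aim is to keep state names out of user-facing output, the fatal-error line needs the same treatment, and the parenthetical on the delete line could be dropped here without losing information.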

but it could easily be dropped.

