[Swan] If there is a bug in Libreswan it could be this !

Paul Wouters paul at nohats.ca
Tue Jan 22 16:33:20 EET 2013


On Tue, 22 Jan 2013, Philippe Vouters wrote:

> from, referring to the original code below:
> 
> aggr_id_and_auth(md, TRUE
>                                         , aggr_inR1_outI2_continue, kc);
> to:
> 
> aggr_id_and_auth(md, FALSE
>                                         , aggr_inR1_outI2_continue, kc);
> 
> ???
> With TRUE, Libreswan is supposed to be the initiator of the VPN connection. With FALSE, it is supposed to be the responder. Please! Tell us whether this single change does make a
> difference.
> Best if accompanied with Libreswan traces. If it makes no difference, reset this source file to the original.
> 
> Original code:
> static stf_status
> aggr_inR1_outI2_tail(struct msg_digest *md
>                      , struct key_continuation *kc)
> {

Note that the function aggr_inR1_outI2_tail() means we are expecting
packet R1, and we will send out packet I2. R stands for responder and
I stands for initiator. Therefore, aggr_inR1_outI2_tail() should only
be called when we are the initiator, and never when we are the
responder. This function (and aggr_inR1_outI2()) is specifically set up
in the state machine to only be called when we are an initiator getting
a first response packet (R1) from the responder.

Paul
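The naming convention Paul describes (a handler named `aggr_inXn_outYm` receives packet Xn and sends packet Ym, and the letter of the packet we send tells us our role) can be decoded mechanically. The following C program is an added example, not Libreswan code: it parses such a handler name, derives the role the way Paul explains it (we are the initiator when we send I-packets and receive R-packets), rejects names that mix roles, and shows the kind of guard a state machine applies so that an initiator-only handler like `aggr_inR1_outI2_tail` is never run on the responder side. The enum, struct and function names are hypothetical and chosen for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical role enum for this example (not Libreswan's own types). */
enum ike_role { ROLE_UNKNOWN = 0, ROLE_INITIATOR, ROLE_RESPONDER };

/* Result of decoding a handler name such as "aggr_inR1_outI2_tail". */
struct state_handler_info {
    char in_pkt[8];      /* packet we expect to receive, e.g. "R1" */
    char out_pkt[8];     /* packet we will send, e.g. "I2" */
    enum ike_role role;  /* role implied by the packet we send */
};

/* Copy the token that follows `marker` ("_in" or "_out") up to the next
 * '_' or the end of the string into dst. Returns false when the marker
 * is absent, the token is empty, or it does not fit in dst. */
static bool copy_token(const char *name, const char *marker,
                       char *dst, size_t dstlen)
{
    const char *p = strstr(name, marker);
    if (p == NULL)
        return false;
    p += strlen(marker);
    size_t n = strcspn(p, "_");
    if (n == 0 || n >= dstlen)
        return false;
    memcpy(dst, p, n);
    dst[n] = '\0';
    return true;
}

/* Decode the convention: the side that sends I-packets and receives
 * R-packets is the initiator, and vice versa for the responder. Names
 * that lack the markers or that mix roles (e.g. inR1_outR2) are rejected. */
bool decode_state_handler(const char *name, struct state_handler_info *out)
{
    memset(out, 0, sizeof *out);
    if (!copy_token(name, "_in", out->in_pkt, sizeof out->in_pkt))
        return false;
    if (!copy_token(name, "_out", out->out_pkt, sizeof out->out_pkt))
        return false;

    char received = out->in_pkt[0];
    char sent = out->out_pkt[0];
    if (sent == 'I' && received == 'R')
        out->role = ROLE_INITIATOR;
    else if (sent == 'R' && received == 'I')
        out->role = ROLE_RESPONDER;
    else
        return false;  /* one side cannot send and receive the same role's packets */
    return true;
}

/* Convenience: the role a handler name implies, or ROLE_UNKNOWN if the
 * name does not follow the convention. */
enum ike_role role_of_handler(const char *name)
{
    struct state_handler_info info;
    return decode_state_handler(name, &info) ? info.role : ROLE_UNKNOWN;
}

/* The guard the state machine is meant to enforce: a handler may run only
 * when the role it encodes matches the role the state actually has. */
bool handler_allowed(const char *handler_name, enum ike_role state_role)
{
    enum ike_role r = role_of_handler(handler_name);
    return r != ROLE_UNKNOWN && r == state_role;
}

int main(void)
{
    const char *names[] = { "aggr_inR1_outI2_tail", "aggr_inI1_outR1",
                            "aggr_inR1_outR2" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        struct state_handler_info info;
        if (decode_state_handler(names[i], &info))
            printf("%-22s expects %s, sends %s, role = %s\n", names[i],
                   info.in_pkt, info.out_pkt,
                   info.role == ROLE_INITIATOR ? "initiator" : "responder");
        else
            printf("%-22s does not follow the naming convention\n", names[i]);
    }
    return 0;
}
```

Running it shows that `aggr_inR1_outI2_tail` decodes to "expects R1, sends I2, initiator", which is exactly why the handler is only reachable from initiator states: `handler_allowed("aggr_inR1_outI2_tail", ROLE_RESPONDER)` is false.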

