[Swan] Addresspool code and "replace SA" versus "delete+add SA"

Paul Wouters paul at nohats.ca
Mon Mar 11 02:28:37 EET 2013


When using the new rightaddresspool= option, we assign IPs for the
remote "rightsubnet" dynamically.

When the same user (as identified by phase1 / cert) comes back while it
was still connected according to the server, it will receive a new IP
address. Then because this is the same user, we call the kernel with a
"replace IPsec SA". However, our old IP for our end is different from
our new IP, and so the "replace" operation fails as it cannot find the
old SA with the new IP to replace, so we are left with the old SA, and
no new SA, while the iphone is not aware something went wrong and is
using the new IP. And traffic won't flow for this new IP.

A little bit later, the DPD code hits, and calls "delete SA" for the old
IP. And after that the client can connect again, because if it then connects
the operation is an "add" and not a "replace", since there is no old SA
left.

In the old days before addresspools, this could never happen. The old SA
and new SA for each user were always using the same endpoints (unless
you would reload that connection, which would delete the old ones).


I'm looking at changing the "replace SA" operation into a "delete SA +
add SA". Does anyone have any comments or insights to offer? I'm a
little hesitant at doing this, because for the case where the old and
new SA _are_ equal, we really should do a replace call to prevent clear
packet leaks. So perhaps it is best to add a check for that, so we can
keep using "replace SA" where possible?

Paul
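The three install strategies discussed in the mail, as an added model (not libreswan code and not from the original post). The kernel's SA table is simplified to an in-memory array looked up by the (local, remote) endpoint pair, and a counter records every "add" that directly follows a "delete" of the same endpoints, i.e. the moment without an SA in which clear packets could leak. All names, the addresses, and the SPIs are assumptions for illustration; the real kernel interface and SA identity (SPI, protocol, destination) are not modeled.

```c
/* Added model (not libreswan code) of "replace SA" vs "delete SA + add SA".
 * Kernel SA table = in-memory array keyed on (local, remote); all names assumed. */
#include <stdbool.h>
#include <string.h>

#define MAX_SAS 8
#define ADDR_LEN 16

struct sa {
    char local[ADDR_LEN];   /* our end */
    char remote[ADDR_LEN];  /* client end, handed out from the address pool */
    unsigned spi;
    bool in_use;
};

struct kernel {
    struct sa table[MAX_SAS];
    char last_del_local[ADDR_LEN], last_del_remote[ADDR_LEN];
    int gap_windows;  /* add immediately after delete of the same endpoints: no SA existed */
};

typedef bool (*install_fn)(struct kernel *, const struct sa *, const struct sa *);

static bool same_endpoints(const char *l1, const char *r1, const char *l2, const char *r2) {
    return strcmp(l1, l2) == 0 && strcmp(r1, r2) == 0;
}

struct sa *kernel_find(struct kernel *k, const char *local, const char *remote) {
    for (int i = 0; i < MAX_SAS; i++)
        if (k->table[i].in_use && same_endpoints(k->table[i].local, k->table[i].remote, local, remote))
            return &k->table[i];
    return NULL;
}

bool kernel_add_sa(struct kernel *k, const struct sa *sa) {
    if (kernel_find(k, sa->local, sa->remote) != NULL)
        return false;  /* already present: caller should have used replace */
    if (same_endpoints(k->last_del_local, k->last_del_remote, sa->local, sa->remote))
        k->gap_windows++;  /* this exact SA was just deleted: clear-packet window */
    for (int i = 0; i < MAX_SAS; i++)
        if (!k->table[i].in_use) { k->table[i] = *sa; k->table[i].in_use = true; return true; }
    return false;
}

bool kernel_replace_sa(struct kernel *k, const struct sa *sa) {
    struct sa *old = kernel_find(k, sa->local, sa->remote);
    if (old == NULL)
        return false;  /* the failure in the mail: nothing at the new endpoints to replace */
    *old = *sa;
    old->in_use = true;
    return true;
}

bool kernel_delete_sa(struct kernel *k, const char *local, const char *remote) {
    struct sa *old = kernel_find(k, local, remote);
    if (old == NULL)
        return false;
    old->in_use = false;
    strcpy(k->last_del_local, local);    /* inputs are bounded by ADDR_LEN in this model */
    strcpy(k->last_del_remote, remote);
    return true;
}

/* Current behaviour: the same user already has an SA, so always "replace". */
bool install_replace(struct kernel *k, const struct sa *old, const struct sa *new_sa) {
    return old ? kernel_replace_sa(k, new_sa) : kernel_add_sa(k, new_sa);
}

/* Proposed change taken literally: always "delete + add". */
bool install_delete_add(struct kernel *k, const struct sa *old, const struct sa *new_sa) {
    if (old)
        kernel_delete_sa(k, old->local, old->remote);
    return kernel_add_sa(k, new_sa);
}

/* With the suggested check: replace when endpoints are unchanged, delete+add otherwise. */
bool install_checked(struct kernel *k, const struct sa *old, const struct sa *new_sa) {
    if (old && same_endpoints(old->local, old->remote, new_sa->local, new_sa->remote))
        return kernel_replace_sa(k, new_sa);
    return install_delete_add(k, old, new_sa);
}

/* Client reconnects while the server still holds its old SA and gets a new pool
 * address (constructed scenario). True if an SA for the new address is installed. */
bool reconnect_with_new_pool_ip(install_fn install) {
    struct kernel k = {0};
    struct sa old = {"192.0.2.1", "10.0.0.5", 0x1000, true};
    struct sa new_sa = {"192.0.2.1", "10.0.0.6", 0x2000, true};
    kernel_add_sa(&k, &old);
    install(&k, &old, &new_sa);
    return kernel_find(&k, new_sa.local, new_sa.remote) != NULL;
}

/* Same user, same endpoints (e.g. a rekey). Returns how many no-SA windows occurred. */
int rekey_same_endpoints_gaps(install_fn install) {
    struct kernel k = {0};
    struct sa old = {"192.0.2.1", "10.0.0.5", 0x1000, true};
    struct sa new_sa = {"192.0.2.1", "10.0.0.5", 0x2000, true};
    kernel_add_sa(&k, &old);
    install(&k, &old, &new_sa);
    return k.gap_windows;
}
```

In this model install_replace reproduces the stuck state from the mail (old SA kept, no SA for the new pool address), install_delete_add fixes the reconnect but opens a no-SA window on every same-endpoint reinstall, and install_checked gets both cases right by keeping "replace" whenever the endpoints have not changed.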

