[Swan] Problem with SAupdate when SA does not exist in the kernel

Paul Wouters pwouters at redhat.com
Thu Sep 12 17:26:05 EEST 2013 

On Thu, 12 Sep 2013, Mattias Walström wrote:

> I have discovered a problem with a non-clean restart of the responder, I have 
> 14 tunnels configured between one initiator and one responder. When I do a 
> "killall -9 pluto" on the responder, it will force pluto to exit, without 
> closing the connection. When pluto starts again I will get an error on the 
> initiator for some of the tunnels (one to three tunnels will not come back up 
> at all):
>
> Jan  5 16:46:50 i pluto[2593]: | setup_half_ipsec_sa() hit fail:
> Jan  5 16:46:50 i pluto[2593]: "ipsec7" #23: ERROR: netlink response for Add 
> SA esp.17d54247 at 198.18.106.2 included errno 3: No such process

There are some known XFRM/NETKEY issues with unclean states in the esp4
module when there is no proper cleanup. I believe Paul Moore fixed these
but its still making its way to upstream linux.

Could you repeat the test, but after you killall -9 pluto, _also_ reboot
the machine?

> To solve this I have made sure that update will not fail even if there has 
> been a problem adding the SA, but I am unsure if this is a proper solution.
>
> I have seen the same problem for both libreswan 3.5 and openswan 2.6.38, but 
> I have only tested to patch for openswan.

So what does this do? Fool pluto into thinking the IPsec SA is up, while
you are leaking plaintext? I'm confused....

Paul

> Regards
> Mattias
>
> Index: openswan-2.6.38/programs/pluto/kernel_netlink.c
> ===================================================================
> --- openswan-2.6.38.orig/programs/pluto/kernel_netlink.c 2013-09-12 
> 11:35:45.853061103 +0200
> +++ openswan-2.6.38/programs/pluto/kernel_netlink.c    2013-09-12 
> 12:09:50.948600196 +0200
> @@ -393,6 +393,7 @@
>         , description, text_said
>         , -rsp.e.error
>         , strerror(-rsp.e.error));
> +    errno = -rsp.e.error;
>     return FALSE;
>     }
>
> @@ -794,6 +795,7 @@
>     } req;
>     struct rtattr *attr;
>     struct aead_alg *aead;
> +    int ret;
>
>     memset(&req, 0, sizeof(req));
>     req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
> @@ -990,8 +992,11 @@
>         attr = (struct rtattr *)((char *)attr + attr->rta_len);
>    }
> #endif
> +    ret = send_netlink_msg(&req.n, NULL, 0, "Add SA", sa->text_said);
> +    if (ret == FALSE && errno == ESRCH && req.n.nlmsg_type == 
> XFRM_MSG_UPDSA)
> +        return netlink_add_sa(sa, 0);
>
> -    return send_netlink_msg(&req.n, NULL, 0, "Add SA", sa->text_said);
> +    return ret;
> }
>
> /** netlink_del_sa - Delete an SA from the Kernel
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
>

More information about the Swan mailing list