[Swan] Problem with SAupdate when SA does not exist in the kernel

Mattias Walström lazzer at gmail.com
Tue Sep 24 13:50:47 EEST 2013


Sorry for the delayed reply, have had some problems with the mailserver.

I have done a lot of tests; the only thing that seems to help when the 
problem occurs is to reboot the initiator or restart pluto on the initiator.

What my patch actually does is handle the error codes from the kernel: 
when openswan fails to update an SA that (for some reason) does not 
exist in the kernel, it handles the error code and inserts the SA in the 
kernel as a new SA. How does this fool pluto?

Mattias

On 09/12/2013 04:26 PM, Paul Wouters wrote:
> On Thu, 12 Sep 2013, Mattias Walström wrote:
>
>> I have discovered a problem with a non-clean restart of the 
>> responder, I have 14 tunnels configured between one initiator and one 
>> responder. When I do a "killall -9 pluto" on the responder, it will 
>> force pluto to exit, without closing the connection. When pluto 
>> starts again I will get an error on the initiator for some of the 
>> tunnels (one to three tunnels will not come back up at all):
>>
>> Jan  5 16:46:50 i pluto[2593]: | setup_half_ipsec_sa() hit fail:
>> Jan  5 16:46:50 i pluto[2593]: "ipsec7" #23: ERROR: netlink response 
>> for Add SA esp.17d54247 at 198.18.106.2 included errno 3: No such process
>
> There are some known XFRM/NETKEY issues with unclean states in the esp4
> module when there is no proper cleanup. I believe Paul Moore fixed these
> but it's still making its way to upstream linux.
>
> Could you repeat the test, but after you killall -9 pluto, _also_ reboot
> the machine?
>
Reboot on the responder does not help, reboot on the initiator helps, 
but that is not really a solution.

>> To solve this I have made sure that update will not fail even if 
>> there has been a problem adding the SA, but I am unsure if this is a 
>> proper solution.
>>
>> I have seen the same problem for both libreswan 3.5 and openswan 
>> 2.6.38, but I have only tested the patch for openswan.
>
> So what does this do? Fool pluto into thinking the IPsec SA is up, while
> you are leaking plaintext? I'm confused....
>
> Paul
>
>> Regards
>> Mattias
>>
>> Index: openswan-2.6.38/programs/pluto/kernel_netlink.c
>> ===================================================================
>> --- openswan-2.6.38.orig/programs/pluto/kernel_netlink.c 2013-09-12 
>> 11:35:45.853061103 +0200
>> +++ openswan-2.6.38/programs/pluto/kernel_netlink.c 2013-09-12 
>> 12:09:50.948600196 +0200
>> @@ -393,6 +393,7 @@
>>         , description, text_said
>>         , -rsp.e.error
>>         , strerror(-rsp.e.error));
>> +    errno = -rsp.e.error;
>>     return FALSE;
>>     }
>>
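Review bot: the new `errno = -rsp.e.error;` makes the global errno the only channel for the kernel's error code, and it is set on just this one `return FALSE;` path; any other failure return in send_netlink_msg (a send or recv error, a reply that is not an ack; not shown in this hunk) leaves errno holding whatever the last libc call produced, so a caller that tests `errno == ESRCH` after a FALSE can act on a stale value from an unrelated call. Returning the kernel's error code explicitly, or adding an `int *err` out-parameter that is zeroed on entry, would make the failure reason unambiguous. If errno is kept, the assignment must stay after the logging call whose arguments (`description`, `text_said`, `strerror(-rsp.e.error)`) precede it, since that call can itself change errno, and a comment should say so.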
>> @@ -794,6 +795,7 @@
>>     } req;
>>     struct rtattr *attr;
>>     struct aead_alg *aead;
>> +    int ret;
>>
>>     memset(&req, 0, sizeof(req));
>>     req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
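Review bot: `ret` is declared as `int` but receives the result of send_netlink_msg, which the later hunk compares against `FALSE` and returns from netlink_add_sa; declaring it with the same boolean type netlink_add_sa returns keeps the comparison and the return type-consistent and makes it obvious at the declaration what the variable carries.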
>> @@ -990,8 +992,11 @@
>>         attr = (struct rtattr *)((char *)attr + attr->rta_len);
>>    }
>> #endif
>> +    ret = send_netlink_msg(&req.n, NULL, 0, "Add SA", sa->text_said);
>> +    if (ret == FALSE && errno == ESRCH && req.n.nlmsg_type == 
>> XFRM_MSG_UPDSA)
>> +        return netlink_add_sa(sa, 0);
>>
>> -    return send_netlink_msg(&req.n, NULL, 0, "Add SA", sa->text_said);
>> +    return ret;
>> }
>>
>> /** netlink_del_sa - Delete an SA from the Kernel
>>
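Review bot: the fallback `return netlink_add_sa(sa, 0);` silently turns an update of an SA the kernel no longer has into a fresh add, with no log line at all, so the event that matters here (pluto believed an SA was installed and the kernel disagreed) leaves no trace; log it at a visible level before recursing, naming `sa->text_said`, so an operator can tell a normal rekey from state that diverged after the responder was killed. Three smaller points: the `errno == ESRCH` test reads a global that is only meaningful if nothing runs between send_netlink_msg returning and this line, which holds as written but deserves a comment; the recursion is bounded only if the second argument `0` makes the nested call send XFRM_MSG_NEWSA rather than XFRM_MSG_UPDSA (not visible in this hunk), so the `req.n.nlmsg_type == XFRM_MSG_UPDSA` condition cannot hold twice, and a comment stating that invariant would help the next reader; and the description string passed to send_netlink_msg is still `"Add SA"` for both message types, so the logged error ("netlink response for Add SA") does not say whether the failing request was an update, which is exactly what this code now branches on.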
>> _______________________________________________
>> Swan mailing list
>> Swan at lists.libreswan.org
>> https://lists.libreswan.org/mailman/listinfo/swan
>>
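The mechanism Mattias describes (an update of an SA the kernel no longer holds, answered with ESRCH, turned into a fresh add), as an added example that is not part of this thread and not openswan or libreswan code: the netlink ACK/NAK is parsed into an explicit error code instead of being passed through errno, only the UPDSA plus ESRCH case is retried as NEWSA, and the fallback is logged so that a divergence between pluto's and the kernel's view leaves a trace, which is the concern Paul raises. It assumes the Linux netlink and XFRM headers; no socket is opened, the kernel's replies and SA database are emulated with constructed data (struct toy_sad, toy_kernel, and the SPI 0x17d54247 from the log line above), and netlink_ack_errno, classify_sa_reply, install_sa and run_scenario are names chosen here.

```c
/* Added example (not openswan/libreswan code): the patch's UPDSA -> ESRCH ->
 * NEWSA fallback, with the kernel error returned explicitly (not via errno)
 * and logged. Assumes Linux netlink/XFRM headers; kernel side is emulated. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <linux/netlink.h>
#include <linux/xfrm.h>

struct ack_msg { struct nlmsghdr nh; struct nlmsgerr err; };  /* ACK/NAK layout */

/* Parse an ACK/NAK into *err as a positive errno (nlmsgerr.error holds -errno,
 * 0 = positive ACK). Returns 0, or -1 if truncated or not an NLMSG_ERROR. */
int netlink_ack_errno(const void *buf, int len, int *err)
{
    const struct nlmsghdr *nh = buf;
    if (!NLMSG_OK(nh, len) || nh->nlmsg_type != NLMSG_ERROR ||
        nh->nlmsg_len < NLMSG_LENGTH(sizeof(struct nlmsgerr)))
        return -1;
    *err = -((const struct nlmsgerr *)NLMSG_DATA(nh))->error;
    return 0;
}

enum sa_result { SA_OK, SA_RETRY_AS_NEW, SA_FAILED };

/* Only ESRCH to an UPDSA is worth a retry: the kernel no longer holds an SA
 * pluto believed was installed, so it must be re-added. All else is fatal. */
enum sa_result classify_sa_reply(uint16_t msg_type, int err)
{
    if (err == 0) return SA_OK;
    if (msg_type == XFRM_MSG_UPDSA && err == ESRCH) return SA_RETRY_AS_NEW;
    return SA_FAILED;
}

struct toy_sad { uint32_t spi[16]; int n; };  /* emulated kernel: SPIs it holds */

static int sad_has(const struct toy_sad *s, uint32_t spi)
{
    for (int i = 0; i < s->n; i++)
        if (s->spi[i] == spi) return 1;
    return 0;
}

/* Emulated kernel: handle one NEWSA/UPDSA and write the ACK/NAK it would send.
 * Same outcomes as xfrm_user: UPDSA on a missing SPI is ESRCH ("No such
 * process", errno 3 in the log above); NEWSA on an existing SPI is EEXIST. */
static int toy_kernel(struct toy_sad *s, uint16_t type, uint32_t spi, struct ack_msg *m)
{
    int exists = sad_has(s, spi), kerr = 0;
    if (type == XFRM_MSG_UPDSA)      kerr = exists ? 0 : ESRCH;
    else if (type != XFRM_MSG_NEWSA) kerr = EOPNOTSUPP;
    else if (exists)                 kerr = EEXIST;
    else if (s->n == 16)             kerr = ENOBUFS;
    else                             s->spi[s->n++] = spi;
    memset(m, 0, sizeof(*m));
    m->nh.nlmsg_len = NLMSG_LENGTH(sizeof(m->err));
    m->nh.nlmsg_type = NLMSG_ERROR;
    m->err.error = -kerr;          /* negative errno, 0 = positive ACK */
    m->err.msg.nlmsg_type = type;  /* echo of the offending request header */
    return (int)m->nh.nlmsg_len;
}

/* pluto side: install (replace != 0: update) the SA for 'spi'. Returns 0 or
 * an errno; *fell_back is set when an UPDSA had to become a NEWSA. */
int install_sa(struct toy_sad *kernel, uint32_t spi, int replace, int *fell_back)
{
    uint16_t type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
    struct ack_msg reply;
    int err = 0;
    *fell_back = 0;
    for (;;) {
        /* toy_kernel fills 'reply' and returns its length before the parse runs */
        if (netlink_ack_errno(&reply, toy_kernel(kernel, type, spi, &reply), &err) < 0)
            return EBADMSG;
        enum sa_result r = classify_sa_reply(type, err);
        if (r == SA_OK) return 0;
        if (r != SA_RETRY_AS_NEW) return err;
        /* Never silent: the kernel dropped an SA pluto believed was up. */
        fprintf(stderr, "SA esp.%08x: update failed (%s), re-adding as new\n",
                spi, strerror(err));
        *fell_back = 1;
        type = XFRM_MSG_NEWSA;   /* a NEWSA can never come back as ESRCH */
    }
}

/* Scenario from the thread: the SA pluto is about to update is gone from the
 * kernel after the responder was killed (SPI from the log). Returns how many
 * of the 4 checks behaved as expected. */
int run_scenario(void)
{
    struct toy_sad kernel = { {0}, 0 };
    unsigned char junk[8] = {0};    /* a truncated reply */
    int fb, e, ok = 0;
    if (install_sa(&kernel, 0x17d54247, 1, &fb) == 0 && fb == 1) ok++; /* fell back */
    if (install_sa(&kernel, 0x17d54247, 1, &fb) == 0 && fb == 0) ok++; /* plain update */
    if (install_sa(&kernel, 0x17d54247, 0, &fb) == EEXIST && fb == 0) ok++; /* no retry */
    if (netlink_ack_errno(junk, sizeof junk, &e) == -1) ok++;  /* malformed reply */
    return ok;
}
```

The point of the explicit error path is that the decision to re-add is made on the code the kernel actually returned for this request, not on whatever the global errno happened to hold, and that a fallback is always logged: a NEWSA after a failed UPDSA does install a real SA, so traffic is not sent in the clear, but the fact that the kernel lost an SA pluto thought was up is the symptom worth seeing in the log.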