[Swan] Problem with SAupdate when SA does not exist in the kernel
Paul Wouters
paul at nohats.ca
Tue Sep 24 17:34:08 EEST 2013
On Tue, 24 Sep 2013, Mattias Walström wrote:
> Sorry for the delayed reply, have had some problems with the mailserver.
>
> I have done a lot of tests, the only thing that seems to help when the
> problem occurs to reboot the initiator or restart pluto on the initator.
>
> What my patch actually does is handle the error codes from the kernel, when
> openswan fails to update an SA that (for some reason) does not exist in the
> kernel, handle the error code and insert the SA in the kernel as a new SA.
Thanks for the feedback. You are correct. The patch has been merged and
will be in libreswan 3.6.
Thanks for the explanation!
Paul
> Mattias
>
> On 09/12/2013 04:26 PM, Paul Wouters wrote:
>> On Thu, 12 Sep 2013, Mattias Walström wrote:
>>
>>> I have discovered a problem with a non-clean restart of the responder, I
>>> have 14 tunnels configured between one initiator and one responder. When I
>>> do a "killall -9 pluto" on the responder, it will force pluto to exit,
>>> without closing the connection. When pluto starts again I will get an
>>> error on the initiator for some of the tunnels (one to three tunnels will
>>> not come back up at all):
>>>
>>> Jan 5 16:46:50 i pluto[2593]: | setup_half_ipsec_sa() hit fail:
>>> Jan 5 16:46:50 i pluto[2593]: "ipsec7" #23: ERROR: netlink response for
>>> Add SA esp.17d54247 at 198.18.106.2 included errno 3: No such process
>>
>> There are some known XFRM/NETKEY issues with unclean states in the esp4
>> module when there is no proper cleanup. I believe Paul Moore fixed these
>> but its still making its way to upstream linux.
>>
>> Could you repeat the test, but after you killall -9 pluto, _also_ reboot
>> the machine?
>>
> Reboot on the responder does not help, reboot on the initiator helps, but
> that is not really a solution.
>
>>> To solve this I have made sure that update will not fail even if there has
>>> been a problem adding the SA, but I am unsure if this is a proper
>>> solution.
>>>
>>> I have seen the same problem for both libreswan 3.5 and openswan 2.6.38,
>>> but I have only tested to patch for openswan.
>>
>> So what does this do? Fool pluto into thinking the IPsec SA is up, while
>> you are leaking plaintext? I'm confused....
>>
>> Paul
>>
>>> Regards
>>> Mattias
>>>
>>> Index: openswan-2.6.38/programs/pluto/kernel_netlink.c
>>> ===================================================================
>>> --- openswan-2.6.38.orig/programs/pluto/kernel_netlink.c 2013-09-12
>>> 11:35:45.853061103 +0200
>>> +++ openswan-2.6.38/programs/pluto/kernel_netlink.c 2013-09-12
>>> 12:09:50.948600196 +0200
>>> @@ -393,6 +393,7 @@
>>> , description, text_said
>>> , -rsp.e.error
>>> , strerror(-rsp.e.error));
>>> + errno = -rsp.e.error;
>>> return FALSE;
>>> }
>>>
>>> @@ -794,6 +795,7 @@
>>> } req;
>>> struct rtattr *attr;
>>> struct aead_alg *aead;
>>> + int ret;
>>>
>>> memset(&req, 0, sizeof(req));
>>> req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
>>> @@ -990,8 +992,11 @@
>>> attr = (struct rtattr *)((char *)attr + attr->rta_len);
>>> }
>>> #endif
>>> + ret = send_netlink_msg(&req.n, NULL, 0, "Add SA", sa->text_said);
>>> + if (ret == FALSE && errno == ESRCH && req.n.nlmsg_type ==
>>> XFRM_MSG_UPDSA)
>>> + return netlink_add_sa(sa, 0);
>>>
>>> - return send_netlink_msg(&req.n, NULL, 0, "Add SA", sa->text_said);
>>> + return ret;
>>> }
>>>
>>> /** netlink_del_sa - Delete an SA from the Kernel
>>>
>>> _______________________________________________
>>> Swan mailing list
>>> Swan at lists.libreswan.org
>>> https://lists.libreswan.org/mailman/listinfo/swan
>>>
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
>
More information about the Swan
mailing list