[Swan] Libreswan state machine. What to do after STATE_QUICK_R2?

Paul Wouters paul at nohats.ca
Fri Apr 9 01:22:58 UTC 2021


On Thu, 8 Apr 2021, Ryszard Styczynski wrote:

> I'm looking for IPsec state machine implemented in Libreswan. I may guess how states are correlated, but having a state machine will give me a final answer.

For IKEv1, the state machine is in programs/pluto/ikev1.c

> My current question is what is the next state after STATE_QUICK_R2? Should the IPsec engine wait for rekeying? How long? How many times should it repeat the waiting step? Should it go back to STATE_MAIN and delete the SA? When?
>
> I currently see in my system that:
> 1. STATE_QUICK_R2 may go to STATE_MAIN_R3, delete SA, and reestablish connection from Phase 1 - it happens after 15 seconds
> 2. STATE_QUICK_R2 may go to STATE_QUICK_R1 and process rekeying - it happens when peer responds quicker than 15 seconds
>
> How to understand why sometimes SA is deleted (what causes 5 minutes line drop), and sometimes rekeying is completed? How to control time limits?

A proper exchange looks like:

paul at thinkpad:~/libreswan.git/testing/pluto/basic-pluto-01 (main=)$ grep STATE_ OUTPUT/east.pluto.log  |grep transition
| IKEv1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
| IKEv1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
| IKEv1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
| IKEv1: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
| IKEv1: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2

Nothing should really happen after 15 seconds, so perhaps you should
show us your logs to see what is happening?

Paul
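As an added example (not part of the thread and not libreswan's own code), the following script parses "transition from state X to state Y" lines of the form shown in Paul's grep output and labels each transition against the responder sequence he lists (Main Mode R0 to R3, then Quick Mode R0 to R2). The labels "rekey" and "restart" are this example's own names for the two cases Ryszard describes (Quick Mode going back to a Quick state, or falling all the way back to a Main Mode state); the log line format and the sample log are assumptions constructed from the thread.

```python
import re

# Expected IKEv1 responder sequence, taken from the grep output in the reply above.
EXPECTED_RESPONDER_ORDER = [
    "STATE_MAIN_R0", "STATE_MAIN_R1", "STATE_MAIN_R2", "STATE_MAIN_R3",
    "STATE_QUICK_R0", "STATE_QUICK_R1", "STATE_QUICK_R2",
]

# Assumed line format, matching the lines quoted in the reply ("| IKEv1: transition ...").
TRANSITION_RE = re.compile(
    r"IKEv1: transition from state (STATE_\w+) to state (STATE_\w+)"
)

# Constructed sample: the five lines from the reply plus two constructed lines
# illustrating the two behaviours described in the question.
SAMPLE_LOG = """\
| IKEv1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
| IKEv1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
| IKEv1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
| IKEv1: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
| IKEv1: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
| some unrelated pluto log line that the parser must ignore
| IKEv1: transition from state STATE_QUICK_R2 to state STATE_QUICK_R1
| IKEv1: transition from state STATE_QUICK_R2 to state STATE_MAIN_R3
"""


def parse_transitions(log_text):
    """Return (from_state, to_state) pairs for every matching line, in log order."""
    pairs = []
    for line in log_text.splitlines():
        m = TRANSITION_RE.search(line)
        if m:
            pairs.append(m.groups())
    return pairs


def classify(frm, to):
    """Label one transition. The labels are this example's, not libreswan's."""
    if frm in EXPECTED_RESPONDER_ORDER:
        i = EXPECTED_RESPONDER_ORDER.index(frm)
        if i + 1 < len(EXPECTED_RESPONDER_ORDER) and to == EXPECTED_RESPONDER_ORDER[i + 1]:
            return "expected"
    if frm.startswith("STATE_QUICK_") and to.startswith("STATE_QUICK_"):
        return "rekey"      # Phase 2 renegotiated while the Phase 1 SA is kept
    if frm.startswith("STATE_QUICK_") and to.startswith("STATE_MAIN_"):
        return "restart"    # fell back to Phase 1: the connection was rebuilt
    return "unexpected"


def summarize(log_text):
    """Label every transition and count the labels, so a restart stands out."""
    labelled = [(frm, to, classify(frm, to)) for frm, to in parse_transitions(log_text)]
    counts = {}
    for _, _, label in labelled:
        counts[label] = counts.get(label, 0) + 1
    return {"transitions": labelled, "counts": counts}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for frm, to, label in result["transitions"]:
        print(f"{label:10s} {frm} -> {to}")
    print(result["counts"])
```

Run it against `OUTPUT/east.pluto.log` (or any pluto log) by reading the file into `summarize()`; a non-zero "restart" count is the case where the SA was deleted and Phase 1 was redone, which is what to look for before comparing timings.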


More information about the Swan mailing list