[Ipsec-tools-devel] DPD and 0.63

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

I have been investigating a problem with DPD.  For my initial testing I
have VPNS setup that use FreeBSD kernels configured for NAT-T that do
not need to require NAT-T.  If I let the connection get established and
then disconnect a network cable I see DPD tear down the ISAKMP-SA and
one of the IPsec-SAs.  For my testing I was monitoring the originating
side and always saw the connection from the non-orginaating side being
removed.  

Doing some debuging I found the problem to be in purge_remote() as
called by isakmp_info_send_r_u() if a dead peer is detected.

The problem is with the following:
	/*
	 * check in/outbound SAs.
	 * Select only SAs where src == local and dst == remote (outgoing)
	 * or src == remote and dst == local (incoming).
	 */
	if ((CMPSADDR(iph1->local, src) || CMPSADDR(iph1->remote, dst)) &&
		(CMPSADDR(iph1->local, dst) || CMPSADDR(iph1->remote, src))) {
		msg = next;
		continue;
	}

The macro CMPSADDR calls cmpsaddrstrict() if ENABLE_NATT is set.
In my configuration the originating IPsec-SA has a source and
destination ports of 0.  This causes the above code to skip an
IPsec-SA it should delete.  The following change to cmpsaddrstrict():
from
		if (port1 != port2)
to
                if ( port1 != 0 && port2 != 0 && port1 != port2)

fixes the DPD problem.  I am concerned that this change might break 
NAT-T.  Testing of this is next.  A possible better fix might be to
set the ports in the orginating IPsec-SA.  I havn't looked into
how difficult this would be.

Any thoughts?

Larry

-- 
------------------------------------------------------------------------
Larry Baird                        | http://www.gta.com
Global Technology Associates, Inc. | Orlando, FL
Email: la...@gt...                 | TEL 407-380-0220, FAX 407-380-6080