From: Larry B. <la...@gt...> - 2005-12-15 13:55:13
I have been investigating a problem with DPD. For my initial testing I have VPNs set up that use FreeBSD kernels configured for NAT-T that do not need to require NAT-T. If I let the connection get established and then disconnect a network cable, I see DPD tear down the ISAKMP-SA and one of the IPsec-SAs. For my testing I was monitoring the originating side and always saw the connection from the non-originating side being removed.

Doing some debugging I found the problem to be in purge_remote() as called by isakmp_info_send_r_u() if a dead peer is detected. The problem is with the following:

    /*
     * check in/outbound SAs.
     * Select only SAs where src == local and dst == remote (outgoing)
     * or src == remote and dst == local (incoming).
     */
    if ((CMPSADDR(iph1->local, src) || CMPSADDR(iph1->remote, dst)) &&
        (CMPSADDR(iph1->local, dst) || CMPSADDR(iph1->remote, src))) {
        msg = next;
        continue;
    }

The macro CMPSADDR calls cmpsaddrstrict() if ENABLE_NATT is set. In my configuration the originating IPsec-SA has source and destination ports of 0. This causes the above code to skip an IPsec-SA it should delete. The following change to cmpsaddrstrict():

from

    if (port1 != port2)

to

    if (port1 != 0 && port2 != 0 && port1 != port2)

fixes the DPD problem. I am concerned that this change might break NAT-T. Testing of this is next. A possible better fix might be to set the ports in the originating IPsec-SA. I haven't looked into how difficult this would be.

Any thoughts?

Larry

-- 
------------------------------------------------------------------------
Larry Baird                              | http://www.gta.com
Global Technology Associates, Inc.       | Orlando, FL
Email: la...@gt...                      | TEL 407-380-0220, FAX 407-380-6080
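The following is an added, self-contained example that is not part of Larry's post or of the racoon/ipsec-tools source. It models the SA-selection predicate from purge_remote() quoted above with two address comparators: one that compares ports strictly, as the post describes cmpsaddrstrict(), and one with the proposed change that treats a zero port on either side as a wildcard. The SA list, the endpoint addresses (192.0.2.1 and 198.51.100.1, port 500) and the function names are constructed for the example; the post gives none of them. It shows why the originating IPsec-SA with src/dst ports of 0 survives the purge under the strict comparison and is swept under the relaxed one.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Comparator signature: 0 when the two endpoints are considered equal,
 * non-zero otherwise (the sense of cmpsaddrstrict() as used via CMPSADDR). */
typedef int (*cmpfn)(const struct sockaddr_in *, const struct sockaddr_in *);

/* Strict comparison: address and port must both match. */
static int cmp_strict(const struct sockaddr_in *a, const struct sockaddr_in *b)
{
    if (a->sin_addr.s_addr != b->sin_addr.s_addr)
        return 1;
    if (ntohs(a->sin_port) != ntohs(b->sin_port))
        return 1;
    return 0;
}

/* Larry's proposed relaxation: a zero port on either side matches any port. */
static int cmp_wildcard_port(const struct sockaddr_in *a, const struct sockaddr_in *b)
{
    uint16_t port1 = ntohs(a->sin_port), port2 = ntohs(b->sin_port);
    if (a->sin_addr.s_addr != b->sin_addr.s_addr)
        return 1;
    if (port1 != 0 && port2 != 0 && port1 != port2)
        return 1;
    return 0;
}

/* The purge_remote() predicate quoted in the post. Returns 1 when the SA
 * runs between local and remote in either direction (it would be deleted),
 * 0 when the loop would skip it. */
static int sa_belongs_to_peer(cmpfn cmp,
                              const struct sockaddr_in *local,
                              const struct sockaddr_in *remote,
                              const struct sockaddr_in *src,
                              const struct sockaddr_in *dst)
{
    if ((cmp(local, src) || cmp(remote, dst)) &&
        (cmp(local, dst) || cmp(remote, src)))
        return 0;
    return 1;
}

static void mkaddr(struct sockaddr_in *sa, const char *ip, uint16_t port)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    inet_pton(AF_INET, ip, &sa->sin_addr);
}

/* One SA from a constructed SADB dump (assumed values, not from the post). */
struct sa_entry {
    const char *src; uint16_t sport;
    const char *dst; uint16_t dport;
};

/* Constructed scenario: ISAKMP endpoints carry port 500, the originating
 * (outbound) IPsec-SA was installed with ports 0, the inbound SA with 500,
 * and a third SA belongs to an unrelated peer and must never be purged. */
static const struct sa_entry SADB[] = {
    { "192.0.2.1",      0, "198.51.100.1",   0 },  /* originating IPsec-SA, ports 0 */
    { "198.51.100.1", 500, "192.0.2.1",    500 },  /* inbound IPsec-SA from the peer */
    { "192.0.2.1",    500, "203.0.113.7",  500 },  /* SA to a different peer */
};

/* Run the predicate over the constructed list and count the SAs purged. */
static int count_purged(cmpfn cmp)
{
    struct sockaddr_in local, remote;
    int purged = 0;
    mkaddr(&local, "192.0.2.1", 500);
    mkaddr(&remote, "198.51.100.1", 500);
    for (size_t i = 0; i < sizeof SADB / sizeof SADB[0]; i++) {
        struct sockaddr_in src, dst;
        mkaddr(&src, SADB[i].src, SADB[i].sport);
        mkaddr(&dst, SADB[i].dst, SADB[i].dport);
        purged += sa_belongs_to_peer(cmp, &local, &remote, &src, &dst);
    }
    return purged;
}

int purged_with_strict(void)   { return count_purged(cmp_strict); }
int purged_with_wildcard(void) { return count_purged(cmp_wildcard_port); }

int main(void)
{
    printf("strict compare   purges %d SA(s)\n", purged_with_strict());    /* 1 */
    printf("wildcard compare purges %d SA(s)\n", purged_with_wildcard());  /* 2 */
    return 0;
}
```

Only the zero-port SA behaves differently between the two comparators: the unrelated peer's SA is skipped under both, and an SA whose ports are non-zero still has to match the peer's port exactly under the relaxed rule, which is the property to check when testing the change against NAT-T as the post proposes.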