From: Patrick M. <ka...@tr...> - 2005-04-22 09:29:19
When an acquire message is received from the kernel, racoon looks for an existing ph2 handle and ignores the acquire message if one exists. It looks up the ph2 handle by policy id, which means only a single ph2 handle can exist at a time for each policy. This is ok for tunnel mode where only a single peer exists, but in transport mode there can be an arbitrary number. This comment from handler.h suggests that what is really intended is to look up the handle by (src, dst, policy id); this is what this patch does.

    /* Phase 2 handler */
    /* allocated per a SA or SA bundles of a pair of peer's IP addresses. */

getph2byspid() is unused now and could possibly be removed.

To demonstrate the problem:

    uml:~# setkey -DP
    0.0.0.0/0[any] 10.0.0.0/24[any] any
            in ipsec
            esp/transport//use
            created: Apr 22 09:14:41 2005  lastused:
            lifetime: 0(s) validtime: 0(s)
            spid=200 seq=1 pid=282
            refcnt=1
    10.0.0.0/24[any] 0.0.0.0/0[any] any
            out ipsec
            esp/transport//use
            created: Apr 22 09:14:41 2005  lastused: Apr 22 09:15:56 2005
            lifetime: 0(s) validtime: 0(s)
            spid=193 seq=0 pid=282
            refcnt=3

    uml:~# ping 1.2.3.4 -c 1
    2005-04-22 09:15:52: DEBUG: get pfkey ACQUIRE message
    ...
    2005-04-22 09:15:52: INFO: IPsec-SA request for 1.2.3.4 queued due to no phase1 found.
    2005-04-22 09:15:52: INFO: initiate new phase 1 negotiation: 10.0.0.1[500]<=>1.2.3.4[500]

    uml:~# ping 1.2.3.5 -c 1
    2005-04-22 09:15:56: DEBUG: get pfkey ACQUIRE message
    2005-04-22 09:15:56: DEBUG: ignore the acquire because ph2 found

With the patch applied racoon correctly tries to establish SAs with both peers.
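As an added illustration, not part of the mail above or of racoon's source: a simplified C model of the two lookup strategies, replaying the trace (an ACQUIRE for 1.2.3.4 already created a ph2 handle under spid 193, then an ACQUIRE for 1.2.3.5 arrives on the same transport-mode policy). The struct layout, addresses kept as strings, and the patched lookup's name getph2bysaddr_spid are assumptions; racoon's real ph2handle holds sockaddrs.

```c
#include <stddef.h>
#include <string.h>

/* Constructed, simplified stand-in for racoon's ph2handle: addresses are
 * kept as strings here, whereas racoon stores full sockaddrs. */
struct ph2 {
    const char *src;   /* local address */
    const char *dst;   /* peer address */
    unsigned    spid;  /* policy id (SPD entry) the SA is negotiated for */
    int         in_use;
};

/* Pre-patch lookup: match on policy id alone, so one handle per policy. */
static struct ph2 *getph2byspid(struct ph2 *tab, size_t n, unsigned spid)
{
    for (size_t i = 0; i < n; i++)
        if (tab[i].in_use && tab[i].spid == spid)
            return &tab[i];
    return NULL;
}

/* Patched lookup (name assumed): match on (src, dst, spid), i.e. one
 * handle per peer pair per policy, as the handler.h comment describes. */
static struct ph2 *getph2bysaddr_spid(struct ph2 *tab, size_t n,
                                      const char *src, const char *dst,
                                      unsigned spid)
{
    for (size_t i = 0; i < n; i++)
        if (tab[i].in_use && tab[i].spid == spid &&
            strcmp(tab[i].src, src) == 0 && strcmp(tab[i].dst, dst) == 0)
            return &tab[i];
    return NULL;
}

/* Replay the mail's trace: the ACQUIRE for 1.2.3.4 already left a handle
 * under spid 193 (the transport-mode "out" policy); now an ACQUIRE for
 * 1.2.3.5 arrives on the same policy. Returns 1 if racoon would log
 * "ignore the acquire because ph2 found", 0 if it would negotiate. */
int acquire_ignored(int lookup_by_spid_only)
{
    struct ph2 tab[4] = { { "10.0.0.1", "1.2.3.4", 193, 1 } };
    const char *src = "10.0.0.1", *dst = "1.2.3.5";
    struct ph2 *hit = lookup_by_spid_only
        ? getph2byspid(tab, 4, 193)
        : getph2bysaddr_spid(tab, 4, src, dst, 193);
    return hit != NULL;
}
```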