Menu
▾
▴
[Ipsec-tools-devel] [PATCH, 2nd RESEND]: Fix ph2 lookup on acquire
|
From: Patrick M. <ka...@tr...> - 2005-04-22 09:29:19
|
When an acquire message is received from the kernel, racoon looks
for an existing ph2 handle and ignores the acquire message if one
exists. It looks up the ph2 handle by policy id, which means only
a single ph2 handle can exist at a time for each policy. This is ok
for tunnel mode where only a single peer exists, but in transport
mode there can be an arbitary number,
This comment from handler.h suggests that what is really intended
is to look up the handle by (src,dst,policy id), this is what this
patch does.
/* Phase 2 handler */
/* allocated per a SA or SA bundles of a pair of peer's IP addresses. */
getph2byspid() is unused now and could possibly be removed.
To demonstrate the problem:
uml:~# setkey -DP
0.0.0.0/0[any] 10.0.0.0/24[any] any
in ipsec
esp/transport//use
created: Apr 22 09:14:41 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=200 seq=1 pid=282
refcnt=1
10.0.0.0/24[any] 0.0.0.0/0[any] any
out ipsec
esp/transport//use
created: Apr 22 09:14:41 2005 lastused: Apr 22 09:15:56 2005
lifetime: 0(s) validtime: 0(s)
spid=193 seq=0 pid=282
refcnt=3
uml:~# ping 1.2.3.4 -c 1
2005-04-22 09:15:52: DEBUG: get pfkey ACQUIRE message
...
2005-04-22 09:15:52: INFO: IPsec-SA request for 1.2.3.4 queued due to no
phase1 found.
2005-04-22 09:15:52: INFO: initiate new phase 1 negotiation:
10.0.0.1[500]<=>1.2.3.4[500]
uml:~# ping 1.2.3.5 -c 1
2005-04-22 09:15:56: DEBUG: get pfkey ACQUIRE message
2005-04-22 09:15:56: DEBUG: ignore the acquire because ph2 found
With the patch applied racoon correctly tries to establish SAs with
both peers.
|