From: VANHULLEBUS Y. <va...@fr...> - 2005-07-25 07:51:38
On Mon, Jul 25, 2005 at 12:19:30AM +0200, Krzysztof Oledzki wrote:
[....]
> Attached patch solves my problem of purging valid IPsec-SAs while purging
> ISAKMP-SA even if there is another valid ISAKMP-SA. In such case IPsec-SAs
> are no longer purged:

I find it really strange that this patch solves a problem...

Your patch changes purge_remote() so it now tries to find a new ph1handle for ph2handles related to the ph1handle to purge.

First, purge_remote can be called only by a very limited number of functions:
- Some functions in admin.c, I guess that's not your case.
- purgeph1bylogin(), only on HEAD branch.
- isakmp_info_recv_d(), when getting a DELETE_SA for an Isakmp_SA (is it interesting to also flush IPSec SAs when getting such a message?)
- isakmp_info_send_r_u(), when detecting a dead peer.

And in such a case, we *want* to delete everything related to this peer (well, I guess that we can keep IPSec SAs if a new IsakmpSA has been negotiated).

Can you run with lots of debug (at least -dd), and check if you have some problems because of a DELETE_SA or because of DPD failure?

And there is another minor problem with your patch: ph2handles are bound to a ph1handle only during their negotiation, so binding ph2handles to newph1 is a bad idea:
- If the ph2handle is established (PHASE2ST_ESTABLISHED or PHASE2ST_EXPIRED), do nothing (do not delete it, but do NOT bind it to the new ph1handle).
- If the ph2handle is still in negotiation, check if it is bound to the ph1handle we are deleting. If that's the case, I guess we'll have to delete the ph2handle as well. But if we have a new ph1handle for this peer, the ph2handle is probably already bound to this new one.
I'll commit a modified version of your patch today (if you can generate a new one modified to fit my remarks, I'll commit it, or I'll find some time today to do the modifs and the commit), but I would like to have the information I asked for above, to understand why you have such a problem (by DELETE_SAs, or by DPD failure).

Yvan.
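The ph2handle rule Yvan describes (keep established or expired ph2handles untouched and unbound, delete only ph2handles still negotiating on the ph1handle being purged, leave ones already bound to a newer ph1handle alone) written out as a stand-alone C model. This is an added example, not racoon's own code: the structs, the list layout, the PHASE2ST_NEGOTIATING state, and the function names ph2_should_delete, purge_ph2_for_ph1 and demo_purge are hypothetical and constructed only to show the decision rule; only PHASE2ST_ESTABLISHED and PHASE2ST_EXPIRED come from the mail.

```c
/* Added example: a minimal model of the ph2handle purge rule from the mail
 * above. NOT racoon's code: structs, list handling, PHASE2ST_NEGOTIATING and
 * every function name here are hypothetical, constructed for illustration. */
#include <stdio.h>
#include <stdlib.h>

/* Phase-2 states: the two names from the mail plus one constructed
 * "still negotiating" state. */
enum ph2status {
    PHASE2ST_NEGOTIATING = 1,   /* hypothetical: ph2 still in negotiation */
    PHASE2ST_ESTABLISHED,
    PHASE2ST_EXPIRED
};

struct ph1handle {
    int id;                     /* hypothetical identifier */
};

struct ph2handle {
    int id;
    enum ph2status status;
    struct ph1handle *ph1;      /* bound ph1 only while negotiating, else NULL */
    struct ph2handle *next;
};

/* Decide what happens to one ph2handle when ph1 `dying` is purged:
 *  - established or expired ph2: keep it, and do NOT rebind it;
 *  - negotiating ph2 bound to `dying`: delete it;
 *  - negotiating ph2 bound elsewhere (e.g. a newer ph1): keep it.
 * Returns 1 if the ph2 should be deleted, 0 if it should be kept. */
int ph2_should_delete(const struct ph2handle *iph2, const struct ph1handle *dying)
{
    if (iph2->status == PHASE2ST_ESTABLISHED || iph2->status == PHASE2ST_EXPIRED)
        return 0;
    return iph2->ph1 == dying;
}

/* Walk the ph2 list, free the ones that must go, return how many were
 * deleted. The head is passed by pointer so deletion at the head works. */
int purge_ph2_for_ph1(struct ph2handle **head, const struct ph1handle *dying)
{
    int deleted = 0;
    struct ph2handle **pp = head;
    while (*pp) {
        struct ph2handle *cur = *pp;
        if (ph2_should_delete(cur, dying)) {
            *pp = cur->next;    /* unlink, then free */
            free(cur);
            deleted++;
        } else {
            pp = &cur->next;
        }
    }
    return deleted;
}

static struct ph2handle *ph2_new(int id, enum ph2status st,
                                 struct ph1handle *ph1, struct ph2handle *next)
{
    struct ph2handle *p = malloc(sizeof *p);
    if (!p) { perror("malloc"); exit(1); }
    p->id = id; p->status = st; p->ph1 = ph1; p->next = next;
    return p;
}

/* Constructed scenario: an old ph1 being purged while a newer ph1 for the
 * same peer already exists. Returns deleted*100 + remaining (expected 103). */
int demo_purge(void)
{
    struct ph1handle oldph1 = { 1 }, newph1 = { 2 };
    struct ph2handle *list = NULL;
    list = ph2_new(10, PHASE2ST_ESTABLISHED, NULL, list);     /* keep   */
    list = ph2_new(11, PHASE2ST_NEGOTIATING, &oldph1, list);  /* delete */
    list = ph2_new(12, PHASE2ST_NEGOTIATING, &newph1, list);  /* keep   */
    list = ph2_new(13, PHASE2ST_EXPIRED, NULL, list);         /* keep   */

    int deleted = purge_ph2_for_ph1(&list, &oldph1);
    int remaining = 0;
    for (struct ph2handle *p = list; p; p = p->next)
        remaining++;
    while (list) { struct ph2handle *n = list->next; free(list); list = n; }
    return deleted * 100 + remaining;
}

int main(void)
{
    int r = demo_purge();
    printf("deleted=%d remaining=%d\n", r / 100, r % 100);
    return 0;
}
```

The point of the model is the first branch of ph2_should_delete: an established SA never depends on the ph1handle it was negotiated under, so purging that ph1handle neither deletes nor rebinds it; only an in-flight negotiation on the dying ph1handle is lost.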