Re: [Ipsec-tools-devel] 0.6.1 release schedule

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On Mon, Jul 25, 2005 at 12:19:30AM +0200, Krzysztof Oledzki wrote:
[....]
> Attached patch solves my problem of purging valid IPsec-SAs while purging 
> ISAKMP-SA even if there is another valid ISAKMP-SA. In such case IPsec-SAs 
> are no longer purged:

I find really strange that this pache solves a problem...

Your patch changes purge_remote() so it now tries to find a new
ph1handle for ph2handles related to the ph1handle to purge.

First, purge_remote can be called only by a very limited amount of
functions:

- Some functions in admin.c, guess that's not your case.

- purgeph1bylogin(), only on HEAD branch.

- isakmp_info_recv_d(), when getting a DELETE_SA for an Isakmp_SA (is
  it interesting to also flush IPSecSAs when getting such a message ?)

- isakmp_info_send_r_u(), when detecting a dead peer. And in such a
  case, we *want* to delete everything related to this peer (well, I
  guess that we can keep IPSec SAs if a new IsakmpSA has been
  negociated).

Can you run with lots of debug (at least -dd), and check if you have
some problems because of a DELETE_SA or because of DPD failure ?

And there is another minor problem with your patch: ph2handles are
binded to a ph1handle only during their negociation, so binding
ph2handles to newph1 is a bad idea:

- If the ph2handle is established (PHASE2ST_ESTABLISHED or
  PHASE2ST_EXPIRED), do nothing (do not delete it, but do NOT bind it
  to the new ph1handle).

- If the ph2handle is still in negociation, check if it is binded to
  the ph1handle we are deleting. If that's the case, I guess we'll
  have to delete the ph2handle as well. But if we have a new ph1handle
  for this peer, the ph2handle is probably already binded to this new
  one.

I'll commit a modified version of your patch today (if you can
generate a new one modofied to fit my remarks, I'll commit it, or I'll
find some time today to do the modifs and the commit), but I would
like to have the information I asked upper, to understand why you have
such a problem (by DELETE_SAs, or by DPD failure).

Yvan.