From: Matthew G. <mg...@sh...> - 2006-11-29 04:22:59
Darrel Goeddel wrote:

> In the case that it should be checking phase1 ports against the encapsulation
> port of the phase2, I have included a patch below that addresses two instances
> where the change should occur. These two changes alleviate the problems that were
> standing in my way, but I suspect that the other invocations of CMPSADDR should
> also be examined. I'd appreciate any feedback on the approach, including the
> possibility that we are way off on what I think is/should be happening. It may
> be that I am just confused about the way ports are being treated... In the case
> of the latter, I'd appreciate a schooling on what racoon is doing.

If I understand the problem correctly, the ports are being compared because there
may be multiple peers behind a NAT device which share the same address but will
have different translated ports specified. If the comparison is performed without
the ports, you could potentially remove SAs that are still valid and in use.

My guess is that there is a subtle platform difference when dumping sad entries
where BSD returns the NATT ports as part of the sadb_address extension and Linux
returns 0 values. This would explain why the CMPSADDR would cause problems on
Linux but not on BSD.

For what it's worth, I think your patch contains the correct approach. I'm just
wondering if this couldn't be solved at the libipsec level so we don't have to
include multiple special cases throughout racoon. I'm sure Manu and Yvan will
chime in as they have quite a bit more NATT know-how than I do.

-Matthew
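The two failure modes Matthew describes, illustrated with an added C example that is not part of the thread or of racoon's or libipsec's code. The SA table, the peers, the addresses (192.0.2.10 with NAT-translated ports 4500 and 4501) and the helper names (`cmp_addr_only`, `cmp_addr_port`, `count_matches`, the scenario functions) are all constructed for this illustration and are not racoon's CMPSADDR. The first scenario shows why an address-only comparison is unsafe when two peers sit behind one NAT: a lookup keyed on peer A also selects peer B's SA. The second shows what happens if the SAD dump reports port 0 for NAT-T entries, which is what Matthew guesses Linux does: a comparison that includes ports then never matches the live entry.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* One entry of a toy SA table: only the peer's (possibly NAT-translated) address. */
struct sa_entry {
    const char *label;
    struct sockaddr_in peer;
};

/* Comparator contract, modelled loosely on a CMPSADDR-style macro: 0 means "equal". */
typedef int (*addr_cmp_fn)(const struct sockaddr_in *, const struct sockaddr_in *);

/* Build an IPv4 sockaddr from dotted-quad text and a host-order port (hypothetical helper). */
static struct sockaddr_in make_addr(const char *ip, unsigned short port)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1)
        sa.sin_family = AF_UNSPEC;        /* flag unparsable input instead of silently matching */
    return sa;
}

/* Address-only comparison: ignores the port entirely. */
int cmp_addr_only(const struct sockaddr_in *a, const struct sockaddr_in *b)
{
    if (a->sin_family != b->sin_family || a->sin_family != AF_INET)
        return 1;
    return memcmp(&a->sin_addr, &b->sin_addr, sizeof a->sin_addr) != 0;
}

/* Address-and-port comparison: the NAT-T translated port is part of the identity. */
int cmp_addr_port(const struct sockaddr_in *a, const struct sockaddr_in *b)
{
    if (cmp_addr_only(a, b) != 0)
        return 1;
    return a->sin_port != b->sin_port;
}

/* How many SA entries a deletion keyed on `peer` would select under comparator `cmp`. */
int count_matches(const struct sa_entry *tab, int n,
                  const struct sockaddr_in *peer, addr_cmp_fn cmp)
{
    int hits = 0;
    for (int i = 0; i < n; i++)
        if (cmp(&tab[i].peer, peer) == 0)
            hits++;
    return hits;
}

/* Scenario 1 (constructed): two peers behind one NAT share 192.0.2.10 but have
 * different translated ports. Deleting peer A's SA must not touch peer B's. */
int matches_for_nat_peer(addr_cmp_fn cmp)
{
    struct sa_entry tab[2] = {
        { "peer A (NAT port 4500)", make_addr("192.0.2.10", 4500) },
        { "peer B (NAT port 4501)", make_addr("192.0.2.10", 4501) },
    };
    struct sockaddr_in lookup = make_addr("192.0.2.10", 4500);
    return count_matches(tab, 2, &lookup, cmp);
}

/* Scenario 2 (constructed): the SAD dump reports the entry with port 0, as Matthew
 * guesses Linux does, while the lookup key still carries the real NAT-T port. */
int matches_for_zero_port_dump(addr_cmp_fn cmp)
{
    struct sa_entry tab[1] = {
        { "peer A as dumped with port 0", make_addr("192.0.2.10", 0) },
    };
    struct sockaddr_in lookup = make_addr("192.0.2.10", 4500);
    return count_matches(tab, 1, &lookup, cmp);
}

int main(void)
{
    printf("NAT peers, address only : %d entries selected (over-deletes)\n",
           matches_for_nat_peer(cmp_addr_only));
    printf("NAT peers, address+port : %d entry selected\n",
           matches_for_nat_peer(cmp_addr_port));
    printf("port-0 dump, address only: %d entry selected\n",
           matches_for_zero_port_dump(cmp_addr_only));
    printf("port-0 dump, address+port: %d entries selected (misses live SA)\n",
           matches_for_zero_port_dump(cmp_addr_port));
    return 0;
}
```

Read together, the two scenarios are the tension in the thread: comparing ports is what keeps NAT'd peers apart, but it only works if every code path that produces a sockaddr (including the SAD dump) fills the port in consistently, which is the case for normalising this in one place such as libipsec rather than in each CMPSADDR call site.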