Re: [strongSwan-dev] HA: sync issue

[Emeric POUPON]

Hello,

For your information, removing the ike sa if the configuration is missing 
solves this problem.
Since the CHILD SA are not getting installed, I don't really see any benefit to 
keep the unknown IKE SA?

diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c 
b/src/libcharon/plugins/ha/ha_dispatcher.c
index e20e872..32ed4ea 100644
--- src/libcharon/plugins/ha/ha_dispatcher.c
+++ src/libcharon/plugins/ha/ha_dispatcher.c
@@ -373,6 +373,14 @@ static void process_ike_update(private_ha_dispatcher_t 
*this,
                                else                            
                                {                               
                                        DBG1(DBG_IKE, "HA is missing nodes peer 
configuration");
+       
+                                       /* Do not manage IKE SA and further 
associated IPSEC SA
+                                        * if they are not in the configuration
+                                        */
+                                       this->cache->delete(this->cache, 
ike_sa);
+                                        
charon->ike_sa_manager->checkin_and_destroy(
+                                                                               
                charon->ike_sa_manager, ike_sa);
+                                        ike_sa = NULL;
                                }                               
                                break;                          
                        case HA_EXTENSIONS:             


Best Regards,

Emeric

----- Mail original -----
De: "Emeric POUPON" <emeric.pou...@stormshield.eu>
À: dev@lists.strongswan.org
Envoyé: Jeudi 5 Mars 2015 18:42:09
Objet: [strongSwan-dev] HA: sync issue

Hello,

I am facing another HA problem.
One segment, active/passive configuration.

I add a connection on the active node, "test2". The settings are very similar 
to the "test1" connection, only the ikelifetime parameter has been changed.
A tunnel is being negotiated successfully. On the passive node, I see things 
like that:

test1{1}:  ROUTED, TUNNEL
test1{1}:   fd00:120::/64 192.168.120.0/24 === fd00:110::/64 192.168.110.0/24 
Security Associations (0 up, 1 connecting):
   (unnamed)[1]: CONNECTING, fd56::120[C=AT, ST=TEST, L=TEST, O=TEST, OU=TEST, 
CN=FW_120, E=fw_...@fw.org]...fd56::110[C=AT, ST=TEST, L=TEST, O=TEST, OU=TEST, 
CN=FW_110, E=fw_...@fw.org]
   (unnamed)[1]: IKEv2 SPIs: ff06dd61a2486377_i 1de7b51c6b2966cb_r*
   (unnamed)[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1

If I stop charon on the passive node, the IKE SA and its related CHILD SA get 
killed on the active node.

I think it's because of this:

src/libcharon/plugins/ha/ha_ike.c:
METHOD(listener_t, ike_updown, bool,
        private_ha_ike_t *this, ike_sa_t *ike_sa, bool up)
{
        ha_message_t *m;

        if (ike_sa->get_state(ike_sa) == IKE_PASSIVE)
        {       /* only sync active IKE_SAs */
                return TRUE;
        }
...

Since the connection is not known on the passive node, the state is still set 
to CONNECTING (and not PASSIVE).
Therefore the HA IKE_DELETE message is sent and successfully processed on the 
active node.

Maybe it would make sense not to install unknown connections on the HA nodes ?
What do you think?

Best Regards,
_______________________________________________
Dev mailing list
Dev@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/dev
_______________________________________________
Dev mailing list
Dev@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/dev