On Wed, 28 May 2014, Wolfgang Nothdurft wrote:

> @Paul
> Any comment on my patch for Bug #86 (https://bugs.libreswan.org/show_bug.cgi?id=86) ?

That patch actually breaks things badly for me. For example, load these
connections and look at them with "ipsec status":

conn orient1
        left=%defaultroute
        leftnexthop=%defaultroute
        right=8.8.8.8
        #rightnexthop=%defaultroute

conn orient2
        left=%defaultroute
        #leftnexthop=%defaultroute
        right=8.8.8.8
        #rightnexthop=%defaultroute

conn orient3
        left=YourPubIP
        leftnexthop=YourGatewayIP
        right=8.8.8.8
        #rightnexthop=%defaultroute

conn orient4
        left=YourPubIP
        leftnexthop=%defaultroute
        right=8.8.8.8
        #rightnexthop=%defaultroute

you'll see some pretty badly mangled things in ipsec status as well as
unoriented connections. And orient4 won't even load.

000 "orient1": 8.8.8.8<8.8.8.8>...<invalid>---%any; unrouted; eroute owner: #0
000 "orient1":     unoriented; my_ip=unset; their_ip=unset;

000 "orient2": 76.10.157.69...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0
000 "orient2":     oriented; my_ip=unset; their_ip=unset;

000 "orient3": 76.10.157.69<76.10.157.69>---76.10.157.65...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0
000 "orient3":     oriented; my_ip=unset; their_ip=unset;

Only orient3 works in this case. (orient2 might work but it's not the
internal state we would want to see). Orient1 got completely mangled.

I think we should change the code in addconn.c and not run
resolve_defaultroute_one() up to four times. I think we should run it
once (two netlink calls) to get our default source ip and our default
gateway IP, and then simply look at left->addrtype and left->nexthop
and right->addrtype and right->nexthop and change the values where
appropriate.

> Are there any plans when 3.9 will be released? ;)

We are looking at fixing 3 bugs before we release. This addconn bug is
one of them. nhelpers=0 with IKEv2 is another one. Finally, a rekey bug
with IKEv2 needs to be fixed. With those three in place, we will do a
release. I really hope we can release this week or weekend :/

Paul
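
The "resolve once, then substitute" approach proposed in the message above, as an added sketch that is not libreswan code and not part of the original mail. The struct layout, the `KIND_*` enum, `fill_end()` and `fill_conn()` are hypothetical names, the 192.0.2.x addresses are constructed sample values, and leaving an unset nexthop untouched is an assumption of this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of one connection end; not libreswan's real struct. */
enum kind { KIND_UNSET, KIND_IP, KIND_DEFAULTROUTE };

struct end {
    enum kind addrtype;   /* how left=/right= was written */
    const char *addr;     /* literal IP when addrtype == KIND_IP */
    enum kind nexttype;   /* how leftnexthop=/rightnexthop= was written */
    const char *nexthop;  /* literal IP when nexttype == KIND_IP */
};

/* Result of the single default-route lookup (two netlink calls in the
 * proposal); the caller passes constructed sample values here. */
struct defroute { const char *src; const char *gw; };

/* Substitute %defaultroute in one end. Returns 0 on success, -1 if the end
 * needs a value that the lookup could not supply. */
int fill_end(struct end *e, const struct defroute *dr)
{
    if (e->addrtype == KIND_DEFAULTROUTE) {
        if (dr->src == NULL) return -1;
        e->addr = dr->src;
        e->addrtype = KIND_IP;
    }
    if (e->nexttype == KIND_DEFAULTROUTE) {
        if (dr->gw == NULL) return -1;
        e->nexthop = dr->gw;
        e->nexttype = KIND_IP;
    }
    return 0;
}

/* Apply the same lookup result to both ends of a connection. */
int fill_conn(struct end *left, struct end *right, const struct defroute *dr)
{
    return (fill_end(left, dr) == 0 && fill_end(right, dr) == 0) ? 0 : -1;
}

int main(void)
{
    struct defroute dr = { "192.0.2.10", "192.0.2.1" };  /* constructed */
    struct end left = { KIND_DEFAULTROUTE, NULL, KIND_DEFAULTROUTE, NULL };
    struct end right = { KIND_IP, "8.8.8.8", KIND_UNSET, NULL };  /* orient1 */
    if (fill_conn(&left, &right, &dr) != 0) return 1;
    printf("%s---%s...%s\n", left.addr, left.nexthop, right.addr);
    return 0;
}
```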