On Tue, 28 May 2019 at 18:57, Andrew Cagney <[email protected]> wrote:
>
> Note the initiator=0 in these log lines:
>
> May 28 21:12:44 bar-host-01 pluto[27621]: | Message ID: ike
> #3.PARENT_R2receiver #8.V2_IPSEC_R request 1; ike.initiator: sent=-1
> recv=-1; ike.responder: sent=0 recv=0->1; receiver.wip: initiator=0
> responder=0
> May 28 21:12:44 bar-host-01 pluto[27621]: | Message ID: ike
> #3.PARENT_R2sender #8.V2_IPSEC_R response 1; ike.initiator: sent=-1
> recv=-1; ike.responder: sent=0->1 recv=1; sender.wip: initiator=0
> responder=0
>
> it should have been initiator=-1 since it wasn't initiating an
> exchange. This wrong value leads to:
>
> May 28 21:12:46 bar-host-01 pluto[27621]: | State DB: IKEv2 state
> object #8 found, in STATE_V2_IPSEC_R (find_v2_sa_by_initiator_mip)
>
> when the search should fail. It should be fixed by:
>
> https://github.com/libreswan/libreswan/commit/46bac3061acc78e41cf0516c90a3390ea84def65
>
> The "cause" should be:
>
> https://github.com/libreswan/libreswan/commit/55f09de1e95b3ff3935da17475dd77a221ff7f14
>
> et al., which removed the crutch, exposing the problem.

Also https://github.com/libreswan/libreswan/commit/046c72992e0d68e5d0dfaab8a27aa47986f05d5c
which switched a lookup from requiring both .st_msgid (old) and
wip.initiator (new) match to just checking the new value matches. Again
post 3.28.

> --
>
> Is there a test where the IKE initiator then adds 2 CHILD SAs?
>
> Andrew
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
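
An added example, not part of the thread and not libreswan code: a small checker that scans pluto "Message ID:" debug lines like the ones quoted above and reports states whose wip initiator value claims an outstanding request that the IKE SA never sent. The consistency rule and the constructed sample lines (including the state name EXAMPLE_STATE) are assumptions made for illustration.

```python
import re

# Fields as they appear in the "Message ID:" debug lines quoted in the thread.
LINE_RE = re.compile(
    r"#(?P<state>\d+)\.(?P<name>\S+) (?P<kind>request|response) (?P<msgid>\d+);"
    r".*?ike\.initiator: sent=(?P<sent>\S+) recv=\S+;"
    r".*?(?P<who>\w+)\.wip: initiator=(?P<wip_i>-?\d+) responder=(?P<wip_r>-?\d+)"
)

# The two lines from the thread, unwrapped.
PAGE_LINES = [
    "May 28 21:12:44 bar-host-01 pluto[27621]: | Message ID: ike #3.PARENT_R2receiver #8.V2_IPSEC_R request 1; ike.initiator: sent=-1 recv=-1; ike.responder: sent=0 recv=0->1; receiver.wip: initiator=0 responder=0",
    "May 28 21:12:44 bar-host-01 pluto[27621]: | Message ID: ike #3.PARENT_R2sender #8.V2_IPSEC_R response 1; ike.initiator: sent=-1 recv=-1; ike.responder: sent=0->1 recv=1; sender.wip: initiator=0 responder=0",
]

# Constructed lines: the first with initiator=-1 as the thread says it should
# be, the second a state that really did send request 0 (sent=-1->0).
CONSTRUCTED_LINES = [
    "| Message ID: ike #3.PARENT_R2 receiver #8.V2_IPSEC_R request 1; ike.initiator: sent=-1 recv=-1; ike.responder: sent=0 recv=0->1; receiver.wip: initiator=-1 responder=0",
    "| Message ID: ike #3.PARENT_I2 sender #9.EXAMPLE_STATE request 0; ike.initiator: sent=-1->0 recv=-1; ike.responder: sent=-1 recv=-1; sender.wip: initiator=0 responder=-1",
]

def latest(value):
    """'0->1' logs a transition; keep the new value. Plain ints pass through."""
    return int(value.split("->")[-1])

def suspicious_wip(lines):
    """Return (state, name, wip_initiator, ike_sent) for each line where a
    state claims an outstanding request the IKE SA never sent."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        wip_i, sent = int(m["wip_i"]), latest(m["sent"])
        # Assumption: -1 means "none", so a wip initiator id above the last
        # request id the IKE SA sent cannot be a real outstanding request.
        if wip_i != -1 and wip_i > sent:
            hits.append((int(m["state"]), m["name"], wip_i, sent))
    return hits

if __name__ == "__main__":
    for hit in suspicious_wip(PAGE_LINES + CONSTRUCTED_LINES):
        print("state #%d (%s): wip initiator=%d but ike.initiator sent=%d" % hit)
```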
