On Thu, 8 Apr 2021, Ryszard Styczynski wrote:
I'm looking for IPsec state machine implemented in Libreswan. I may guess how states are correlated, but having a state machine will give me a final answer.
For IKEv1, the state machine is in programs/pluto/ikev1.c
My current question is: what is the next state after STATE_QUICK_R2? Should the IPsec engine wait for rekeying? How long? How many times should it repeat the waiting step? Should it go back to STATE_MAIN and delete the SA? When? I currently see in my system that:

1. STATE_QUICK_R2 may go to STATE_MAIN_R3, delete the SA, and reestablish the connection from Phase 1 - it happens after 15 seconds
2. STATE_QUICK_R2 may go to STATE_QUICK_R1 and process rekeying - it happens when the peer responds quicker than 15 seconds

How to understand why sometimes the SA is deleted (what causes the 5-minute line drop), and sometimes rekeying is completed? How to control the time limits?
A proper exchange looks like:

paul@thinkpad:~/libreswan.git/testing/pluto/basic-pluto-01 (main=)$ grep STATE_ OUTPUT/east.pluto.log | grep transition
| IKEv1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
| IKEv1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
| IKEv1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
| IKEv1: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
| IKEv1: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2

Nothing should really happen after 15 seconds, so perhaps you should show us your logs to see what is happening?

Paul
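As an added example (not part of the thread and not Libreswan's own code), the script below checks a pluto log against the responder transition sequence Paul quotes: it pulls out the "IKEv1: transition from state X to state Y" lines, splits them into runs that each begin with a fresh Phase 1 (STATE_MAIN_R0), and reports whether each run reached STATE_QUICK_R2, stopped short of it (the symptom Ryszard describes, where Phase 1 restarts instead), or took a transition outside the expected path. The sample log lines are constructed; the `"east" #N:` prefix is an assumption about how pluto prefixes the lines (the regex ignores it), and it is also assumed that a peer-initiated rekey shows up as another STATE_QUICK_R0 to STATE_QUICK_R2 sequence under the same Phase 1.

```python
import re

# Expected IKEv1 responder path, taken from the transitions Paul quoted
# from testing/pluto/basic-pluto-01 (OUTPUT/east.pluto.log).
PHASE1_PATH = [
    ("STATE_MAIN_R0", "STATE_MAIN_R1"),
    ("STATE_MAIN_R1", "STATE_MAIN_R2"),
    ("STATE_MAIN_R2", "STATE_MAIN_R3"),
]
PHASE2_PATH = [
    ("STATE_QUICK_R0", "STATE_QUICK_R1"),
    ("STATE_QUICK_R1", "STATE_QUICK_R2"),
]

# Matches the transition lines exactly as they appear in the quoted log;
# anything before "IKEv1:" (connection name, state number, timestamp) is ignored.
TRANSITION_RE = re.compile(
    r"IKEv1: transition from state (?P<src>STATE_\w+) to state (?P<dst>STATE_\w+)"
)

# Constructed sample log (not a real pluto.log). Run 1: Phase 1, Phase 2, then a
# rekey (second Quick Mode). Run 2: Phase 1 restarts and Phase 2 never reaches
# STATE_QUICK_R2. The "IPsec SA established" line is noise the filter must skip.
SAMPLE_LOG = """\
"east" #1: IKEv1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
"east" #1: IKEv1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
"east" #1: IKEv1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
"east" #2: IKEv1: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
"east" #2: IKEv1: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
"east" #2: IPsec SA established tunnel mode
"east" #3: IKEv1: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
"east" #3: IKEv1: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
"east" #4: IKEv1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
"east" #4: IKEv1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
"east" #4: IKEv1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
"east" #5: IKEv1: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
"""


def parse_transitions(log_text):
    """Return (from_state, to_state) pairs for every transition line in the log."""
    pairs = []
    for line in log_text.splitlines():
        m = TRANSITION_RE.search(line)
        if m:
            pairs.append((m.group("src"), m.group("dst")))
    return pairs


def split_runs(transitions):
    """Group transitions into runs; a run starts whenever Phase 1 starts over."""
    runs = []
    for src, dst in transitions:
        if src == "STATE_MAIN_R0" or not runs:
            runs.append([])
        runs[-1].append((src, dst))
    return runs


def audit_run(run):
    """Compare one run with PHASE1_PATH followed by one or more PHASE2_PATHs.

    Returns (status, completed_phase2_count, last_state) where status is
    'complete' (at least one Quick Mode reached STATE_QUICK_R2 and nothing
    else went wrong), 'incomplete' (the run stopped before STATE_QUICK_R2),
    or 'unexpected' (a transition outside the expected path was seen).
    """
    pos = 0
    for expected in PHASE1_PATH:
        if pos == len(run):
            return ("incomplete", 0, run[-1][1])
        if run[pos] != expected:
            return ("unexpected", 0, run[pos][1])
        pos += 1
    completed = 0
    while pos < len(run):
        for expected in PHASE2_PATH:
            if pos == len(run):
                return ("incomplete", completed, run[-1][1])
            if run[pos] != expected:
                return ("unexpected", completed, run[pos][1])
            pos += 1
        completed += 1  # one full STATE_QUICK_R0 -> STATE_QUICK_R2 exchange
    status = "complete" if completed else "incomplete"
    return (status, completed, run[-1][1])


def audit_log(log_text):
    """Audit every run in the log; one result tuple per run."""
    return [audit_run(run) for run in split_runs(parse_transitions(log_text))]


if __name__ == "__main__":
    for i, (status, count, last) in enumerate(audit_log(SAMPLE_LOG), 1):
        print(f"run {i}: {status}, {count} Quick Mode exchange(s) completed, last state {last}")
```

Point it at a real log with `audit_log(open("/var/log/pluto.log").read())` (path assumed); a run reported as "incomplete" followed by a new run is the place to look for what happened between the last STATE_QUICK_R1 and the next STATE_MAIN_R0, which is exactly the 15-second window Ryszard is asking about.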
