Steve,

> If you can't see any problem in the log, I'll gather some more data
> next time it happens.

> 15[IKE] CHILD_SA rekey collision lost, deleting rekeyed child
> 13[IKE] CHILD_SA rekey collision won, deleting old child

That all looks like it works as expected. Each peer deletes the CHILD_SA
it should, and the peers should end up with the same rekeyed CHILD_SA.

> the SPIs of the left and right ends match at first but this morning
> they are different.

That's definitely strange. Even if the peers don't agree on the CHILD_SAs
to keep or delete, I don't see why the SAs should be out of sync. Did this
happen during the log you provided, or can you provide a log when this
happens?

Also, I've attached a patch that adds some additional debugging to check
if we falsely look up the CHILD_SA by the outbound SPI where this is not
intended. Just a wild guess, not sure if it is related.

> do I just accept that it will and do my best to reduce the likelihood
> of collisions

Even if they happen, it is no issue here. Collisions get resolved just
fine every time for the many collisions I've produced. That should be true
for both 5.1.1 and 5.2.0.

Regards
Martin

diff --git a/src/libcharon/sa/ikev2/tasks/child_delete.c b/src/libcharon/sa/ikev2/tasks/child_delete.c index 2b16974..21eb33b 100644 --- a/src/libcharon/sa/ikev2/tasks/child_delete.c +++ b/src/libcharon/sa/ikev2/tasks/child_delete.c @@ -305,6 +305,7 @@ METHOD(task_t, build_i, status_t, return SUCCESS; } /* we work only with the inbound SPI */ + DBG1(DBG_IKE, "######## USING INBOUND SPI FOR DELETE"); this->spi = child_sa->get_spi(child_sa, TRUE); } this->child_sas->insert_last(this->child_sas, child_sa); diff --git a/src/libcharon/sa/ikev2/tasks/child_rekey.c b/src/libcharon/sa/ikev2/tasks/child_rekey.c index db87282..94d7581 100644 --- a/src/libcharon/sa/ikev2/tasks/child_rekey.c +++ b/src/libcharon/sa/ikev2/tasks/child_rekey.c @@ -166,6 +166,7 @@ METHOD(task_t, build_i, status_t, return SUCCESS; } /* we work only with the inbound SPI */ + DBG1(DBG_IKE, "######## USING INBOUND SPI FOR REKEY"); this->spi = this->child_sa->get_spi(this->child_sa, TRUE); } config = this->child_sa->get_config(this->child_sa);
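
Review bot: In the child_delete.c hunk the new DBG1 line prints a fixed string and runs before `this->spi = child_sa->get_spi(child_sa, TRUE);`, so the log shows that this path was taken but not which SPI was involved. Since the report is about SPIs that differ between the two peers, move the DBG1 below the assignment and include the value of this->spi in the message, so the line can be matched against the SPIs each peer reports.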
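
Review bot: In the child_rekey.c hunk the message "######## USING INBOUND SPI FOR REKEY" does not say which CHILD_SA took this path, so with more than one CHILD_SA being rekeyed the line cannot be tied to a particular rekey in the log. Add an identifier for this->child_sa to the same line, and place the DBG1 so it does not sit between the comment "/* we work only with the inbound SPI */" and the assignment that comment describes.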
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
