Hi All,
I made the following modification to our strongSwan installation (5.3.5):
+++ ./src/libcharon/processing/jobs/delete_ike_sa_job.c 2017-02-22
16:02:04.971231122 +0100
@@ -93,7 +93,7 @@
}
else
{
- DBG1(DBG_JOB, "deleting half open IKE_SA after
timeout");
+ DBG1(DBG_JOB, "deleting half open IKE_SA with
%H after timeout", ike_sa->get_other_host(ike_sa));
charon->bus->alert(charon->bus,
ALERT_HALF_OPEN_TIMEOUT);
charon->ike_sa_manager->checkin_and_destroy(
charon->ike_sa_manager, ike_sa);
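Review bot: as posted, the patch cannot be applied mechanically: the `---` old-file header is missing (only the `+++` line at the top survives) and the mailer has wrapped both the removed and the added `DBG1(...)` lines, so the string literal `"deleting half open IKE_SA with %H after timeout"` has to be rejoined onto one line before `patch`/`git apply` will accept the hunk. The change itself is sound: `ike_sa` is the checked-out IKE_SA the job already operates on, and `%H` is charon's printf hook for the `host_t*` that `get_other_host()` returns, so no new lifetime or format issue is introduced. One caveat for whoever reads the new log line: the address belongs to a peer that never completed authentication, so it is useful for correlating timeouts against known client prefixes, but it is not proof of who sent the IKE_SA_INIT.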
It compiles, it runs, and it logs the desired information (address of the partner)...
But since I'm not familiar with the code, I may have introduced a bug.
So any feedback would be very welcome.
Story behind this: our Internet provider rate-limits UDP fragments (!!!) at its peering points (to fend off or mitigate certain attacks).
We use the Windows built-in IKEv2 capabilities, which unfortunately use UDP fragmentation (do not support RFC 7383), and have been bitten by this rate-limiting.
Indicators for the problem are lots of "deleting half open IKE_SA after timeout" messages (of which we are notified, besides support calls for non-working home office VPNs).
With the patch, I hope to be able to see whether it's one of "our" clients failing to connect because of, e.g., fragments being dropped, or whether it's some scan attempt "from far away".
If the patch is considered useful, feel free to add it.
Best regards,
Walter
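The triage the mail describes, as an added example that is not part of the original post or of strongSwan: it pulls the peer address out of charon log lines written in the patched format and buckets the timeouts as coming from our own client prefixes or from elsewhere. It assumes `%H` renders the host as `address[port]`, as charon does elsewhere in its logs; the log lines and the client prefixes are constructed.

```python
"""Triage charon 'half open IKE_SA' timeout lines (added example, not the patch author's code)."""
import ipaddress
import re
from collections import Counter

# %H prints a host_t as address[port]; IPv6 addresses contain colons, so match
# any run of hex digits, dots and colons up to the '['. The group is optional so
# that lines from the unpatched message format are still counted.
HALF_OPEN_RE = re.compile(
    r"deleting half open IKE_SA(?: with (?P<addr>[0-9a-fA-F.:]+)\[(?P<port>\d+)\])? after timeout")

# Constructed sample lines in the usual syslog/charon layout.
SAMPLE_LOG = """\
Feb 22 16:02:04 vpn charon: 05[JOB] deleting half open IKE_SA with 203.0.113.7[500] after timeout
Feb 22 16:02:09 vpn charon: 11[JOB] deleting half open IKE_SA with 198.51.100.23[4500] after timeout
Feb 22 16:02:31 vpn charon: 07[JOB] deleting half open IKE_SA with 203.0.113.7[500] after timeout
Feb 22 16:03:02 vpn charon: 09[JOB] deleting half open IKE_SA with 2001:db8:1::42[500] after timeout
Feb 22 16:03:15 vpn charon: 13[JOB] deleting half open IKE_SA after timeout
Feb 22 16:03:20 vpn charon: 02[IKE] received retransmit of request with ID 0, retransmitting response
"""

# Constructed: the prefixes our own home-office clients connect from (ISP pools, corporate NAT).
OUR_CLIENT_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:1::/48")]


def parse_half_open(log_text):
    """Return (addr, port) per timeout line; addr/port are None for the old message format."""
    events = []
    for line in log_text.splitlines():
        m = HALF_OPEN_RE.search(line)
        if m:
            events.append((m.group("addr"), int(m.group("port")) if m.group("port") else None))
    return events


def classify(addr):
    """'ours' if the peer is in a known client prefix, else 'foreign'.
    The peer never authenticated, so this is an indicator, not proof of origin."""
    ip = ipaddress.ip_address(addr)
    return "ours" if any(ip in net for net in OUR_CLIENT_NETS) else "foreign"


def summarize(log_text):
    """Count timeouts per peer address and bucket them as ours / foreign / unknown (no address)."""
    per_addr, buckets = Counter(), Counter()
    for addr, _port in parse_half_open(log_text):
        if addr is None:
            buckets["unknown"] += 1
            continue
        per_addr[addr] += 1
        buckets[classify(addr)] += 1
    return per_addr, buckets
```

A burst of "foreign" entries from a handful of addresses points at scanning, while "ours" entries clustering around the same ISP prefixes are the fragment-dropping symptom the mail describes.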
_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users