On Sun, 18 Dec 2005, David S. Miller wrote:
> From: "David S. Miller" <[EMAIL PROTECTED]>
> Date: Sun, 18 Dec 2005 13:20:19 -0800 (PST)
>
> > From: Krzysztof Oledzki <[EMAIL PROTECTED]>
> > Date: Sun, 18 Dec 2005 17:49:50 +0100 (CET)
> >
> > At 17:31:26 kernel executed the one from xfrm_state_add() (Ole #2) but it
> > didn't help. :(
>
> Thanks for testing, I'll try to figure out what might be going
> on.
>
> Ok, xfrm_flush_bundles() isn't pruning the bundles because they
> still look valid.
>
> We fix this by adding a xfrm_flush_all_bundles() that doesn't
> do the validity check and simply flushes everything.
>
> Please give this new version of the patch a try, thanks.
OK. With this patch the kernel switches to the new SA immediately, but only for
ping. The TCP (ssh) session between Cisco and Linux is still protected by the
old SA.
Tested by running two tests simultaneously:
- "while true ; do echo -ne . ; sleep 1; done" over ssh
- ping
Both protected by the same ipsec policy.
ssh:
10:21:58.376530 IP 192.168.0.24 > 192.168.0.7: ESP(spi=0x00648e34,seq=0x17c)
10:21:58.376856 IP 192.168.0.7 > 192.168.0.24: ESP(spi=0x1acf2fac,seq=0x17c)
ping:
10:21:58.943229 IP 192.168.0.7 > 192.168.0.24: ESP(spi=0x1acf2fac,seq=0x17d)
10:21:58.947768 IP 192.168.0.24 > 192.168.0.7: ESP(spi=0x00648e34,seq=0x17d)
ssh:
10:21:59.396334 IP 192.168.0.24 > 192.168.0.7: ESP(spi=0x00648e34,seq=0x17e)
10:21:59.396664 IP 192.168.0.7 > 192.168.0.24: ESP(spi=0x1acf2fac,seq=0x17e)
ping:
10:21:59.944079 IP 192.168.0.7 > 192.168.0.24: ESP(spi=0x1acf2fac,seq=0x17f)
10:21:59.971934 IP 192.168.0.24 > 192.168.0.7: ESP(spi=0x00648e34,seq=0x17f)
* New SA was negotiated:
Dec 19 10:22:00 chochlik racoon: INFO: IPsec-SA established: ESP/Tunnel
192.168.0.24[0]->192.168.0.7[0] spi=228316027(0xd9bd37b)
Dec 19 10:22:00 chochlik racoon: INFO: IPsec-SA established: ESP/Tunnel
192.168.0.7[0]->192.168.0.24[0] spi=3587656557(0xd5d74b6d)
* Cisco switched to the new SA immediately, Linux switched only partially:
ssh:
10:22:00.416215 IP 192.168.0.24 > 192.168.0.7: ESP(spi=0x0d9bd37b,seq=0x1)
10:22:00.416607 IP 192.168.0.7 > 192.168.0.24: ESP(spi=0x1acf2fac,seq=0x180)
ping:
10:22:00.944950 IP 192.168.0.7 > 192.168.0.24: ESP(spi=0xd5d74b6d,seq=0x1)
10:22:00.949622 IP 192.168.0.24 > 192.168.0.7: ESP(spi=0x0d9bd37b,seq=0x2)
ssh:
10:22:01.436183 IP 192.168.0.24 > 192.168.0.7: ESP(spi=0x0d9bd37b,seq=0x3)
10:22:01.436523 IP 192.168.0.7 > 192.168.0.24: ESP(spi=0x1acf2fac,seq=0x181)
ping:
10:22:01.945777 IP 192.168.0.7 > 192.168.0.24: ESP(spi=0xd5d74b6d,seq=0x2)
10:22:01.950323 IP 192.168.0.24 > 192.168.0.7: ESP(spi=0x0d9bd37b,seq=0x4)
(...)
* Executed "ip route flush cache":
ssh:
10:22:16.743559 IP 192.168.0.24 > 192.168.0.7: ESP(spi=0x0d9bd37b,seq=0x21)
10:22:16.744028 IP 192.168.0.7 > 192.168.0.24: ESP(spi=0xd5d74b6d,seq=0x11)
ping:
10:22:16.959512 IP 192.168.0.7 > 192.168.0.24: ESP(spi=0xd5d74b6d,seq=0x12)
10:22:16.964147 IP 192.168.0.24 > 192.168.0.7: ESP(spi=0x0d9bd37b,seq=0x22)
Best regards,
Krzysztof Olędzki
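A check a reader of this thread might want to run against a capture after a rekey, as an added example that is not part of the thread or the kernel patch: it parses tcpdump ESP lines and racoon "IPsec-SA established" lines and flags packets that, after a new SA is established for their direction, still carry an older SPI (the 0x1acf2fac ssh replies above). The sample lines are constructed from the report (racoon lines joined onto one line each); the regexes are assumptions about the two tools' output formats as shown here, and both tools are assumed to log the same host clock.

```python
import re
from collections import defaultdict
# tcpdump ESP line: "10:22:00.416607 IP 192.168.0.7 > 192.168.0.24: ESP(spi=0x1acf2fac,seq=0x180)"
ESP_RE = re.compile(r"^(\d\d:\d\d:\d\d(?:\.\d+)?) IP (\S+?) > (\S+?): ESP\(spi=0x([0-9a-f]+),")
# racoon syslog line: "Dec 19 10:22:00 host racoon: INFO: IPsec-SA established: ESP/Tunnel A[0]->B[0] spi=N(0xHEX)"
SA_RE = re.compile(r"^\w{3} +\d+ (\d\d:\d\d:\d\d) .*IPsec-SA established: ESP/\w+ "
                   r"(\S+?)\[\d+\]->(\S+?)\[\d+\] spi=\d+\(0x([0-9a-f]+)\)")

def tod(hms):  # time of day in seconds; assumes tcpdump and racoon share one clock
    h, m, s = hms.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def parse_sa_events(racoon_lines):
    """(src, dst) -> [(time, spi)] sorted by time; SPIs are ints so 0xd9bd37b == 0x0d9bd37b."""
    events = defaultdict(list)
    for line in racoon_lines:
        m = SA_RE.match(line)
        if m:
            events[(m[2], m[3])].append((tod(m[1]), int(m[4], 16)))
    return {k: sorted(v) for k, v in events.items()}

def stale_packets(tcpdump_lines, racoon_lines):
    """Packets still sent on an SPI older than the newest SA established for their direction."""
    events = parse_sa_events(racoon_lines)
    stale = []
    for line in tcpdump_lines:
        m = ESP_RE.match(line)
        if not m:
            continue
        t, src, dst, spi = tod(m[1]), m[2], m[3], int(m[4], 16)
        known = [s for est, s in events.get((src, dst), []) if est <= t]  # SAs up before this packet
        if known and spi != known[-1]:
            stale.append((m[1], src, dst, f"0x{spi:08x}", f"0x{known[-1]:08x}"))
    return stale

# Constructed sample input taken from the report above (racoon lines joined onto one line each).
RACOON_LOG = [
    "Dec 19 10:22:00 chochlik racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.0.24[0]->192.168.0.7[0] spi=228316027(0xd9bd37b)",
    "Dec 19 10:22:00 chochlik racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.0.7[0]->192.168.0.24[0] spi=3587656557(0xd5d74b6d)",
]
TCPDUMP = [
    "10:21:59.396334 IP 192.168.0.24 > 192.168.0.7: ESP(spi=0x00648e34,seq=0x17e)",  # before rekey: nothing to compare
    "10:22:00.416215 IP 192.168.0.24 > 192.168.0.7: ESP(spi=0x0d9bd37b,seq=0x1)",    # ssh: Cisco side on new SA
    "10:22:00.416607 IP 192.168.0.7 > 192.168.0.24: ESP(spi=0x1acf2fac,seq=0x180)",  # ssh: Linux reply still on old SA
    "10:22:00.944950 IP 192.168.0.7 > 192.168.0.24: ESP(spi=0xd5d74b6d,seq=0x1)",    # ping: Linux on new SA
    "10:22:01.436523 IP 192.168.0.7 > 192.168.0.24: ESP(spi=0x1acf2fac,seq=0x181)",  # ssh: still old SA
    "10:22:16.744028 IP 192.168.0.7 > 192.168.0.24: ESP(spi=0xd5d74b6d,seq=0x11)",   # after "ip route flush cache"
]
```

Running `stale_packets(TCPDUMP, RACOON_LOG)` returns only the two ssh replies from 192.168.0.7 on 0x1acf2fac, which is exactly the partial switch the report describes; the pre-rekey packet is not flagged because no SA for that direction is known at that time.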