Date:      Thu, 22 Jan 2004 22:53:16 +0100 (CET)
From:      Helge Oldach <1822661512@oldach.net>
To:        xelah-freebsd@xelah.com (Alex Hayward)
Cc:        freebsd-net@freebsd.org
Subject:   Re: Racoon(8) Deleting SPD Entries
Message-ID:  <200401222153.i0MLrGt8070644@sep.oldach.net>
In-Reply-To: <Pine.LNX.4.58.0311301102000.10011@sphinx.mythic-beasts.com> from Alex Hayward at "Nov 30, 2003 11:20:19 am"

[Yes, this is an old issue, but I have been bitten by it today, googled a
bit, and here's a dirty fix]

Alex Hayward wrote on Sun Nov 30 03:20:24 2003:
> On Sat, 29 Nov 2003, Crist J. Clark wrote:
> > I am having some problems with racoon(8). Everything works fine for
> > the lifetime of the initial SA, but then things die. When the initial
> > SA is removed, racoon(8) seems to be clearing out the corresponding
> > entry in the SPD. However, when we had reached the soft timeout
> > earlier, racoon(8) had established new SAs. Since we have good SAs,
> > racoon(8) doesn't try to do new negotiations. Both ends have a good
> > SAD, but the responder no longer has SPD entries for the pair.
> 
> I've come across this, too. It appears to be a bug in Racoon; I've
> submitted a bug report to KAME - bug fbsd4/530. When Racoon creates the
> security policy it gives it a timeout equal to the timeout on the SA.
> It doesn't renew this timeout when a new SA is negotiated and will only
> create a new SP if the existing SP has already timed out.

Yep. Racoon appears to check if an SP entry is already there, and since
it is (because it hasn't been expired already), it doesn't install a
fresh SP upon SA renewal.

I have simply fixed this by avoiding the "is SP already there?" check.
See the very simple-minded patch below. Yes, this will install an
additional (in fact, identical) SP, so you will see two of them during
the period when the old SA is dying and the new SA is already there, but
it appears that it works fine and does no harm.

Helge

--- racoon/isakmp_quick.c.ORIG	Tue Oct 21 09:18:03 2003
+++ racoon/isakmp_quick.c	Thu Jan 22 22:26:13 2004
@@ -2012,7 +2012,7 @@
 
 	/* get inbound policy */
 	sp_in = getsp_r(&spidx);
-	if (sp_in == NULL) {
+	/* if (sp_in == NULL) */ {
 		if (iph2->ph1->rmconf->gen_policy) {
 			plog(LLV_INFO, LOCATION, NULL,
 				"no policy found, "
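Review bot: commenting out `if (sp_in == NULL)` makes the whole block unconditional, so the `gen_policy` branch and its "no policy found, " log line now run even when `getsp_r(&spidx)` returned an existing policy; the message is then misleading, and the duplicate SP the cover text mentions is the side effect of ignoring `sp_in`. Keep the NULL check and handle the non-NULL case in an explicit `else` branch, for instance by refreshing the existing policy's lifetime for the newly negotiated SA as Alex's diagnosis suggests, and replace the commented-out condition with a comment stating the intent rather than leaving dead code inline.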



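The timeline the thread describes, as an added model that is not racoon code: a security policy installed with the first SA's lifetime, rekeying at a soft timeout, and an SP that is only installed when none is present. The functions `rekey`, `expire` and `traffic_flows_at`, the lifetimes and the time units are all constructed for this simulation; the `refresh_sp_on_rekey` flag models the effect of renewing the SP on rekey, which is what the fix in the thread achieves.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the behaviour discussed in the thread (not racoon code):
 * the SP gets the same lifetime as the first SA, SAs are rekeyed at a soft
 * timeout, and an SP is only installed when none is present. Time units and
 * lifetimes are made up for the simulation. */
#define SA_LIFETIME  100u   /* hard lifetime of each SA */
#define SOFT_TIMEOUT  80u   /* rekey interval */
#define MAX_SA         4u   /* enough slots for the overlap this model produces */

struct entry { unsigned expires; bool valid; };

struct peer {
    struct entry sp;           /* the single SPD entry for this flow */
    struct entry sa[MAX_SA];   /* SAD entries, slots reused once expired */
    bool refresh_sp_on_rekey;  /* false = original racoon check, true = fix */
};

static void rekey(struct peer *p, unsigned now) {
    for (size_t i = 0; i < MAX_SA; i++)            /* new SA in a free slot */
        if (!p->sa[i].valid) { p->sa[i] = (struct entry){ now + SA_LIFETIME, true }; break; }
    if (!p->sp.valid)                               /* "is an SP already there?" */
        p->sp = (struct entry){ now + SA_LIFETIME, true };
    else if (p->refresh_sp_on_rekey)                /* the fix: extend its lifetime */
        p->sp.expires = now + SA_LIFETIME;
}

static void expire(struct peer *p, unsigned now) {
    if (p->sp.valid && p->sp.expires <= now) p->sp.valid = false;
    for (size_t i = 0; i < MAX_SA; i++)
        if (p->sa[i].valid && p->sa[i].expires <= now) p->sa[i].valid = false;
}

static bool have_sa(const struct peer *p) {
    for (size_t i = 0; i < MAX_SA; i++) if (p->sa[i].valid) return true;
    return false;
}

/* Run the timeline from t=0 to `until`; traffic can only flow when a valid SA
 * and a valid SP both exist at that moment. */
bool traffic_flows_at(unsigned until, bool refresh_sp_on_rekey) {
    struct peer p = { .refresh_sp_on_rekey = refresh_sp_on_rekey };
    unsigned next_rekey = SOFT_TIMEOUT;
    rekey(&p, 0);                                   /* initial SA + SP */
    for (unsigned now = 1; now <= until; now++) {
        expire(&p, now);
        if (now == next_rekey) { rekey(&p, now); next_rekey += SOFT_TIMEOUT; }
    }
    return have_sa(&p) && p.sp.valid;
}
```

With the original check, the SP expires at t=100 together with the first SA while the SA negotiated at t=80 is still good, which is exactly the "good SAD, no SPD entry" state Crist reported.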