diff options
author | Thomas Egerer <thomas.egerer@secunet.com> | 2017-03-09 18:26:35 +0100 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2017-05-23 17:58:51 +0200 |
commit | d140b3bd3f7ff6f6b7bdc5202bd0dee7f39fa699 (patch) | |
tree | 1f0b03f5b19415dc9eb2a9cb4052e5089e97c9ae | |
parent | bf08e39441f54466078ca81802a7482b3e8f91a2 (diff) | |
download | strongswan-d140b3bd3f7ff6f6b7bdc5202bd0dee7f39fa699.tar.bz2 strongswan-d140b3bd3f7ff6f6b7bdc5202bd0dee7f39fa699.tar.xz |
kernel-netlink: Try to add new inbound SA if update fails
When establishing a traffic-triggered CHILD_SA involves the setup of an
IKE_SA more than one exchange is required. As a result the temporary
acquire state may have expired -- even if the acquire expiration
(xfrm_acq_expires) time is set properly (165 by default). The expire
message sent by the kernel is not processed in charon since no trap can
be found by the trap manager.
A possible solution could be to track allocated SPIs. But since this is
a corner case and the tracking introduces quite a bit of overhead, it
seems much more sensible to add a new state if the update of a state
fails with NOT_FOUND.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
-rw-r--r-- | src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c index 9a40927d2..6f18674fd 100644 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -1666,10 +1666,19 @@ METHOD(kernel_ipsec_t, add_sa, status_t, } } - if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS) + status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr); + if (status == NOT_FOUND && data->update) { - DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x%s", ntohl(id->spi), - markstr); + DBG1(DBG_KNL, "allocated SPI not found anymore, try to add SAD entry"); + hdr->nlmsg_type = XFRM_MSG_NEWSA; + status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr); + } + + if (status != SUCCESS) + { + DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x%s (%N)", ntohl(id->spi), + markstr, status_names, status); + status = FAILED; goto failed; } |