authorTobias Brunner <tobias@strongswan.org>2017-08-04 14:02:42 +0200
committerTobias Brunner <tobias@strongswan.org>2017-08-07 10:46:00 +0200
commit772957778ccf1705e2d0bcf62203a1abb041b6ff (patch)
tree2bdeb6c5ff401e6b102ee00842ff737c39392578 /testing/tests
parentdbaeaaf6057fcdff397765a317b6eadf751acac1 (diff)
charon-tkm: Call esa_reset() when the inbound SA is deleted
After a rekeying, the outbound SA and policy are deleted immediately; however, the inbound SA is not removed until a few seconds later, so delayed packets can still be processed. This adds a flag to get_esa_id() that specifies the location of the given SPI.
Diffstat (limited to 'testing/tests')
-rw-r--r--testing/tests/tkm/xfrmproxy-expire/evaltest.dat12
-rw-r--r--testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/tkm.conf2
-rw-r--r--testing/tests/tkm/xfrmproxy-rekey/evaltest.dat6
-rw-r--r--testing/tests/tkm/xfrmproxy-rekey/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/ipsec.conf2
6 files changed, 19 insertions, 7 deletions
diff --git a/testing/tests/tkm/xfrmproxy-expire/evaltest.dat b/testing/tests/tkm/xfrmproxy-expire/evaltest.dat
index 05bf42057..a3f45871c 100644
--- a/testing/tests/tkm/xfrmproxy-expire/evaltest.dat
+++ b/testing/tests/tkm/xfrmproxy-expire/evaltest.dat
@@ -2,20 +2,24 @@ moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.
sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
-moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+moon::sleep 2::wait for rekeying::NO
moon::cat /var/log/daemon.log::ees: acquire received for reqid 1::YES
moon::cat /var/log/daemon.log::ees: expire received for reqid 1, spi.*, dst 192.168.0.2::YES
moon::cat /var/log/daemon.log::creating rekey job for CHILD_SA ESP/0x.*/192.168.0.2::YES
+moon::cat /var/log/daemon.log::deleting child SA (esa: 1, spi:.*)::NO
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+moon::sleep 2::wait until inbound SA is deleted::NO
moon::cat /var/log/daemon.log::deleting child SA (esa: 1, spi:.*)::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES
moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES
moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
moon::cat /tmp/tkm.log::Creating first new ESA context with ID 1 (Isa 1, Sp 1, Ea 1, Initiator TRUE, spi_loc.*, spi_rem.*)::YES
moon::cat /tmp/tkm.log::Creating ESA context with ID 2 (Isa 1, Sp 1, Ea 1, Dh_Id 1, Nc_Loc_Id 1, Initiator TRUE, spi_loc.*, spi_rem.*)::YES
-moon::cat /tmp/tkm.log | grep 'Adding ESA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 2, hard 60 \]' | wc -l::2::YES
+moon::cat /tmp/tkm.log | grep 'Adding ESA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 4, hard 60 \]' | wc -l::2::YES
moon::cat /tmp/tkm.log::Resetting ESA context 1::YES
moon::cat /tmp/tkm.log::Deleting ESA \[ 1, 192.168.0.1 <=> 192.168.0.2, SPI_in.*, SPI_out.* \]::YES
moon::cat /tmp/xfrm_proxy.log::Initiating ESA acquire for reqid 1::YES
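Review bot: The added `deleting child SA (esa: 1, spi:.*)::NO` step only inspects charon's daemon.log, while `Resetting ESA context 1::YES` in /tmp/tkm.log is still asserted once near the end of the script, so nothing here shows that the TKM-side reset is actually deferred until the inbound SA is removed. Assuming the TKM logs the reset at the moment it happens, a step such as `moon::cat /tmp/tkm.log::Resetting ESA context 1::NO` directly after the new NO check would pin the ordering this commit is about: the ESA context stays usable for delayed packets and is released only after the delay. The matching steps in xfrmproxy-rekey/evaltest.dat would benefit from the same check, though most of that file's tkm.log assertions lie outside its visible hunk.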
diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/strongswan.conf b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/strongswan.conf
index cc9d6e072..5b79af9f4 100644
--- a/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,8 @@
# /etc/strongswan.conf - strongSwan configuration file
charon-tkm {
+ # remove rekeyed inbound SA a bit quicker for the test scenario
+ delete_rekeyed_delay = 2
dh_mapping {
15 = 1
16 = 2
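Review bot: The value of `delete_rekeyed_delay` is coupled to the `sleep 2` steps and the `::NO` / `::YES` log checks this commit adds to evaltest.dat, but the new comment does not say so. The `::NO` check passes only while the rekeyed inbound SA is still installed, so the 2-second window may be tight on a slow test host (inferred; the harness timing is not visible here). I would extend the comment, e.g. `# remove rekeyed inbound SA a bit quicker for the test scenario; keep in sync with the "sleep 2" steps in evaltest.dat`. The same applies to the identical hunk in xfrmproxy-rekey/hosts/moon/etc/strongswan.conf, and the charon-tkm block continues outside the hunk.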
diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/tkm.conf b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/tkm.conf
index 23e958ab0..62b103a80 100644
--- a/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/tkm.conf
+++ b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/tkm.conf
@@ -14,7 +14,7 @@
<ip>192.168.0.2</ip>
</remote>
<lifetime>
- <soft>2</soft>
+ <soft>4</soft>
<hard>60</hard>
</lifetime>
</policy>
diff --git a/testing/tests/tkm/xfrmproxy-rekey/evaltest.dat b/testing/tests/tkm/xfrmproxy-rekey/evaltest.dat
index 328b4854b..15bdf3b39 100644
--- a/testing/tests/tkm/xfrmproxy-rekey/evaltest.dat
+++ b/testing/tests/tkm/xfrmproxy-rekey/evaltest.dat
@@ -2,11 +2,15 @@ moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.
sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::sleep 2::wait for rekeying::NO
+sun::cat /var/log/daemon.log::creating rekey job for CHILD_SA ESP/0x.*/192.168.0.2::YES
moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
-sun::cat /var/log/daemon.log::creating rekey job for CHILD_SA ESP/0x.*/192.168.0.2::YES
+moon::cat /var/log/daemon.log::deleting child SA (esa: 1, spi:.*)::NO
+moon::sleep 2::wait until inbound SA is deleted::NO
moon::cat /var/log/daemon.log::deleting child SA (esa: 1, spi:.*)::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES
moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES
moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
diff --git a/testing/tests/tkm/xfrmproxy-rekey/hosts/moon/etc/strongswan.conf b/testing/tests/tkm/xfrmproxy-rekey/hosts/moon/etc/strongswan.conf
index cc9d6e072..5b79af9f4 100644
--- a/testing/tests/tkm/xfrmproxy-rekey/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tkm/xfrmproxy-rekey/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,8 @@
# /etc/strongswan.conf - strongSwan configuration file
charon-tkm {
+ # remove rekeyed inbound SA a bit quicker for the test scenario
+ delete_rekeyed_delay = 2
dh_mapping {
15 = 1
16 = 2
diff --git a/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/ipsec.conf
index 99ffb301e..9dc641240 100644
--- a/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/ipsec.conf
@@ -5,7 +5,7 @@ config setup
conn %default
ikelifetime=60m
keylife=10s
- rekeymargin=8s
+ rekeymargin=6s
rekeyfuzz=0%
keyingtries=1
keyexchange=ikev2