Bug #1449

False Success Message by `ipsec up` When There Are e.g. Certificate Errors During Initiation

Added by Christopher Halbersma over 4 years ago. Updated about 4 years ago.

Status: Closed
Priority: Normal
Category: libcharon
Target version:
Start date: 06.05.2016
Due date:
Estimated time:
Affected version: 5.3.5
Resolution: Fixed

Description

When there are certificate issues from the Endpoint, strongSwan issues a line like:

sending DELETE for IKE_SA scdaol[1]

Which kills the connection. It completes and then it says:

connection '<VPN>' established successfully

I've attached the full output from an example of this.
Ideally it shouldn't report that it successfully connected
when it didn't.

I've tested this on 5.3.5 (the Ubuntu 16.04 default version)
we've seen it on 5.1.2 versions do so I don't think.

Attachment: false_message.txt (4.04 KB) - Full output from an example. Christopher Halbersma, 06.05.2016 01:50

Associated revisions

Revision 0a72d68e (diff)
Added by Tobias Brunner about 4 years ago

controller: Use separate callbacks to track termination and initiation of SAs

If a local authentication failure occurs in IKEv1 we delete the IKE_SA, which
we don't want the controller to detect as success.

Fixes #1449.

History

#1 Updated by Tobias Brunner over 4 years ago

  • Category set to libcharon
  • Status changed from New to Feedback
  • Target version set to 5.5.0

Looks like the code in controller_t recognizes the state change from IKE_DELETING to IKE_DESTROYING as proper termination and therefore a success, which is obviously wrong when initiating an SA.

I pushed a possible fix to the 1449-controller-terminate branch.

#2 Updated by Christopher Halbersma over 4 years ago

Tobias Brunner wrote:

> Looks like the code in controller_t recognizes the state change from IKE_DELETING to IKE_DESTROYING as proper termination and therefore a success, which is obviously wrong when initiating an SA.
>
> I pushed a possible fix to the 1449-controller-terminate branch.

Thanks Tobias. Do you know who I'd talk to at Ubuntu to get this patch in the packages there?

#3 Updated by Tobias Brunner about 4 years ago

> Do you know who I'd talk to at Ubuntu to get this patch in the packages there?

Try opening a bug report on Launchpad or upstream for the Debian package.

#4 Updated by Tobias Brunner about 4 years ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to Fixed

#5 Updated by Tobias Brunner about 4 years ago

  • Subject changed from False Success Message When there are Certificate Errors to False Success Message by `ipsec up` When There Are e.g. Certificate Errors During Initiation
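
The diagnosis in note #1 and the commit message of revision 0a72d68e, restated as a small C model. This is an added example, not strongSwan's code: the callback names, result codes and the replayed trace are assumptions made for illustration, and only the IKE_* state names come from the ticket.

```c
/* Simplified model of the controller behaviour in this ticket; NOT strongSwan
 * source. Callback names, result codes and the trace are assumptions. */
#include <stddef.h>
#include <stdio.h>

typedef enum { IKE_CREATED, IKE_CONNECTING, IKE_ESTABLISHED,
               IKE_DELETING, IKE_DESTROYING } ike_state_t;
typedef enum { JOB_PENDING, JOB_SUCCESS, JOB_FAILED } job_result_t;
typedef job_result_t (*state_cb_t)(ike_state_t from, ike_state_t to);

/* Before: one callback judges both "up" and "down" jobs, so an orderly
 * delete (DELETING -> DESTROYING) always counts as success. */
job_result_t shared_cb(ike_state_t from, ike_state_t to)
{
    if (to == IKE_ESTABLISHED) return JOB_SUCCESS;
    if (to != IKE_DESTROYING) return JOB_PENDING;
    return from == IKE_DELETING ? JOB_SUCCESS : JOB_FAILED;
}

/* After (initiation): an SA destroyed before being established has failed. */
job_result_t initiate_cb(ike_state_t from, ike_state_t to)
{
    (void)from;
    if (to == IKE_ESTABLISHED) return JOB_SUCCESS;
    return to == IKE_DESTROYING ? JOB_FAILED : JOB_PENDING;
}

/* After (termination): only here is an orderly delete the success case. */
job_result_t terminate_cb(ike_state_t from, ike_state_t to)
{
    if (to != IKE_DESTROYING) return JOB_PENDING;
    return from == IKE_DELETING ? JOB_SUCCESS : JOB_FAILED;
}

/* Replay a state trace; the first non-pending verdict ends the job. */
job_result_t run_job(state_cb_t cb, const ike_state_t *trace, size_t n)
{
    for (size_t i = 1; i < n; i++) {
        job_result_t r = cb(trace[i - 1], trace[i]);
        if (r != JOB_PENDING) return r;
    }
    return JOB_PENDING;
}
/* Constructed trace: local authentication failure during initiation. */
const ike_state_t AUTH_FAIL[] = { IKE_CREATED, IKE_CONNECTING,
                                  IKE_DELETING, IKE_DESTROYING };
int main(void)
{
    printf("shared=%d initiate=%d\n", (int)run_job(shared_cb, AUTH_FAIL, 4),
           (int)run_job(initiate_cb, AUTH_FAIL, 4));
    return 0;
}
```

Scripts that gate routing or firewall changes on the result of `ipsec up` depend on the initiation verdict being the second form.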
