Issue #3323

Custom plugin needs to send INFORMATIONAL

Added by Scott Sussman 8 months ago. Updated 8 months ago.

Status: Feedback
Priority: Normal
Assignee: -
Category: -
Affected version: 5.8.2
Resolution:

Description

I am developing a custom plugin that takes external data and packages it into an INFORMATIONAL request to the client as a custom NOTIFY type. The message is successfully created and sent but the response to the INFORMATIONAL (an empty INFORMATIONAL) is processed by the IKE task manager and fails (tearing down the IKE and Child tunnels) with the following log message:

received INFORMATIONAL response, but expected EXCHANGE_TYPE_UNDEFINED

I can't seem to find any other plugins generating their own INFORMATIONAL messages. Is this a valid implementation? If so, how can I go about preventing this error from occurring and tearing down the tunnels?

The message is being generated with the following code:

/* libcharon types the snippet operates on (declarations added for context) */
message_t *message;
packet_t *packet;
host_t *host;

message = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION);
message->set_message_id(message, msg_id);
/* source/destination addresses copied from the IKE_SA */
host = ike_sa->get_my_host(ike_sa);
message->set_source(message, host->clone(host));
host = ike_sa->get_other_host(ike_sa);
message->set_destination(message, host->clone(host));
/* build an INFORMATIONAL request carrying the custom NOTIFY payload */
message->set_exchange_type(message, INFORMATIONAL);
message->set_request(message, TRUE);
message->add_payload(message, (payload_t*)notify);
/* encrypt/serialize with the IKE_SA's keys and hand the packet straight to
   the sender, bypassing the task manager */
if (ike_sa->generate_message(ike_sa, message, &packet) == SUCCESS) {
	charon->sender->send(charon->sender, packet);
}
message->destroy(message);

thanks,

Scott

History

#1 Updated by Tobias Brunner 8 months ago

  • Status changed from New to Feedback

You can't just send a message like that to initiate an exchange, you'll mess up the state machine. If you want to send an INFORMATIONAL, initiate a DPD exchange (via task_manager_t::queue_dpd) and use the message hook (listener_t::message) to attach whatever notify you want to the unencrypted outbound message.
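A self-contained C model of the check behind the log line quoted in the issue, added here as an illustration; it is not strongSwan code and not the reporter's plugin. It assumes only that the initiator side of the task manager records an outstanding request solely when a queued task initiates it, so a reply to a hand-rolled INFORMATIONAL is compared against EXCHANGE_TYPE_UNDEFINED and the SA is torn down, while the reply to a queued DPD exchange matches.

```c
#include <stdio.h>

/* IKEv2 exchange types with their RFC 7296 values. EXCHANGE_TYPE_UNDEFINED is
   the "no request outstanding" sentinel (value chosen for this model). */
typedef enum {
    EXCHANGE_TYPE_UNDEFINED = 0,
    IKE_SA_INIT = 34, IKE_AUTH = 35, CREATE_CHILD_SA = 36, INFORMATIONAL = 37
} exchange_type_t;
typedef enum { SUCCESS, DESTROY_ME } status_t;

/* Minimal model of the initiator side of one IKE_SA's task manager: it
   remembers only the exchange type of the request it is waiting on. */
typedef struct { exchange_type_t initiating; } task_manager_model_t;

/* Queued-task path: the task manager records the exchange before the
   request goes out, so the matching response can be recognised. */
void initiate_exchange(task_manager_model_t *tm, exchange_type_t type) {
    tm->initiating = type;
}

/* Bypass path from the issue: the plugin hands a packet straight to the
   sender, so the task manager never learns a request is outstanding. */
void send_bypassing_task_manager(task_manager_model_t *tm) {
    (void)tm;   /* nothing recorded; that is the whole problem */
}

/* Modeled after the check that emits the log line quoted in the issue: a
   response whose type differs from the outstanding request's is fatal. */
status_t process_response(task_manager_model_t *tm, exchange_type_t type) {
    if (type != tm->initiating) {
        printf("received %d response, but expected %d\n", type, tm->initiating);
        return DESTROY_ME;
    }
    tm->initiating = EXCHANGE_TYPE_UNDEFINED;   /* exchange completed */
    return SUCCESS;
}

/* Reporter's approach: the empty INFORMATIONAL reply tears the SA down. */
status_t scenario_unsolicited(void) {
    task_manager_model_t tm = { EXCHANGE_TYPE_UNDEFINED };
    send_bypassing_task_manager(&tm);
    return process_response(&tm, INFORMATIONAL);
}

/* Queued DPD task (an INFORMATIONAL exchange): the same reply is accepted. */
status_t scenario_queued_dpd(void) {
    task_manager_model_t tm = { EXCHANGE_TYPE_UNDEFINED };
    initiate_exchange(&tm, INFORMATIONAL);
    return process_response(&tm, INFORMATIONAL);
}
```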

#2 Updated by Scott Sussman 8 months ago

Thanks Tobias,

You say to init a DPD exchange via task_manager_t::queue_dpd, but only the ike_sa can access the task_manager. Looking at the ike_sa code I see that there is a send_dpd routine I can call, but that is not reliable since it may decide not to queue a DPD if the delay is not exhausted from the last message exchange. Is there a way to access the task_manager to directly call the queue_dpd function that I am not seeing, or to guarantee the DPD will be sent from the ike_sa call?

thanks again,

Scott

#3 Updated by Tobias Brunner 8 months ago

You say to init a DPD exchange via task_manager_t::queue_dpd but only the ike_sa can access the task_manager.

True, then just queue an ike_dpd_t task via ike_sa_t::queue_task manually.

#4 Updated by Scott Sussman 8 months ago

This works, thanks!
