
Bug #885

updown script isn't executed after make-before-break reauthentication

Added by Luka Logar over 5 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: libcharon
Target version:
Start date: 11.03.2015
Due date:
Estimated time:
Affected version: dr|rc|master
Resolution: Fixed

Description

Hi,

I have noticed that when using make-before-break reauthentication, the down script (on the reauth initiator side) doesn't get called after the successful reauthentication, thus not deleting the old firewall rules. I think that the problem is that the SA is (falsely?) in IKE_REKEYING mode when calling ike_delete->process_i().

Best regards
Luka

Associated revisions

Revision 799f4c5d (diff)
Added by Martin Willi over 5 years ago

ikev2: Don't set old IKE_SA to REKEYING state during make-before-break reauth

We are actually not in rekeying state, but just trigger a separate, new IKE_SA
as a replacement for the current IKE_SA. Switching to the REKEYING state
disables the invocation of both IKE and CHILD_SA updown hooks as initiator,
preventing the removal of any firewall rules.

Fixes #885.
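The state gating the commit message describes, as an added example that is not strongSwan's code: a small C model of the initiator's delete path in which a REKEYING IKE_SA skips its updown hook (its replacement is assumed to own the policy), so marking the old IKE_SA REKEYING during make-before-break reauth leaks the old firewall rule, while leaving it ESTABLISHED lets the down hook remove it. All identifiers (ike_sa_t, the state names, firewall_rules, reauth_mbb) are hypothetical simplifications, and the "firewall" is a constructed array, not real iptables state.

```c
/* Added example, not strongSwan's own code: a minimal model of the
 * IKE_SA state gating behind bug #885.  All names here are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    IKE_ESTABLISHED,
    IKE_REKEYING,
    IKE_DELETING,
} ike_state_t;

typedef struct {
    int id;
    ike_state_t state;
} ike_sa_t;

/* Constructed "firewall": one slot per IKE_SA id, true if a rule is installed. */
#define MAX_SAS 8
static bool firewall_rules[MAX_SAS];
static int updown_calls;

/* Stand-in for the updown hook: up installs a rule, down removes it. */
static void updown(ike_sa_t *sa, bool up)
{
    updown_calls++;
    firewall_rules[sa->id] = up;
}

static void ike_sa_establish(ike_sa_t *sa, int id)
{
    sa->id = id;
    sa->state = IKE_ESTABLISHED;
    updown(sa, true);
}

/* Models the initiator's delete path: a REKEYING SA skips the down hook,
 * because a rekey replacement is assumed to have taken over the policy.
 * That assumption is wrong for make-before-break reauth, where the new
 * IKE_SA installed its own rules via its own up hook. */
static void ike_sa_delete(ike_sa_t *sa)
{
    if (sa->state == IKE_ESTABLISHED) {
        updown(sa, false);
    }
    sa->state = IKE_DELETING;
}

/* Make-before-break reauth: new IKE_SA first, then the old one is deleted.
 * mark_rekeying = true models the behaviour before 799f4c5d, false the fix.
 * Returns how many firewall rules are still installed afterwards. */
static int reauth_mbb(bool mark_rekeying)
{
    ike_sa_t old_sa, new_sa;
    int rules = 0, i;

    memset(firewall_rules, 0, sizeof(firewall_rules));
    updown_calls = 0;

    ike_sa_establish(&old_sa, 1);
    if (mark_rekeying) {
        old_sa.state = IKE_REKEYING;   /* the bug: old SA flagged as rekeying */
    }
    ike_sa_establish(&new_sa, 2);      /* replacement SA brings its own rule */
    ike_sa_delete(&old_sa);            /* down hook only runs if ESTABLISHED */

    for (i = 0; i < MAX_SAS; i++) {
        rules += firewall_rules[i] ? 1 : 0;
    }
    return rules;
}

int main(void)
{
    printf("old SA marked REKEYING: %d rule(s) left\n", reauth_mbb(true));  /* 2: old rule leaked */
    printf("old SA kept ESTABLISHED: %d rule(s) left\n", reauth_mbb(false)); /* 1: only the new SA */
    return 0;
}
```

The check a practitioner would apply on a real system is the same in spirit: after a make-before-break reauth on the initiator, list the firewall rules (or the updown script's own log) and confirm that exactly one set of rules, the new IKE_SA's, remains.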

History

#1 Updated by Martin Willi over 5 years ago

  • Tracker changed from Issue to Bug
  • Category set to libcharon
  • Status changed from New to Closed
  • Assignee set to Martin Willi
  • Target version set to 5.3.0
  • Resolution set to Fixed

Hi Luka,

Thanks for your bug report. In fact, we do miss the invocation of both the IKE and CHILD updown hooks for re-authenticated IKE_SAs as initiator because of that IKE_REKEYING state.

Instead of switching to the REKEYING state, I think we should just keep the old IKE_SA as ESTABLISHED. This should ensure that the hooks get invoked after deleting the old SA. Implemented in master with the referenced commit.

Regards
Martin
