Bug #1421
Updated by Tobias Brunner over 9 years ago
I spotted that with charon (strongSwan 5.3.5) the deletion of a redundant CHILD_SA triggers updown events:
<pre>
Apr 20 10:04:41 vm-apr12vti-3 charon[21015]: 08[KNL] received a XFRM_MSG_EXPIRE
Apr 20 10:04:41 vm-apr12vti-3 charon[21015]: 08[KNL] creating rekey job for CHILD_SA ESP/0xce28dadf/10.10.2.3
Apr 20 10:04:41 vm-apr12vti-3 charon[21015]: 08[MGR] checkout IKE_SA
Apr 20 10:04:41 vm-apr12vti-3 charon[21015]: 08[MGR] IKE_SA peer-10.10.2.2-tunnel-vti[2] successfully checked out
Apr 20 10:04:41 vm-apr12vti-3 charon[21015]: 08[IKE] <peer-10.10.2.2-tunnel-vti|2> deleting redundant CHILD_SA peer-10.10.2.2-tunnel-vti{15}
Apr 20 10:04:41 vm-apr12vti-3 charon[21015]: 08[IKE] <peer-10.10.2.2-tunnel-vti|2> queueing QUICK_DELETE task
Apr 20 10:04:41 vm-apr12vti-3 charon[21015]: 08[IKE] <peer-10.10.2.2-tunnel-vti|2> activating new tasks
Apr 20 10:04:41 vm-apr12vti-3 charon[21015]: 08[IKE] <peer-10.10.2.2-tunnel-vti|2> activating QUICK_DELETE task
Apr 20 10:04:41 vm-apr12vti-3 charon[21015]: 08[KNL] <peer-10.10.2.2-tunnel-vti|2> querying SAD entry with SPI ce28dadf (mark 2415919105/0xffffffff)
Apr 20 10:04:41 vm-apr12vti-3 charon[21015]: 05[JOB] watcher got notification, rebuilding
Apr 20 10:04:41 vm-apr12vti-3 charon[21015]: 05[JOB] watcher going to poll() 5 fds
Apr 20 10:04:41 vm-apr12vti-3 charon[21015]: 08[KNL] <peer-10.10.2.2-tunnel-vti|2> querying SAD entry with SPI c5b8d457 (mark 2415919105/0xffffffff)
Apr 20 10:04:41 vm-apr12vti-3 charon[21015]: 08[IKE] <peer-10.10.2.2-tunnel-vti|2> closing CHILD_SA peer-10.10.2.2-tunnel-vti{15} with SPIs ce28dadf_i (0 bytes) c5b8d457_o (1344 bytes) and TS 0.0.0.0/0 === 0.0.0.0/0
Apr 20 10:04:41 vm-apr12vti-3 custom-updown-script[21145]: UPDOWN: down-client: 10.10.2.2 0.0.0.0/0 == 10.10.2.2 -- 10.10.2.3 == 0.0.0.0/0
</pre>
Commit commit:7f2a20a4f45dc1a1806aa4fd2ef39ce21d586ba4 70728eb1b6005fe6e400e5df3534ed7087acc380 is suppressing updown events for IKEv2. Should updown events also be suppressed for IKEv1 in case of deletion of redundant CHILD_SAs?
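The correlation the reporter did by eye, as an added example that is not part of the report or of strongSwan: it walks charon's log, remembers every CHILD_SA that charon announced as redundant, and flags a down-* updown invocation that directly follows the close of such a CHILD_SA. Since the updown script's own log line carries no CHILD_SA identifier, attribution is by ordering only, which is an assumption: if several IKE_SAs tear down CHILD_SAs at the same instant the interleaved lines can be mis-attributed. The first six log lines are the ones from the report; the two lines for CHILD_SA {16} are constructed to show that an ordinary close is not flagged. The "UPDOWN: <verb>:" format is the reporter's custom script as shown above, not something charon prints.

```python
import re
from dataclasses import dataclass

# Log excerpt from the report above (charon, strongSwan 5.3.5, IKEv1 rekey of
# CHILD_SA {15}), followed by two CONSTRUCTED lines modelling an ordinary
# teardown of a hypothetical CHILD_SA {16} that was never marked redundant.
SAMPLE_LOG = """\
Apr 20 10:04:41 vm-apr12vti-3 charon[21015]: 08[KNL] received a XFRM_MSG_EXPIRE
Apr 20 10:04:41 vm-apr12vti-3 charon[21015]: 08[KNL] creating rekey job for CHILD_SA ESP/0xce28dadf/10.10.2.3
Apr 20 10:04:41 vm-apr12vti-3 charon[21015]: 08[IKE] <peer-10.10.2.2-tunnel-vti|2> deleting redundant CHILD_SA peer-10.10.2.2-tunnel-vti{15}
Apr 20 10:04:41 vm-apr12vti-3 charon[21015]: 08[IKE] <peer-10.10.2.2-tunnel-vti|2> queueing QUICK_DELETE task
Apr 20 10:04:41 vm-apr12vti-3 charon[21015]: 08[IKE] <peer-10.10.2.2-tunnel-vti|2> closing CHILD_SA peer-10.10.2.2-tunnel-vti{15} with SPIs ce28dadf_i (0 bytes) c5b8d457_o (1344 bytes) and TS 0.0.0.0/0 === 0.0.0.0/0
Apr 20 10:04:41 vm-apr12vti-3 custom-updown-script[21145]: UPDOWN: down-client: 10.10.2.2 0.0.0.0/0 == 10.10.2.2 -- 10.10.2.3 == 0.0.0.0/0
Apr 20 10:09:12 vm-apr12vti-3 charon[21015]: 11[IKE] <peer-10.10.2.2-tunnel-vti|2> closing CHILD_SA peer-10.10.2.2-tunnel-vti{16} with SPIs c0a80001_i (512 bytes) c0a80002_o (2048 bytes) and TS 0.0.0.0/0 === 0.0.0.0/0
Apr 20 10:09:12 vm-apr12vti-3 custom-updown-script[21201]: UPDOWN: down-client: 10.10.2.2 0.0.0.0/0 == 10.10.2.2 -- 10.10.2.3 == 0.0.0.0/0
"""

# charon's own messages, in the format they appear in the report.
REDUNDANT_RE = re.compile(r"deleting redundant CHILD_SA (?P<name>\S+?)\{(?P<id>\d+)\}")
CLOSING_RE = re.compile(
    r"closing CHILD_SA (?P<name>\S+?)\{(?P<id>\d+)\} with SPIs "
    r"(?P<spi_i>[0-9a-f]+)_i \((?P<bytes_i>\d+) bytes\) "
    r"(?P<spi_o>[0-9a-f]+)_o \((?P<bytes_o>\d+) bytes\)"
)
# The reporter's custom updown script logs "UPDOWN: <verb>: ..." (assumed format).
UPDOWN_RE = re.compile(r"UPDOWN: (?P<verb>[\w-]+):")


@dataclass
class RedundantUpdown:
    """An updown 'down' invocation attributed to the deletion of a redundant CHILD_SA."""
    child_sa: str      # e.g. "peer-10.10.2.2-tunnel-vti{15}"
    spi_in: str
    spi_out: str
    bytes_in: int
    bytes_out: int
    updown_line: str


def find_redundant_updown_events(log_text: str) -> list[RedundantUpdown]:
    """Return every down-* updown invocation that directly follows the closing of a
    CHILD_SA charon had announced as redundant.

    The updown line carries no CHILD_SA identifier, so attribution is by order:
    the first down-* event after a redundant close is charged to it, and any
    other 'closing CHILD_SA' line in between replaces or clears that candidate.
    """
    redundant: set[str] = set()   # "name{id}" of CHILD_SAs announced as redundant
    pending = None                # match of the last redundant close not yet attributed
    hits: list[RedundantUpdown] = []
    for line in log_text.splitlines():
        m = REDUNDANT_RE.search(line)
        if m:
            redundant.add(m["name"] + "{" + m["id"] + "}")
            continue
        m = CLOSING_RE.search(line)
        if m:
            key = m["name"] + "{" + m["id"] + "}"
            pending = m if key in redundant else None
            continue
        m = UPDOWN_RE.search(line)
        if m and m["verb"].startswith("down"):
            if pending is not None:
                key = pending["name"] + "{" + pending["id"] + "}"
                hits.append(RedundantUpdown(
                    child_sa=key,
                    spi_in=pending["spi_i"], spi_out=pending["spi_o"],
                    bytes_in=int(pending["bytes_i"]), bytes_out=int(pending["bytes_o"]),
                    updown_line=line.strip(),
                ))
                redundant.discard(key)
            pending = None
    return hits


if __name__ == "__main__":
    for hit in find_redundant_updown_events(SAMPLE_LOG):
        print(f"updown 'down' fired for redundant {hit.child_sa} "
              f"(in {hit.spi_in}: {hit.bytes_in} bytes, out {hit.spi_out}: {hit.bytes_out} bytes)")
```

Run against a real syslog, the byte counters in each hit are worth a look: the redundant SA from the report had 0 inbound bytes, i.e. the script's "down" action tore down state for a tunnel over which nothing had actually arrived, while the surviving CHILD_SA of the same connection kept carrying traffic.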