racoon behaviour when SA expires
Helge Oldach
helge.oldach at atosorigin.com
Wed Feb 2 01:09:40 PST 2005
Chris Cowen:
>A bit more investigation reveals that the SA is re-established but the
>SPD entries at the remote get dropped. This would explain the half duplex
>communication I am seeing with tcpdump (ping responses get back as far
>as the remote racoon machine and the lack of SPD means the machine can't
>route the packet back through the tunnel).
>
>I have tried applying the suggested fix in fbsd4/530, which seems to be
>a similar problem, but this doesn't make any difference, unfortunately.
The fix in that PR is incomplete. This one works for me:
--- isakmp_quick.c.orig Tue Oct 21 09:18:03 2003
+++ isakmp_quick.c Mon Apr 12 19:55:27 2004
@@ -2012,7 +2012,7 @@
/* get inbound policy */
sp_in = getsp_r(&spidx);
- if (sp_in == NULL) {
+ /* if (sp_in == NULL) */ {
if (iph2->ph1->rmconf->gen_policy) {
plog(LLV_INFO, LOCATION, NULL,
"no policy found, "
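Review bot: with the `if (sp_in == NULL)` test commented out, the block is unconditional, so when `gen_policy` is set the `plog(LLV_INFO, ...)` message beginning "no policy found, " is now emitted even on the path where `getsp_r(&spidx)` did return a policy; either reword that message so it is accurate for both cases, or express the intent as a real condition (for example `if (iph2->ph1->rmconf->gen_policy || sp_in == NULL)`) rather than leaving a commented-out expression in front of a bare `{`, which reads as dead code to the next maintainer.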
@@ -2027,9 +2027,11 @@
memcpy(iph2->spidx_gen, &spidx, sizeof(spidx));
return -2; /* special value */
}
+ else if (sp_in == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"no policy found: %s\n", spidx2str(&spidx));
return ISAKMP_INTERNAL_ERROR;
+ }
}
/* get outbound policy */
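Review bot: the added `+ }` closes the new `else if (sp_in == NULL)` branch and the existing `}` on the following line closes the now-unconditional block opened by `/* if (sp_in == NULL) */ {` in the previous hunk; with indentation lost this pairing is easy to misread, and since the outer block no longer guards anything, the outer braces and the commented-out condition can be dropped so the code reads as a plain `if (iph2->ph1->rmconf->gen_policy) { ... } else if (sp_in == NULL) { ... }`. Also, `return -2; /* special value */` should say what the caller does with -2 (presumably generating the policy), since with this patch that is the path taken on every phase-2 negotiation when gen_policy is set, not only when no policy exists.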
Helge