Thread: DPD issue with multiple tunnels between two peers

DPD issue with multiple tunnels between two peers
Mark-André Hopf
2007-06-14 09:39:24
Hello.

I know that DPD is supposed to be broken under certain conditions,
especially when working with more than one connection between two peers.

Some trouble can be avoided by using 'restart_by_peer' instead of
'restart' or 'hold'. (This is http://bugs.xelerance.com/view.php?id=729)

Now we recently stumbled into the following interesting scenario with
Openswan 1.0.x and 2.4.7. (This might be related to
http://bugs.xelerance.com/view.php?id=452)

o Set up two VPN tunnels between two Openswan gateways, one acting as a
  responder (does not initiate, X.509 certs and %any as remote peer),
  the other as an initiator (with DPD set to restart_by_peer).

o After the initiation the ISAKMP SA is shared by both IPsec SAs.
  (Ensure that the ISAKMP SAs on both peers belong to the same pair of
  IPsec SAs. At least that's what I did, it might not be a requirement.)

o On the responder, terminate the connection owning the ISAKMP SA.

o The initiator receives a Delete Notification and terminates the ISAKMP SA
  and one of its IPsec SAs within 10s. Another IPsec SA remains active.

o Now kill the pluto daemon on the responder (SIGKILL!), start Pluto again
  and re-add the two connections.

  (This way the IPsec SA is removed on the receiver and the client receives
  no Delete Notification, which is a valid behaviour as Delete Notifications
  are not retransmitted when lost.)

o The initiator will renegotiate the connection which has no IPsec SA.

=>

o On the initiator DPD will believe that everything is fine because its
  ISAKMP SA is working and it has two IPsec SAs, one being invalid.

o On the gateway one IPsec SA is missing until the next rekeying attempt of
  the invalid IPsec SA.

From what I saw in RFC 3706, DPD does not carry information about the IPsec
SA which is being watched. Is that right or is this mishandled by Openswan?

From the logs I see that DPD is started when an IPsec SA is established, so
I guess one would expect that it also carries information about the IPsec SA
it is watching.

For a hotfix I solved the issue by restarting all IPsec SAs to the same peer
if one IPsec SA received a Delete Notification, which seems to work for now.

Bye,
  Mark

-- 
Dipl.-Inf. Mark-André Hopf
Senior Software Engineer
Innominate Security Technologies AG
protecting industrial networks
tel: +49.30.6392-3284
fax: +49.30.6392-3307
Albert-Einstein-Str. 14
D-12489 Berlin, Germany
www.innominate.com

Register Court: AG Charlottenburg, HR B 81603
Management Board: Joachim Fietz, Dirk Seewald
Chairman of the Supervisory Board: Edward M. Stadum
_______________________________________________
Dev mailing list
Dev@openswan.org
http://lists.openswan.org/mailman/listinfo/dev
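The sequence of events from the post above, replayed as an added, constructed model (this is not Openswan/pluto code and not from the thread): two IPsec SAs share one ISAKMP SA, the responder deletes the connection that owns the ISAKMP SA, then loses all state without sending a Delete, and the initiator renegotiates only the connection that has no IPsec SA. The model's DPD probe does what RFC 3706 R-U-THERE does, namely check the ISAKMP SA and nothing else, so it reports the peer alive while one IPsec SA is orphaned. With `hotfix=True` it applies the workaround from the post (a Delete on one IPsec SA restarts all IPsec SAs to that peer). Gateway and connection names (`initiator`, `responder`, `A`, `B`), the ISAKMP SA ids and all function names are assumptions made for the model.

```python
"""Model of the DPD blind spot described in the post: RFC 3706 DPD probes the
ISAKMP (phase 1) SA only, so an IPsec SA the peer silently lost stays 'up' on
the initiator as long as the shared ISAKMP SA still answers.

Added, constructed model, not Openswan/pluto code. Gateway and connection
names, ISAKMP SA ids and the hotfix policy are assumptions for illustration."""
import itertools
from dataclasses import dataclass, field

_ids = itertools.count(1)


@dataclass
class Gateway:
    name: str
    conns: list                                    # configured connection names
    isakmp_sa: dict = field(default_factory=dict)  # peer name -> ISAKMP SA id
    ipsec_sa: dict = field(default_factory=dict)   # conn name -> ISAKMP SA it was set up under
    log: list = field(default_factory=list)


def initiate(init, resp, conn):
    """Bring up `conn`; a second connection to the same peer reuses the ISAKMP SA."""
    if resp.name not in init.isakmp_sa:
        sid = f"isakmp#{next(_ids)}"
        init.isakmp_sa[resp.name] = sid
        resp.isakmp_sa[init.name] = sid
    sid = init.isakmp_sa[resp.name]
    init.ipsec_sa[conn] = resp.ipsec_sa[conn] = sid
    init.log.append(f"up {conn} under {sid}")


def dpd_probe(init, resp):
    """R-U-THERE / R-U-THERE-ACK: an informational exchange under the ISAKMP SA
    carrying only a sequence number. Nothing in it names an IPsec SA."""
    sid = init.isakmp_sa.get(resp.name)
    return sid is not None and resp.isakmp_sa.get(init.name) == sid


def dpd_check(init, resp):
    """dpdaction=restart semantics: a dead peer tears down every SA to it and
    all configured connections are brought up again."""
    if resp.name not in init.isakmp_sa:
        return "idle"          # no ISAKMP SA, so no DPD timer is running
    if dpd_probe(init, resp):
        return "alive"
    del init.isakmp_sa[resp.name]
    init.ipsec_sa.clear()
    for conn in init.conns:
        initiate(init, resp, conn)
    return "restarted"


def renegotiate_missing(init, resp):
    """Configured connections without an IPsec SA are brought up again."""
    for conn in init.conns:
        if conn not in init.ipsec_sa:
            initiate(init, resp, conn)


def responder_terminates(resp, init, conn, hotfix):
    """Responder deletes `conn` and, since `conn` owns it, the ISAKMP SA. The
    Delete payloads name SPIs, so on the initiator only that IPsec SA and the
    ISAKMP SA go away; the other IPsec SA keeps running."""
    del resp.ipsec_sa[conn]
    del resp.isakmp_sa[init.name]
    del init.ipsec_sa[conn]
    del init.isakmp_sa[resp.name]
    init.log.append(f"delete received for {conn} and its ISAKMP SA")
    if hotfix:
        # Workaround from the post: a Delete for one IPsec SA restarts every
        # IPsec SA to the same peer instead of leaving the others untouched.
        init.ipsec_sa.clear()
        init.log.append("hotfix: restarting all IPsec SAs to this peer")
        renegotiate_missing(init, resp)


def responder_crash(resp):
    """SIGKILL on pluto: all SA state is gone and no Delete is ever sent.
    A lost Delete looks the same, since Deletes are not retransmitted."""
    resp.isakmp_sa.clear()
    resp.ipsec_sa.clear()


def orphaned(init, resp):
    """IPsec SAs the initiator still holds but the responder no longer has."""
    return sorted(c for c in init.ipsec_sa if c not in resp.ipsec_sa)


def run_scenario(hotfix=False):
    """Replay the steps from the post and report what DPD sees at the end."""
    init = Gateway("initiator", ["A", "B"])
    resp = Gateway("responder", ["A", "B"])
    initiate(init, resp, "A")                       # creates the ISAKMP SA
    initiate(init, resp, "B")                       # shares it
    responder_terminates(resp, init, "A", hotfix)   # A owns the ISAKMP SA
    responder_crash(resp)                           # state lost, conns re-added
    renegotiate_missing(init, resp)                 # initiator brings up what it lacks
    return {
        "dpd": dpd_check(init, resp),
        "dpd_alive": dpd_probe(init, resp),
        "orphaned": orphaned(init, resp),
        "initiator_ipsec": sorted(init.ipsec_sa),
        "responder_ipsec": sorted(resp.ipsec_sa),
    }


if __name__ == "__main__":
    for hotfix in (False, True):
        print(f"hotfix={hotfix}:", run_scenario(hotfix))
```

Without the hotfix the final DPD check returns "alive" while `orphaned` lists connection B, which is exactly the state the post describes: the initiator keeps a dead IPsec SA until its next rekey. With the hotfix, both IPsec SAs were renegotiated under a fresh ISAKMP SA before the crash, so the crash kills that ISAKMP SA too, the probe fails, and `dpdaction=restart` brings everything back up with nothing left behind.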

Re: DPD issue with multiple tunnels between two peers
Michael Richardson
Canada
2007-06-14 16:27:15
>>>>> "Mark-Andre" == Mark-Andre Hopf <mhopf@innominate.com> writes:
    Mark-Andre> Hello.

    Mark-Andre> I know that DPD is supposed to be broken under certain
    Mark-Andre> conditions, especially when working with more than one
    Mark-Andre> connection between two peers.

  Not in 2.5.xx

    Mark-Andre> Some trouble can be avoided by using

  Some... that code was very problematic.

-- 
]            Bear: "Me, I'm just the shape of a bear."          |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [


Re: DPD issue with multiple tunnels between two peers
Mark-André Hopf
2007-06-15 06:53:53
On Thu 14.06. 17:27, Michael Richardson wrote:
> >>>>> "Mark-Andre" == Mark-Andre Hopf <mhopf@innominate.com> writes:

>     Mark-Andre> I know that DPD is supposed to be broken under certain
>     Mark-Andre> conditions, especially when working with more than one
>     Mark-Andre> connection between two peers.
> 
>   Not in 2.5.xx

Ah! I see (pause) not. I've read the git logs and a diff to 2.4.8 but failed to
see how the issue (the restart_by_peers and the one I reported) was solved.
I would be glad if you could give a little hint so that I can gain some
enlightenment. ;)

>     Mark-Andre> Some trouble can be avoided by using
> 
>   Some... that code was very problematic.

Was the 'restart_by_peer' option problematic or developing a fix? I see
that the 2.5 tree provides only the 'restart' option.

Mark

-- 
Dipl.-Inf. Mark-André Hopf
Innominate Security Technologies AG

Re: DPD issue with multiple tunnels between two peers
Benny Amorsen
Denmark
2007-06-15 09:36:27
>>>>> "MR" == Michael Richardson <mcr@sandelman.ottawa.on.ca> writes:

>>>>> "Mark-Andre" == Mark-Andre Hopf <mhopf@innominate.com> writes:
Mark-Andre> Hello.

Mark-Andre> I know that DPD is supposed to be broken under certain
Mark-Andre> conditions, especially when working with more than one
Mark-Andre> connection between two peers.

MR>   Not in 2.5.xx

That is somewhat hard to verify when there are no snapshots of 2.5.xx
available...


/Benny

Re: DPD issue with multiple tunnels between two peers
Mark-André Hopf
2007-06-15 10:35:10
On Fri 15.06. 16:36, Benny Amorsen wrote:
> >>>>> "MR" == Michael Richardson <mcr@sandelman.ottawa.on.ca> writes:
> 
> >>>>> "Mark-Andre" == Mark-Andre Hopf <mhopf@innominate.com> writes:
> Mark-Andre> Hello.
> 
> Mark-Andre> I know that DPD is supposed to be broken under certain
> Mark-Andre> conditions, especially when working with more than one
> Mark-Andre> connection between two peers.
> 
> MR>   Not in 2.5.xx
> 
> That is somewhat hard to verify when there are no snapshots of 2.5.xx
> available...

The git repository lists

  v2.5.01
  v2.5.03
  v2.5.05
  v2.5.0cl8
  v2.5.0cl9
  v2.5.0dr1

But 2.5 isn't stable anyway.

Mark

-- 
Dipl.-Inf. Mark-André Hopf
Innominate Security Technologies AG

Re: DPD issue with multiple tunnels between two peers
Paul Wouters
Netherlands
2007-06-15 13:27:03
On Fri, 15 Jun 2007, Benny Amorsen wrote:

> MR>   Not in 2.5.xx
>
> That is somewhat hard to verify when there are no snapshots of 2.5.xx
> available...

http://www.openswan.org/download/development/
ftp://ftp.openswan.org/openswan/development/

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

Re: DPD issue with multiple tunnels between two peers
Benny Amorsen
Denmark
2007-06-15 14:45:06
>>>>> "PW" == Paul Wouters <paul@xelerance.com> writes:

PW> On Fri, 15 Jun 2007, Benny Amorsen wrote:
MR> Not in 2.5.xx
>>  That is somewhat hard to verify when there are no snapshots of
>> 2.5.xx available...

PW> http://www.openswan.org/download/development/
PW> ftp://ftp.openswan.org/openswan/development/

I do apologize. I will have to polish my Google skills and try out 2.5
at once.


/Benny