- Relax deleting IKE SA's and IPsec SA's to avoid interop issues with third party VPN vendors
parent
6ce6d0ad52
commit
c052b5d629
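--- /dev/null
+++ b/libreswan-3.25-relax-delete.patch
@@ -0,0 +1,62 @@
+diff --git a/programs/pluto/state.c b/programs/pluto/state.c
+index 7b33145..a3bcc3c 100644
+--- a/programs/pluto/state.c
++++ b/programs/pluto/state.c
+@@ -3155,27 +3155,40 @@ void ISAKMP_SA_established(const struct state *pst)
+d = next;
+}
+
+- if (c->newest_isakmp_sa != SOS_NOBODY &&
+- c->newest_isakmp_sa != pst->st_serialno) {
+- struct state *old_p1 = state_by_serialno(c->newest_isakmp_sa);
++ /*
++ * This only affects IKEv2, since we don't store any
++ * received INITIAL_CONTACT for IKEv1.
++ * We don't do this on IKEv1, because it seems to
++ * confuse various third parties (Windows, Cisco VPN 300,
++ * and juniper
++ * likely because this would be called before the IPsec SA
++ * of QuickMode is installed, so the remote endpoints view
++ * this IKE SA still as the active one?
++ */
++ if (pst->st_seen_initialc) {
+
+- DBG(DBG_CONTROL, DBG_log("deleting replaced IKE state for %s",
+- old_p1->st_connection->name));
+- old_p1->st_suppress_del_notify = TRUE;
+- event_force(EVENT_SA_EXPIRE, old_p1);
+- }
++ if (c->newest_isakmp_sa != SOS_NOBODY &&
++ c->newest_isakmp_sa != pst->st_serialno) {
++ struct state *old_p1 = state_by_serialno(c->newest_isakmp_sa);
+
+- if (pst->st_seen_initialc && (c->newest_ipsec_sa != SOS_NOBODY))
+- {
+- struct state *old_p2 = state_by_serialno(c->newest_ipsec_sa);
+- struct connection *d = old_p2 == NULL ? NULL : old_p2->st_connection;
++ DBG(DBG_CONTROL, DBG_log("deleting replaced IKE state for %s",
++ old_p1->st_connection->name));
++ old_p1->st_suppress_del_notify = TRUE;
++ event_force(EVENT_SA_EXPIRE, old_p1);
++ }
+
+- if (c == d && same_id(&c->spd.that.id, &d->spd.that.id))
++ if (c->newest_ipsec_sa != SOS_NOBODY)
+{
+- DBG(DBG_CONTROL, DBG_log("Initial Contact received, deleting old state #%lu from connection '%s'",
+- c->newest_ipsec_sa, c->name));
+- old_p2->st_suppress_del_notify = TRUE;
+- event_force(EVENT_SA_EXPIRE, old_p2);
++ struct state *old_p2 = state_by_serialno(c->newest_ipsec_sa);
++ struct connection *d = old_p2 == NULL ? NULL : old_p2->st_connection;
++
++ if (c == d && same_id(&c->spd.that.id, &d->spd.that.id))
++ {
++ DBG(DBG_CONTROL, DBG_log("Initial Contact received, deleting old state #%lu from connection '%s'",
++ c->newest_ipsec_sa, c->name));
++ old_p2->st_suppress_del_notify = TRUE;
++ event_force(EVENT_SA_EXPIRE, old_p2);
++ }
+}
+}
+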
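Review bot: old_p1 is dereferenced without a NULL check on the new side (`old_p1->st_connection->name` in the DBG_log directly after `struct state *old_p1 = state_by_serialno(c->newest_isakmp_sa);`), whereas the old_p2 lookup a few lines further down in the same hunk explicitly handles state_by_serialno() returning NULL. If the lookup can fail for newest_isakmp_sa as well, which the old_p2 guard suggests, a stale serial number on the IKEv2 initial-contact path would crash pluto instead of being skipped; the pattern is carried over from the removed lines, but the commit re-indents and keeps it, so wrapping the DBG/suppress/expire block in `if (old_p1 != NULL) {` would make the two lookups consistent. The added block comment has an unclosed parenthesis after "juniper" and ends in a question mark, which reads as an open question rather than the recorded rationale for skipping the IKEv1 case; closing the parenthesis and phrasing the last clause as a statement ("likely because … is installed, so the remote endpoint still sees this IKE SA as the active one") would make the intent clearer to the next maintainer. The enclosing function ISAKMP_SA_established() begins before this hunk, so the declaration and initialisation of c and pst->st_seen_initialc are not visible here.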
@ -30,7 +30,7 @@ Name: libreswan
|
||||
Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
|
||||
# version is generated in the release script
|
||||
Version: 3.25
|
||||
Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}
|
||||
Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}
|
||||
License: GPLv2
|
||||
Url: https://libreswan.org/
|
||||
Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
|
||||
@ -39,6 +39,9 @@ Source1: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
|
||||
Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
|
||||
Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
|
||||
%endif
|
||||
|
||||
Patch1: libreswan-3.25-relax-delete.patch
|
||||
|
||||
Requires(post): bash coreutils systemd
|
||||
Requires(preun): systemd
|
||||
Requires(postun): systemd
|
||||
@ -102,6 +105,7 @@ sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/pluto/ikev2-15-fuzzer/send_
|
||||
sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/x509/dist_certs.py
|
||||
# enable crypto-policies support
|
||||
sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" programs/configs/ipsec.conf.in
|
||||
%patch1 -p1
|
||||
|
||||
%build
|
||||
%if 0%{with_efence}
|
||||
@ -208,6 +212,9 @@ export NSS_DISABLE_HW_GCM=1
|
||||
%{_libdir}/fipscheck/pluto.hmac
|
||||
|
||||
%changelog
|
||||
* Mon Jul 02 2018 Paul Wouters <pwouters@redhat.com> - 3.25-2
|
||||
- Relax deleting IKE SA's and IPsec SA's to avoid interop issues with third party VPN vendors
|
||||
|
||||
* Wed Jun 27 2018 Paul Wouters <pwouters@redhat.com> - 3.25-1
|
||||
- Updated to 3.25
|
||||
|
||||
|