- Relax deleting IKE SA's and IPsec SA's to avoid interop issues with third party VPN vendors

This commit is contained in:
Paul Wouters 2018-07-02 12:12:34 -04:00
parent 6ce6d0ad52
commit c052b5d629
2 changed files with 70 additions and 1 deletions

View File

@ -0,0 +1,62 @@
diff --git a/programs/pluto/state.c b/programs/pluto/state.c
index 7b33145..a3bcc3c 100644
--- a/programs/pluto/state.c
+++ b/programs/pluto/state.c
@@ -3155,27 +3155,40 @@ void ISAKMP_SA_established(const struct state *pst)
d = next;
}
- if (c->newest_isakmp_sa != SOS_NOBODY &&
- c->newest_isakmp_sa != pst->st_serialno) {
- struct state *old_p1 = state_by_serialno(c->newest_isakmp_sa);
+ /*
+ * This only affects IKEv2, since we don't store any
+ * received INITIAL_CONTACT for IKEv1.
+ * We don't do this on IKEv1, because it seems to
+ * confuse various third parties (Windows, Cisco VPN 300,
+ * and juniper
+ * likely because this would be called before the IPsec SA
+ * of QuickMode is installed, so the remote endpoints view
+ * this IKE SA still as the active one?
+ */
+ if (pst->st_seen_initialc) {
- DBG(DBG_CONTROL, DBG_log("deleting replaced IKE state for %s",
- old_p1->st_connection->name));
- old_p1->st_suppress_del_notify = TRUE;
- event_force(EVENT_SA_EXPIRE, old_p1);
- }
+ if (c->newest_isakmp_sa != SOS_NOBODY &&
+ c->newest_isakmp_sa != pst->st_serialno) {
+ struct state *old_p1 = state_by_serialno(c->newest_isakmp_sa);
- if (pst->st_seen_initialc && (c->newest_ipsec_sa != SOS_NOBODY))
- {
- struct state *old_p2 = state_by_serialno(c->newest_ipsec_sa);
- struct connection *d = old_p2 == NULL ? NULL : old_p2->st_connection;
+ DBG(DBG_CONTROL, DBG_log("deleting replaced IKE state for %s",
+ old_p1->st_connection->name));
+ old_p1->st_suppress_del_notify = TRUE;
+ event_force(EVENT_SA_EXPIRE, old_p1);
+ }
- if (c == d && same_id(&c->spd.that.id, &d->spd.that.id))
+ if (c->newest_ipsec_sa != SOS_NOBODY)
{
- DBG(DBG_CONTROL, DBG_log("Initial Contact received, deleting old state #%lu from connection '%s'",
- c->newest_ipsec_sa, c->name));
- old_p2->st_suppress_del_notify = TRUE;
- event_force(EVENT_SA_EXPIRE, old_p2);
+ struct state *old_p2 = state_by_serialno(c->newest_ipsec_sa);
+ struct connection *d = old_p2 == NULL ? NULL : old_p2->st_connection;
+
+ if (c == d && same_id(&c->spd.that.id, &d->spd.that.id))
+ {
+ DBG(DBG_CONTROL, DBG_log("Initial Contact received, deleting old state #%lu from connection '%s'",
+ c->newest_ipsec_sa, c->name));
+ old_p2->st_suppress_del_notify = TRUE;
+ event_force(EVENT_SA_EXPIRE, old_p2);
+ }
}
}

View File

@ -30,7 +30,7 @@ Name: libreswan
Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
# version is generated in the release script
Version: 3.25
Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}
Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}
License: GPLv2
Url: https://libreswan.org/
Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
@ -39,6 +39,9 @@ Source1: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
%endif
Patch1: libreswan-3.25-relax-delete.patch
Requires(post): bash coreutils systemd
Requires(preun): systemd
Requires(postun): systemd
@ -102,6 +105,7 @@ sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/pluto/ikev2-15-fuzzer/send_
sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/x509/dist_certs.py
# enable crypto-policies support
sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" programs/configs/ipsec.conf.in
%patch1 -p1
%build
%if 0%{with_efence}
@ -208,6 +212,9 @@ export NSS_DISABLE_HW_GCM=1
%{_libdir}/fipscheck/pluto.hmac
%changelog
* Mon Jul 02 2018 Paul Wouters <pwouters@redhat.com> - 3.25-2
- Relax deleting IKE SA's and IPsec SA's to avoid interop issues with third party VPN vendors
* Wed Jun 27 2018 Paul Wouters <pwouters@redhat.com> - 3.25-1
- Updated to 3.25