
Re: [Users] Connections not Deleted?

From: Andreas Steffen (andreas.steffen_at_strongsec.com)
Date: Tue Apr 16 2002 - 17:59:02 CEST


FreeS/WAN still ignores Delete Notification messages. Therefore
down-client is not called immediately.

D. Hugh Redelmeier from the FreeS/WAN team has presented a concept
on how to handle Delete Notifications at the beginning of April
but I don't know how far he is into actual implementation.

Regards

Andreas

Matthew Benjamin wrote:
>
> Freeswan folk (Andreas?),
>
> We're working with Freeswan 1.97 + X.509 certificates 0.9.10, with
> client of W2K, with great success.
>
> At this point, we're interested in tracking activity, and I've noticed some
> odd behavior.
>
> For each peer, Freeswan sets up the appropriate SA. Also, we've noticed
> that [right/left]updown does get triggered with prepare-client,
> up-client, and route-client.
>
> However, if we delete an SA from the Windows side, Freeswan seems to get
> confused. A new SA seems to be being created on the Freeswan side when
> it should be being deleted, and further, down-client is never called.
>
> Here's a simple log snippet:
>
> Apr 16 11:02:25 monkius Pluto[14812]: "rw" 211.10.50.60 #3: responding
> to Main Mode from unknown peer 211.10.50.60
> Apr 16 11:02:25 monkius Pluto[14812]: "rw" 211.10.50.60 #3: Peer ID is
> ID_DER_ASN1_DN: 'C=US, ST=Michigan, O=Linux Box Corp, OU=Itech,
> CN=aa3.linuxbox.nu, E=info_at_linuxbox.nu'
> Apr 16 11:02:25 monkius Pluto[14812]: "rw" 211.10.50.60 #3: Next CRL
> update was expected on Jan 26 11:31:22 UTC 2002
> Apr 16 11:02:25 monkius Pluto[14812]: "rw" 211.10.50.60 #3: Next CRL
> update was expected on Jan 26 11:31:22 UTC 2002
> Apr 16 11:02:25 monkius Pluto[14812]: "rw" 211.10.50.60 #3: sent MR3,
> ISAKMP SA established
> Apr 16 11:02:25 monkius Pluto[14812]: "rw" 211.10.50.60 #4: responding
> to Quick Mode
> Apr 16 11:02:25 monkius Pluto[14812]: "rw" 211.10.50.60 #4: IPsec SA
> established
> Apr 16 11:03:22 monkius Pluto[14812]: "rw" 211.10.50.60 #3: ignoring
> Delete SA payload
> Apr 16 11:03:22 monkius Pluto[14812]: "rw" 211.10.50.60 #3: received and
> ignored informational message
> Apr 16 11:03:22 monkius Pluto[14812]: "rw" 211.10.50.60 #3: ignoring
> Delete SA payload
> Apr 16 11:03:22 monkius Pluto[14812]: "rw" 211.10.50.60 #3: received and
> ignored informational message
>
> The last part of the log snippet is what Freeswan is doing with the
> peer's attempt to shut down...
>
> In W2K setup terms, what we have done is "un-assign" the Ipsec policy.
> I'm doubtful we could be initiating a new SA...
>
> Matt
>
> --
>
> Matt Benjamin
>
> The Linux Box
> 206 South Fifth Ave. Suite 150
> Ann Arbor, MI 48104
>
> tel. 734-761-4689
> fax. 734-769-8938
> cel. 734-216-5309
> pgr. 734-431-0118

======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
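Added example, not part of either message and not FreeS/WAN code: because Pluto here logs and ignores Delete SA payloads, a scan of the Pluto log can list the peers that sent a Delete while an IPsec SA was recorded as established, which are the cases where down-client was not called. The function name is hypothetical and the sample lines are constructed in the format of the quoted log, one event per line as in the syslog file.

```python
import re
from collections import defaultdict

# Pluto line layout as seen in the quoted log (unwrapped, one event per line):
#   <date> <host> Pluto[pid]: "<conn>" <peer-ip> #<state>: <message>
LINE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ Pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$'
)

def ignored_deletes(lines):
    """Return {(conn, peer): info} for peers whose Delete SA payload was
    ignored while at least one IPsec SA was logged as established."""
    ipsec = defaultdict(set)   # (conn, peer) -> state numbers of IPsec SAs
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue           # not a per-connection Pluto line
        key = (m["conn"], m["peer"])
        msg = m["msg"]
        if msg.startswith("IPsec SA established"):
            ipsec[key].add(int(m["state"]))
        elif msg.startswith("ignoring Delete SA payload") and ipsec[key]:
            # The Delete is logged under the ISAKMP state (#3 in the post),
            # not the IPsec state (#4), so correlate on conn + peer address.
            info = flagged.setdefault(key, {
                "first_seen": m["ts"],
                "deletes": 0,
                "ipsec_states": sorted(ipsec[key]),
            })
            info["deletes"] += 1
    return flagged

# Constructed sample lines (documentation addresses, made-up host and pid).
SAMPLE = [
    'Apr 16 11:02:25 gw Pluto[100]: "rw" 192.0.2.10 #1: sent MR3, ISAKMP SA established',
    'Apr 16 11:02:25 gw Pluto[100]: "rw" 192.0.2.10 #2: IPsec SA established',
    'Apr 16 11:02:40 gw Pluto[100]: "rw" 198.51.100.7 #3: sent MR3, ISAKMP SA established',
    'Apr 16 11:02:41 gw Pluto[100]: "rw" 198.51.100.7 #4: IPsec SA established',
    'Apr 16 11:03:22 gw Pluto[100]: "rw" 192.0.2.10 #1: ignoring Delete SA payload',
    'Apr 16 11:03:22 gw Pluto[100]: "rw" 192.0.2.10 #1: ignoring Delete SA payload',
]

if __name__ == "__main__":
    for (conn, peer), info in ignored_deletes(SAMPLE).items():
        print(f'{info["first_seen"]} "{conn}" {peer}: {info["deletes"]} Delete(s) '
              f'ignored, IPsec SA state(s) {info["ipsec_states"]} not torn down')
```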



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:52 CEST