Re: [Users] Problems with selectors patch and automatic %hold eroutes

From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Tue Dec 31 2002 - 12:21:04 CET


I have just run a test on a productive connection, where I use subnets
different from 0.0.0.0/0:

ipsec auto --status shows the three connections for https, imaps and icmp
from my home subnet to a remote mail server.

000 "strongsec-zhw-mail-https":
160.85.106.0/28===80.218.56.160[sna@zhwin.ch]:6/0---80.218.56.1...
                    160.85.139.240[@pluto.zhwin.ch]:6/443===160.85.196.15/32

000 "strongsec-zhw-mail-imaps":
160.85.106.0/28===80.218.56.160[sna@zhwin.ch]:6/0---80.218.56.1...
                    160.85.139.240[@pluto.zhwin.ch]:6/993===160.85.196.15/32

000 "strongsec-zhw-mail-icmp":
160.85.106.0/28===80.218.56.160[sna@zhwin.ch]:1/0---80.218.56.1...
                    160.85.139.240[@pluto.zhwin.ch]:1/0===160.85.196.15/32

ipsec eroute shows the corresponding outbound eroutes

3 160.85.106.0/28:0 -> 160.85.196.15/32:0 => tun0x125c@160.85.139.240:1
0 160.85.106.0/28:0 -> 160.85.196.15/32:443 => tun0x1262@160.85.139.240:6
2 160.85.106.0/28:0 -> 160.85.196.15/32:993 => tun0x1266@160.85.139.240:6

When I shut down the imaps connection using

   ipsec auto --down strongsec-zhw-mail-imaps

a trap is set up for this IPsec SA

0 160.85.106.0/28:0 -> 160.85.196.15/32:993 => %trap:6

The log correctly shows

: "strongsec-zhw-mail-imaps" #383: deleting state (STATE_QUICK_I2)
: "strongsec-zhw-mail-imaps" #364: deleting state (STATE_QUICK_I2)

When I try to fetch mail from my IMAP account, FreeS/WAN automatically
tries to set up the connection again. Unfortunately the %hold eroute cannot
be deleted. The log shows

: ERROR: pfkey write() of SADB_X_DELFLOW message 3034 for flow %hold failed.
   Errno 14: Bad address

I will send you the same error message with debugging switch on.

It is also strange that the https connection definition gets triggered
instead of the imaps one. I suspect a bug in the selection of the
appropriate IPsec SA!

: "strongsec-zhw-mail-https" #386: initiating Quick Mode
                                           RSASIG+ENCRYPT+TUNNEL+PFS
: "strongsec-zhw-mail-https" #386: sent QI2, IPsec SA established

What remains is the %hold eroute which in this case is not a narrow
one but just the %trap converted into a %hold.

5 160.85.106.0/28:0 -> 160.85.196.15/32:993 => %hold:6

ipsec auto --status also shows a bare_shunt

000 160.85.106.4/32 -> 160.85.196.15/32 => %hold

which does not get deleted when I start up the imaps connection manually

   ipsec auto --up strongsec-zhw-mail-imaps

Everything is now okay again, but with time the dead bare_shunts accumulate
and are never deleted.

Regards

Andreas

Stephen J. Bevan wrote:
> Andreas Steffen writes:
> > I have run into some serious problems with the selectors patch and %hold
> > eroutes that are automatically set up and don't get deleted correctly
> > when the matching "broad" IPsec SA comes up.
>
> Have you narrowed down what "broad" means? Clearly there is a problem
> with using 0.0.0.0/0 as an address. Is there also a problem with
> dangling %hold eroutes with other addresses? For example is it
> failing when any other subnet is used?

======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
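The accumulating dead bare shunts that Andreas describes are easy to miss because "ipsec auto --status" keeps listing them long after the matching tunnel is up. The script below is an added example (not FreeS/WAN code, and not from this thread's authors) that parses the "ipsec eroute" table and the bare_shunt lines of "ipsec auto --status" in the formats quoted above, and reports every %hold bare shunt whose host pair is already carried by an established tun0x eroute while no %hold eroute is still pending for it. The sample inputs are constructed from the addresses in the mail; the line formats are assumed from the output quoted above.

```python
"""Report dead %hold bare shunts left behind after an IPsec SA is re-established.

Added example, not FreeS/WAN code. Parses `ipsec eroute` output and the
bare_shunt lines of `ipsec auto --status` (line formats assumed from the
output quoted in the mail) and flags %hold shunts that are stale.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# `ipsec eroute` line:  <count> <src>:<sport> -> <dst>:<dport> => <target>[:<proto>]
EROUTE_RE = re.compile(
    r"^(?P<count>\d+)\s+(?P<src>\S+?):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\S+?):(?P<dport>\d+)\s+=>\s+(?P<target>\S+?)(?::(?P<proto>\d+))?$"
)
# `ipsec auto --status` bare_shunt line:  000 <src> -> <dst> => %hold
SHUNT_RE = re.compile(r"^000\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+=>\s+(?P<target>%\w+)$")

# Constructed sample: the eroute table while the imaps SA is still being
# renegotiated (the automatic %hold for port 993 is present).
SAMPLE_EROUTE_BEFORE = """\
3 160.85.106.0/28:0 -> 160.85.196.15/32:0 => tun0x125c@160.85.139.240:1
0 160.85.106.0/28:0 -> 160.85.196.15/32:443 => tun0x1262@160.85.139.240:6
5 160.85.106.0/28:0 -> 160.85.196.15/32:993 => %hold:6
"""
# Constructed sample: the table after `ipsec auto --up strongsec-zhw-mail-imaps`.
SAMPLE_EROUTE_AFTER = """\
3 160.85.106.0/28:0 -> 160.85.196.15/32:0 => tun0x125c@160.85.139.240:1
0 160.85.106.0/28:0 -> 160.85.196.15/32:443 => tun0x1262@160.85.139.240:6
2 160.85.106.0/28:0 -> 160.85.196.15/32:993 => tun0x1266@160.85.139.240:6
"""
# Constructed sample: the bare_shunt that `ipsec auto --status` keeps showing.
SAMPLE_STATUS = """\
000 "strongsec-zhw-mail-imaps":
000 160.85.106.4/32 -> 160.85.196.15/32 => %hold
"""


@dataclass
class Eroute:
    count: int
    src: ipaddress.IPv4Network
    sport: int
    dst: ipaddress.IPv4Network
    dport: int
    target: str   # e.g. "tun0x1266@160.85.139.240", "%hold", "%trap"
    proto: int    # 0 means any protocol


@dataclass
class BareShunt:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    target: str


def parse_eroutes(text: str) -> List[Eroute]:
    """Parse every line of `ipsec eroute` output that matches EROUTE_RE."""
    out = []
    for line in text.splitlines():
        m = EROUTE_RE.match(line.strip())
        if m:
            out.append(Eroute(int(m["count"]), ipaddress.ip_network(m["src"]), int(m["sport"]),
                              ipaddress.ip_network(m["dst"]), int(m["dport"]),
                              m["target"], int(m["proto"] or 0)))
    return out


def parse_bare_shunts(text: str) -> List[BareShunt]:
    """Pick the bare_shunt lines out of `ipsec auto --status` output."""
    out = []
    for line in text.splitlines():
        m = SHUNT_RE.match(line.strip())
        if m:
            out.append(BareShunt(ipaddress.ip_network(m["src"]),
                                 ipaddress.ip_network(m["dst"]), m["target"]))
    return out


def is_tunnel(e: Eroute) -> bool:
    return e.target.startswith("tun0x")


def covers(e: Eroute, s: BareShunt) -> bool:
    """True when the eroute's selectors contain the shunt's source and destination."""
    return s.src.subnet_of(e.src) and s.dst.subnet_of(e.dst)


def stale_hold_shunts(eroute_text: str, status_text: str) -> List[BareShunt]:
    """A %hold bare shunt is stale when an established tunnel already carries its
    host pair and no %hold eroute (an SA still being negotiated) remains for it."""
    eroutes = parse_eroutes(eroute_text)
    stale = []
    for s in parse_bare_shunts(status_text):
        if s.target != "%hold":
            continue
        tunnelled = any(is_tunnel(e) and covers(e, s) for e in eroutes)
        pending = any(e.target == "%hold" and covers(e, s) for e in eroutes)
        if tunnelled and not pending:
            stale.append(s)
    return stale


if __name__ == "__main__":
    for s in stale_hold_shunts(SAMPLE_EROUTE_AFTER, SAMPLE_STATUS):
        print(f"stale bare shunt: {s.src} -> {s.dst} => {s.target}")
```

On a live gateway the two sample strings would be replaced by the captured output of the two commands; running the check periodically and graphing the count of stale shunts makes the slow leak Andreas reports visible before it becomes a long list.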

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users

This archive was generated by hypermail 2.1.5 : Wed Jan 01 2003 - 05:21:05 CET