Review and proposed changes to sa-expire#2
Closed
paulwouters wants to merge 238 commits into antonyantony:sa-expire from paulwouters:sa-expire-2022-01-06
paulwouters commented Jan 7, 2022
- Fixes to not core dump IKEv1
- Consistently name option related to max values
- Split ipsec status line in ike and ipsec related options (also cuts overlong line in two)
- Add man page
- Fix failsafe_logger -> global_logger
- Pull up to main from yesterday
Wrap faccessat2 in #if SCMP_SYS(faccessat2) more libreswan#567
Wrap clone3 in #if SCMP_SYS(clone3) more libreswan#567
A regression from eliminating the reboot pool caused the per-test debug.log to contain output from multiple tests. This stops that, but also looses some of the debug output.
- in both cases use a queue of tests to run
This replaces: "testing: sanitize away the /0xffff added by f35, as in output-mark 0x4000/0xffff"
this way pexpect can provide virt-install with the PTY it so desires fixes libreswan#502
- delete f32.* files - move ubuntubase.ks to testing/libvirt/ubuntu
indexed sa_type_ike_version_names[sa_type][ike_version]
and add/use ike_version_{parent,child}_sa_names
Is "...; {ISAKMP,IKE}#N;" better? Decide after dust settles.
confusingly redundant, for instance: established IKE SA; ...; newest ISAKMP; ...
et.al. big hint of what is in the file to editors
(don't assume network has been configured)
consistent with the BSD domains
like for build and bsd domains Merge commit '39e9d5f2cfb78888371e2bc5138dc447df46d607'
(no redundant qualifier)
some IKEv[12] speak; and drop redundant info Merge commit 'ada2e8f92591b7799b73c0013c0a9f8d3c41deef'
hopefully in chronological order really need a jam_deltatime_human() function
Add SA max_bytes and max_packets support. Set soft and hard expire in the xfrm SA. When the kernel sends a soft expire message, rekey the connection. When there is a hard expire, delete the related state and Child SA. Co-developed-by: Paul Wouters <paul.wouters@aiven.io>
Add support for XFRM_MSG_EXPIRE message, soft and hard expire. Co-developed-by: Paul Wouters <paul.wouters@aiven.io>
Delete "!" trickery for Kilo. It is not used anymore. It was used for AH and IPcomp, both are corner cases. Add support for printing KiB, GiB, TiB, PiB, EiB ISO/IEC 8000 standard Binary Prefix. Use 16E for 2^64
get_sa_info on an expired (hard) SA would fail. Shortcut that! Also when the traffic is symmetric, both SAs could expire one after the other. While processing the first hard expire the second one has already expired in the kernel, and a netlink message is queued for pluto to read. In this case get_sa_info() on the second xfrm SA could generate an error; in real life this is unlikely, because traffic is not likely to be symmetric? IKE delete messages could also cross over. Both ends could send delete messages? Margin + fuzzing gives priority to the initiator to expire first.
A hard expired SA is already gone. Do not send a delete request to the kernel for this xfrm SA. When the traffic is symmetric, both SAs will expire one after the other. While processing the first hard expired SA the second one has already expired in the kernel, and a netlink message is queued for pluto. It is likely a corner case in real life, because traffic will not be symmetric.
Refactor and one minor change to add_time update. add_time should not change. Only update when pluto recorded add_time is zero. When it is not non zero call pexpect.
sa_role is really IKEv2 only.
Similar to sa_ipsec_life_seconds / sa_ike_life_seconds We do want to configure maximums for IKE later as well, as that is a FIPS requirement.
split ipsec from ike into two separate lines.
antonyantony added a commit that referenced this pull request on Jul 4, 2022
ipsec trafficstatus
006 #2: "westnet-eastnet-ipv4-psk-ikev2", type=ESP, add_time=1656934549, inBytes=420, outBytes=1092, maxBytes=16EiB, id='@east'
==== tuc ====
006 #2: "westnet-eastnet-ipv4-psk-ikev2", type=ESP, add_time=1656934549, inBytes=XXX , outBytes=XXX , maxBytes=16EiB, id='@east'
When there is some loss, as expected, the "ipsec trafficstatus" output would change and cause the test to fail, so use this one in those cases. It expects non-zero traffic.
antonyantony pushed a commit that referenced this pull request on Nov 16, 2023
Problem #1: kvmsh.py misinterprets nsrun's output
<<gmake nsrun>>'s output includes prompt text which kvmsh.py interprets as the command finishing. Just log in and run manually.
Problem #2: pluto doesn't start
+ exec /usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --leak-detective
+ exit 2
which is apparently PLUTO_EXIT_SOCKET_FAIL
antonyantony pushed a commit that referenced this pull request on Nov 16, 2023
so it ignores debug lines
antonyantony pushed a commit that referenced this pull request on Feb 24, 2024
An UNROUTED connection (i.e., no Child SA) can
still have an IKE SA, just as long as that IKE SA
matches what is negotiating the connection?
For instance:
up cuckold -- #1, #2
up cuckoo -- libreswan#3 (uses #1)
down cuckold -- only deletes #2, #1 is in use
followed by:
up cuckold
will initiate the connection cuckold with IKE SA
still set to #1.
antonyantony pushed a commit that referenced this pull request on Feb 24, 2024
This reverts commit 8116a49. It gets the error: ERROR: "westnet-eastnet-ikev2" #2: netlink response for Add SA esp.ea625bf@192.1.2.45: Invalid argument (errno 22) when installing the outbound SA on east and then that cascades leading to if(debug)passert(). See libreswan#1507 and libreswan#1508
antonyantony pushed a commit that referenced this pull request on Feb 24, 2024
Don't log/whack:
"test" #1: initiator established IKE SA; authenticated peer using authby=secret and ID_IPV4_ADDR '10.0.1.1'
"test" #2: kernel_xfrm_policy_add() adding offload via interface ens8191f0np0 for IPsec policy, type: Packet
"test" #2: kernel_xfrm_policy_add() adding offload via interface ens8191f0np0 for IPsec policy, type: Packet
"test" #2: initiator established Child SA using #1; IPsec transport [10.0.1.2/32===10.0.1.1/32] {ESP/ESN=>0xd58a3176 <0x13602000 xfrm=AES_GCM_16_128-NONE DPD=passive}
Instead:
"test" libreswan#5: initiator established IKE SA; authenticated peer using authby=secret and ID_IPV4_ADDR '10.0.1.1'
"test" libreswan#6: initiator established Child SA using libreswan#5; IPsec transport [10.0.1.2/32===10.0.1.1/32] {ESP/ESN=>0xe93b3bb9 <0xc212f708 xfrm=AES_GCM_16_128-NONE esp-hw-offload=packet DPD=passive}
Also show this in trafficstatus: Since the new output appears as part of the ESP string before the existing comma, this shouldn't break people parsing this output.
We don't yet remember the crypto in a state variable, so unfortunately this uses c->iface->nic_offload with c->config->nic_offload to determine crypto state. This should really get moved to somewhere in struct state.
No output changes when no esp-hw-offload= offload is used.
The kernel_xfrm_policy_add() log lines were changed to debug lines.
(side note: ipsec_doi.c is badly named and its code should move elsewhere)
antonyantony pushed a commit that referenced this pull request on May 23, 2024
For instance, replacing:
#1: deleting established Child SA using IKE SA #2
with:
#1: sending INFORMATIONAL request to delete stablished Child SA using IKE SA #2
- sending: because the delete only happens later
- INFORMATIONAL: what tcpdump will, presumably, show
- request vs response
- using: clear which SA carries the message
antonyantony pushed a commit that referenced this pull request on May 23, 2024
Don't expect: "west-east" #2: unroute-host output: Device "NULL" does not exist.
antonyantony pushed a commit that referenced this pull request on Feb 17, 2025
close libreswan#1912 terminal.js things #2 ... is a comment
antonyantony pushed a commit that referenced this pull request on Feb 17, 2025
close libreswan#2007 clarify "tun-out-1" #1: suppressing retransmit because IKE SA was superseded #2; drop this negotiation