
Re: isakmpd: phase-1 SA hangs around after DELETE received ... clients on a dial up - line down/up then reconnect fail...



thanks Hakan for the suggestion:

	* the report from kill -USR1 to isakmpd does not produce timing values?
	  it does however have a few: "Default util_ntoa: could not make printable
	  address out of sockaddr 0xbfbff89c"
	  is this a clue?

	* the SA number (the hex number as shown by sa_report) is unchanged, the spi
	  is the same.

	* monitoring the messages going to pf_key shows no new policy sa (spd)
	  being created when a new connection is attempted.
	  (this is monitored with setkey -x on freebsd)
	  as expected, querying the kernel shows all spd and sad clear and unchanged,
	  as the received DELETE does successfully clear them out.

	* i notice that PGPNet sends two separate DELETEs on "disconnect"... one
	  for phase 2, one for phase 1?
	  i tried adding this to the source but with no success (by undoing the
	  phase2-only check and adding a new sa_delete in isakmpd). i tried in both
	  orders: phase1 then 2, phase2 then 1.


ps - this is my first time doing debugging at this sort of level - it's great
fun! ;)

tariq


-----Original Message-----
From: owner-tech@openbsd.org [mailto:owner-tech@openbsd.org]On Behalf Of
Hakan Olsson
Sent: 09 January 2002 11:43
To: Tariq Rashid
Cc: tech@openbsd.org
Subject: Re: isakmpd: phase-1 SA hangs around after DELETE received ...
clients on a dial up - line down/up then reconnect fail...


...
> why on earth is the SA phase-1 hanging around.... it does NOT happen with
> PGPNet 7.03 (connecting via aggressive mode, ufqd, acquire virtual id)...

Check the timeout values for that phase-1 SA, either later on in the
report, or via the debug output, and calculate back when it was generated.
I.e., is it a brand new phase-1 SA with the same data, or the old one still
hanging around?

/H

--
Håkan Olsson <ho@crt.se>        (+46) 708 437 337     Carlstedt Research
Unix, Networking, Security      (+46) 31 701 4264        & Technology AB

intY has automatically scanned this email with Sophos Anti-Virus
(www.inty.net)
