Tobias Brunner <tob...@strongswan.org> writes:

> Hi,
>
>> Please enable the ‘duplicheck’ plugin. This plugin is a more
>> specialized form of the ‘uniqueids’ feature for detecting duplicate
>> identities. This plugin is marked as stable according to the
>> PluginList¹ wiki and doesn't require any additional build
>> dependencies.
>
> I'm not sure if it's a good idea to enable this plugin. As Gerald
> says it is a very specialized check for duplicate SAs. Well, perhaps
> not the check itself, but certainly the behavior once a duplicate is
> found.
>
> The problem is that if a duplicate is detected by this plugin, if the
> old IKE_SA is still alive, you'll end up with no SA at all.

Yes, I've run into that myself. At one time I had a roadwarrior setup
where a host had separate IPv4 tunnel and IPv6 transport connections
using the same X.509 identity. Bringing up the second connection would
tear down both.

Actually it's trouble with this particular host that got me believing
duplicheck was helping in the first place. Over time I was seeing lots
of duplicate SAs and also hung routed connections. Sifting through
tcpdumps I found many cases of dropped packets. The host is using an
AYIYA tunnel with an MTU of 1428 while the other endpoint is using 6in4
with an MTU of 1480. It looks like there's a timing problem with
rekeying versus cached Path MTU discovery expiring. Lately the tunnels
are working well enough, except I still experience hiccups with
interactive ssh sessions; gut feeling is it's PMTU.

Anyway, I feel like I'm cargo-culting. Best leave this plugin disabled
in the Debian package.

> I guess that's not what most users expect. This problem gets worse
> because the plugin is enabled by default:
>
>> You may want to add charon.plugins.duplicheck.enable = no to
>> strongswan.conf since this plugin is enabled by default.
>
> This is reasonable but will not help users that upgrade an existing
> installation for which they already have created a strongswan.conf
> file.
>
> Granted, enabling plugins like these by default (there are others that
> are enabled when loaded) was not a very good idea. In particular
> because we still have no decent way yet to enable/disable plugins in a
> more dynamic fashion (something like Apache's a2enmod perhaps). It
> would be great if there was a way to ship all plugins but let users
> enable them on demand (charon.load does not work very well for this).
>
> We actually considered just changing the defaults for the .enable
> options of all plugins to "no" with 5.1.0, which at least would allow
> shipping all plugins. But it would also require many users to update
> their strongswan.conf and enable plugins manually after upgrading.
> Not sure if that's any better. What is the package maintainer's point
> of view on this?

FWIW (a user's perspective), it'd be great to enable most plugins by
default in upstream; I believe duplicheck is the only one that needs
strongswan.conf intervention. I went nuts and ./configured everything
except libsoup (falsely thinking that's the “Debian Way”) when I
initially contacted Yves-Alexis and Rene, and other than additional
debug noise about unconfigured plugins failing to load, no problem has
arisen. However I'm not using EAP or TPM features at all.

00[CFG] attr-sql plugin: database URI not set
00[LIB] plugin 'attr-sql': failed to load - attr_sql_plugin_create returned NULL
00[CFG] sql plugin: database URI not set
00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
00[CFG] mediation database URI not defined, skipped
00[LIB] plugin 'medsrv': failed to load - medsrv_plugin_create returned NULL
00[CFG] mediation client database URI not defined, skipped
00[LIB] plugin 'medcli': failed to load - medcli_plugin_create returned NULL
00[CFG] HA config misses local/remote address
00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
00[CFG] no threshold configured for systime-fix, disabled
00[CFG] coupling file path unspecified
00[LIB] plugin 'coupling': failed to load - coupling_plugin_create returned NULL
00[DMN] loaded plugins: charon test-vectors curl unbound ldap mysql sqlite pkcs11 aes sha1 sha2 md5 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey ipseckey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default farp stroke smp updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-pdp tnc-imc tnc-imv tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire systime-fix led duplicheck radattr addrblock unity

-- 
Gerald Turner
Email: gtur...@unzane.com  JID: gtur...@unzane.com
GPG: 0xFA8CD6D5  21D9 B2E8 7FE7 F19E 5F7D 4D0C 3FA0 810F FA8C D6D5
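The startup output quoted in the message above gives a packager or admin two things to check quickly: which compiled-in plugins refused to load (and the [CFG] line that explains why), and whether a plugin such as duplicheck, which the thread says is enabled by default once loaded, is in the running set. The script below is an added example, not strongSwan code and not part of the original message. It parses a constructed sample trimmed from the log lines above; the `NN[GROUP] message` prefix format is assumed from those lines, the default watch list contains only duplicheck because that is the plugin the thread names, and the rendered strongswan.conf stanza is the nested-section form of the `charon.plugins.duplicheck.enable = no` setting quoted in the thread.

```python
import re
from typing import Dict, List, NamedTuple, Sequence

# Constructed sample: a trimmed copy of the charon startup output quoted in the thread.
# The "NN[GROUP] message" prefix format is assumed from those lines.
SAMPLE_LOG = """\
00[CFG] attr-sql plugin: database URI not set
00[LIB] plugin 'attr-sql': failed to load - attr_sql_plugin_create returned NULL
00[CFG] sql plugin: database URI not set
00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
00[CFG] HA config misses local/remote address
00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
00[CFG] no threshold configured for systime-fix, disabled
00[CFG] coupling file path unspecified
00[LIB] plugin 'coupling': failed to load - coupling_plugin_create returned NULL
00[DMN] loaded plugins: charon aes sha1 sha2 hmac x509 pem openssl gmp kernel-netlink socket-default stroke updown systime-fix duplicheck
"""

LINE_RE = re.compile(r"^\s*(?P<tid>\d+)\[(?P<group>[A-Z]+)\]\s+(?P<msg>.*)$")
FAILED_RE = re.compile(r"^plugin '(?P<name>[^']+)': failed to load - (?P<why>.+)$")
LOADED_RE = re.compile(r"^loaded plugins:\s*(?P<names>.+)$")


class PluginReport(NamedTuple):
    loaded: List[str]            # names from the [DMN] "loaded plugins:" line, in order
    failed: Dict[str, str]       # plugin -> reason given on its [LIB] line
    explained: Dict[str, str]    # plugin -> the [CFG] message logged just before the failure


def parse_charon_startup(text: str) -> PluginReport:
    """Pull the plugin load outcome out of charon's startup log."""
    loaded: List[str] = []
    failed: Dict[str, str] = {}
    explained: Dict[str, str] = {}
    last_cfg = None  # in the quoted log the [CFG] explanation precedes the [LIB] failure
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        group, msg = m.group("group"), m.group("msg")
        if group == "CFG":
            last_cfg = msg
        elif group == "LIB":
            f = FAILED_RE.match(msg)
            if f:
                name = f.group("name")
                failed[name] = f.group("why")
                if last_cfg is not None:
                    explained[name] = last_cfg
            last_cfg = None
        elif group == "DMN":
            l = LOADED_RE.match(msg)
            if l:
                loaded = l.group("names").split()
    return PluginReport(loaded, failed, explained)


def active_by_default(report: PluginReport,
                      watch: Sequence[str] = ("duplicheck",)) -> List[str]:
    """Plugins from `watch` that loaded and therefore, as the thread states for
    duplicheck, are active unless strongswan.conf turns them off. Only duplicheck
    is named in the thread; extend `watch` with others you know of."""
    return [p for p in watch if p in report.loaded]


def disable_stanza(plugins: Sequence[str]) -> str:
    """Render the strongswan.conf section equivalent to charon.plugins.<name>.enable = no."""
    body = "".join(f"        {p} {{\n            enable = no\n        }}\n" for p in plugins)
    return "charon {\n    plugins {\n" + body + "    }\n}\n"


if __name__ == "__main__":
    rep = parse_charon_startup(SAMPLE_LOG)
    for name, why in rep.failed.items():
        print(f"not loaded: {name:<10} {why}  [{rep.explained.get(name, 'no [CFG] hint')}]")
    need_off = active_by_default(rep)
    if need_off:
        print("\nloaded and enabled by default; to disable, add to strongswan.conf:\n")
        print(disable_stanza(need_off))
```

Run against a real `/var/log/daemon.log` or `journalctl -u strongswan` capture by feeding the text to `parse_charon_startup`; the "failed to load" entries are the debug noise the message refers to, while anything returned by `active_by_default` is what still needs an explicit `enable = no`.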