On Thu, 15 Dec 2005, David S. Miller wrote:
From: "David S. Miller" <[EMAIL PROTECTED]>
Date: Thu, 15 Dec 2005 17:52:54 -0800 (PST)
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 7cf48aa..25dd8f4 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
Sorry, that patch was incomplete, please try this one instead:
It does not work. :(
192.168.0.7 - Linux
192.168.0.24 - Cisco
Tested it by running ping directly from Linux IPSec gateway:
17:31:22.830181 IP 192.168.0.7 > 192.168.0.24: ESP(spi=0x4ca5896a,seq=0x57)
17:31:22.834761 IP 192.168.0.24 > 192.168.0.7: ESP(spi=0x0a91a2ae,seq=0x57)
17:31:23.830997 IP 192.168.0.7 > 192.168.0.24: ESP(spi=0x4ca5896a,seq=0x58)
17:31:23.835811 IP 192.168.0.24 > 192.168.0.7: ESP(spi=0x0a91a2ae,seq=0x58)
17:31:24.831855 IP 192.168.0.7 > 192.168.0.24: ESP(spi=0x4ca5896a,seq=0x59)
17:31:24.836430 IP 192.168.0.24 > 192.168.0.7: ESP(spi=0x0a91a2ae,seq=0x59)
17:31:25.832692 IP 192.168.0.7 > 192.168.0.24: ESP(spi=0x4ca5896a,seq=0x5a)
17:31:25.837190 IP 192.168.0.24 > 192.168.0.7: ESP(spi=0x0a91a2ae,seq=0x5a)
New IPsec-SA was negotiated:
Dec 18 17:31:26 chochlik racoon: INFO: respond new phase 2 negotiation:
192.168.0.7[0]<=>192.168.0.24[0]
Dec 18 17:31:26 chochlik racoon: INFO: IPsec-SA established: ESP/Tunnel
192.168.0.24[0]->192.168.0.7[0] spi=132988380(0x7ed3ddc)
Dec 18 17:31:26 chochlik racoon: INFO: IPsec-SA established: ESP/Tunnel
192.168.0.7[0]->192.168.0.24[0] spi=1929290090(0x72fea16a)
Cisco switched to the new SA immediately:
17:31:26.833579 IP 192.168.0.7 > 192.168.0.24: ESP(spi=0x4ca5896a,seq=0x5b)
17:31:26.838184 IP 192.168.0.24 > 192.168.0.7: ESP(spi=0x07ed3ddc,seq=0x1)
17:31:27.834389 IP 192.168.0.7 > 192.168.0.24: ESP(spi=0x4ca5896a,seq=0x5c)
17:31:27.839044 IP 192.168.0.24 > 192.168.0.7: ESP(spi=0x07ed3ddc,seq=0x2)
17:31:28.835245 IP 192.168.0.7 > 192.168.0.24: ESP(spi=0x4ca5896a,seq=0x5d)
17:31:28.839843 IP 192.168.0.24 > 192.168.0.7: ESP(spi=0x07ed3ddc,seq=0x3)
17:31:29.836088 IP 192.168.0.7 > 192.168.0.24: ESP(spi=0x4ca5896a,seq=0x5e)
17:31:29.840708 IP 192.168.0.24 > 192.168.0.7: ESP(spi=0x07ed3ddc,seq=0x4)
Executed "ip route flush cache"; Linux switched to the new SA:
17:31:30.837009 IP 192.168.0.7 > 192.168.0.24: ESP(spi=0x72fea16a,seq=0x1)
17:31:30.841616 IP 192.168.0.24 > 192.168.0.7: ESP(spi=0x07ed3ddc,seq=0x5)
17:31:31.837779 IP 192.168.0.7 > 192.168.0.24: ESP(spi=0x72fea16a,seq=0x2)
17:31:31.842349 IP 192.168.0.24 > 192.168.0.7: ESP(spi=0x07ed3ddc,seq=0x6)
17:31:32.838647 IP 192.168.0.7 > 192.168.0.24: ESP(spi=0x72fea16a,seq=0x3)
17:31:32.843224 IP 192.168.0.24 > 192.168.0.7: ESP(spi=0x07ed3ddc,seq=0x7)
17:31:33.839475 IP 192.168.0.7 > 192.168.0.24: ESP(spi=0x72fea16a,seq=0x4)
17:31:33.985697 IP 192.168.0.24 > 192.168.0.7: ESP(spi=0x07ed3ddc,seq=0x8)
(...)
I also added two printks to check if schedule_work is executed:
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 7cf48aa..f255e97 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -431,6 +431,9 @@ void xfrm_state_insert(struct xfrm_state
spin_lock_bh(&xfrm_state_lock);
__xfrm_state_insert(x);
spin_unlock_bh(&xfrm_state_lock);
+
+ printk("Ole #1\n");
+ xfrm_state_gc_flush_bundles = 1;
+ schedule_work(&xfrm_state_gc_work);
}
EXPORT_SYMBOL(xfrm_state_insert);
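Review bot: in xfrm_state_insert() the write xfrm_state_gc_flush_bundles = 1 comes after spin_unlock_bh(&xfrm_state_lock), so the flag is set outside the lock that guards the insert. Please say in a comment why an unlocked write is safe against the work handler that consumes it. The printk("Ole #1\n") has no log level; give it KERN_DEBUG while testing and drop it afterwards. The flag-plus-schedule_work() pair is repeated in the next hunk and would read better as one small helper.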
@@ -478,6 +481,11 @@ out:
spin_unlock_bh(&xfrm_state_lock);
xfrm_state_put_afinfo(afinfo);
+ if (err == 0) {
+ printk("Ole #2\n");
+ xfrm_state_gc_flush_bundles = 1;
+ schedule_work(&xfrm_state_gc_work);
+ }
+
if (x1) {
xfrm_state_delete(x1);
xfrm_state_put(x1);
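Review bot: in the err == 0 branch the printk("Ole #2\n") runs before schedule_work(&xfrm_state_gc_work), so seeing it in the log shows only that the branch was reached, not that the work ran or that any bundle was flushed. For this test, log the return value of schedule_work() and put a trace in the work handler itself. The request is also queued ahead of the if (x1) block that deletes the replaced state; consider queueing it after that block so the flush is requested once the old state is gone.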
At 17:31:26 the kernel executed the one from xfrm_state_add() (Ole #2) but it
didn't help. :(
Sorry it took me so long, but now I have everything ready so I can run
more tests.
Best regards,
Krzysztof Olędzki
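
The following is an added example, not part of the original message or of the kernel patch: a small Python parser for tcpdump ESP lines like those in the capture above, reporting when each direction changes SPI and how long one peer keeps sending on the old SA after the other has switched. The function names are hypothetical; the sample lines are a subset copied from the capture in this message.

```python
import re
from datetime import datetime

# A few lines copied from the capture in the message above (not the full trace).
CAPTURE = """\
17:31:25.832692 IP 192.168.0.7 > 192.168.0.24: ESP(spi=0x4ca5896a,seq=0x5a)
17:31:25.837190 IP 192.168.0.24 > 192.168.0.7: ESP(spi=0x0a91a2ae,seq=0x5a)
17:31:26.833579 IP 192.168.0.7 > 192.168.0.24: ESP(spi=0x4ca5896a,seq=0x5b)
17:31:26.838184 IP 192.168.0.24 > 192.168.0.7: ESP(spi=0x07ed3ddc,seq=0x1)
17:31:29.836088 IP 192.168.0.7 > 192.168.0.24: ESP(spi=0x4ca5896a,seq=0x5e)
17:31:29.840708 IP 192.168.0.24 > 192.168.0.7: ESP(spi=0x07ed3ddc,seq=0x4)
17:31:30.837009 IP 192.168.0.7 > 192.168.0.24: ESP(spi=0x72fea16a,seq=0x1)
17:31:30.841616 IP 192.168.0.24 > 192.168.0.7: ESP(spi=0x07ed3ddc,seq=0x5)
"""

ESP_RE = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d+) IP (\S+) > (\S+): "
    r"ESP\(spi=0x([0-9a-fA-F]+),seq=0x([0-9a-fA-F]+)\)")

def spi_switches(text):
    """Return [(time, src, dst, old_spi, new_spi)] for each SPI change per direction."""
    current = {}   # (src, dst) -> SPI last seen in that direction
    switches = []
    for line in text.splitlines():
        m = ESP_RE.match(line.strip())
        if not m:
            continue  # skip non-ESP lines (racoon log lines, prose)
        ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
        src, dst, spi = m.group(2), m.group(3), int(m.group(4), 16)
        old = current.get((src, dst))
        if old is not None and old != spi:
            switches.append((ts, src, dst, old, spi))
        current[(src, dst)] = spi
    return switches

def rekey_lag(text, first, second):
    """Seconds between the first SPI change sent by `first` and by `second`."""
    when = {}
    for ts, src, _dst, _old, _new in spi_switches(text):
        when.setdefault(src, ts)
    if first not in when or second not in when:
        return None  # one side never switched inside this capture
    return (when[second] - when[first]).total_seconds()

if __name__ == "__main__":
    for ts, src, dst, old, new in spi_switches(CAPTURE):
        print(f"{ts:%H:%M:%S.%f} {src} -> {dst}: 0x{old:08x} -> 0x{new:08x}")
    print("lag:", rekey_lag(CAPTURE, "192.168.0.24", "192.168.0.7"), "s")
```

A return value of None from rekey_lag() means one peer never left the old SPI within the captured window, which is the case to look for when no manual cache flush is done.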