New commits:
commit 8cf8b4d57a2d7ed01138119fe7c3df70d87c1877
Merge: e856bedb55 f578c4a4e3
Author: Andrew Cagney <[email protected]>
Date: Thu Jun 19 11:18:20 2025 -0400
Merge connections: better handle crossing-stream's double-crossed IKE SA
(for want of a better term)
Given an established IKE SA + Child SA for a connection ("a"), a
double-cross happens when the PEER initiates a new IKE SA for that
same connection ("a") but with a Child SA for some different
connection ("b"). The result is:
- IKE SA "a" #1, while established, isn't "a"'s established IKE SA
- Child SA "a" #2 is both established and "a"'s established Child SA
- IKE SA "a" #3 is both established and "a"'s established IKE SA
- Child SA "b" #2 is both established and "b"'s established Child SA
close #2101 ipsec delete: EXPECTATION FAILED: ike == ((void *)0)
close #2305 check that when a connection gets a new IKE SA, the old one is viable=false
see also #2123 Expect no IKE only for orphan child
commit f578c4a4e339f4d45ce8e1bcda798452e578b97a
Author: Andrew Cagney <[email protected]>
Date: Thu Jun 19 11:17:35 2025 -0400
CHANGES: IKEv2: fix PEXPECT when deleting crossed IKE SA
Andrew, Ilya Maximets #2101, Ondrej Moris #2123
commit 6db963f50df1e47641d55a71e63cfb64f5da2631
Author: Andrew Cagney <[email protected]>
Date: Thu Jun 19 11:12:42 2025 -0400
testing: update ipsec down/delete output
commit 7887ace70b835d1414f8ae4dcd40f585a93c37cd
Author: Andrew Cagney <[email protected]>
Date: Thu Jun 19 11:02:43 2025 -0400
connections: another visit_connections.[hc] overhaul
- replace callback CONNECTION_PREP_IKE with the callbacks:
NUDGE_CONNECTION_PRINCIPAL_IKE_SA
the established IKE SA that "owns" the connection
NUDGE_CONNECTION_CROSSED_IKE_SA
any other established IKE SA that has lost
ownership (presumably double-crossed by PRINCIPAL!)
(callback order is not defined; can probably be merged)
For `ipsec delete` record'n'send a delete for the double-crossed
IKE SAs (previously both the IKEv1 and IKEv2 peers were
left hanging). This shows up in the logs.
- replace callbacks CONNECTION_IKE_CHILD, CONNECTION_ORPHAN_CHILD,
CONNECTION_CUCKOO_CHILD that visit the connection's (principal
or owning) Child SA with:
VISIT_CONNECTION_CHILD_OF_PRINCIPAL_IKE_SA
the Child SA and IKE SA are connection owners
VISIT_CONNECTION_CHILD_OF_CROSSED_IKE_SA
while the Child SA and its IKE SA are for the
connection, only the Child SA is an owner (presumably
the IKE SA was double crossed)
VISIT_CONNECTION_CHILD_OF_CUCKOLD_IKE_SA
while the Child SA is the connection owner,
the Child SA's IKE SA is completely unrelated
VISIT_CONNECTION_CHILD_OF_NONE
(IKEv1) the Child SA's IKE SA has been deleted
For `ipsec down`, like for the basic case, only delete
the double-crossed or cuckold IKE SA, when it has no
other children. This shows up in the logs.
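As an added example, not code from the libreswan tree or from these commits: a small C model of the ownership bookkeeping that the merge message (the double-crossed IKE SA "a" #1 vs #3) and the visit_connections overhaul above (the VISIT_CONNECTION_CHILD_OF_* cases, the `ipsec delete` and `ipsec down` rules) describe. The struct layouts, the state serial numbers, the connection names and every function name are assumptions made for the example; only the classification rules are taken from the commit messages. It is built so the double-cross scenario can be set up and each rule checked against it, including the case where the crossed IKE SA still carries another Child SA.

```c
/* Added example for this page, not libreswan's visit_connections.[hc]: a toy model
 * of which IKE SA / Child SA "owns" a connection after a double-cross. Struct
 * layouts, serial numbers and function names are assumptions made here. */
#include <stdbool.h>
#include <stddef.h>

enum sa_kind { IKE_SA, CHILD_SA };

struct conn {
	const char *name;
	int ike_serial;   /* established IKE SA owning the connection, 0 = none */
	int child_serial; /* established Child SA owning the connection, 0 = none */
};

struct state {
	int serial;        /* #N as printed in the logs */
	enum sa_kind kind;
	struct conn *conn; /* connection the SA was negotiated for */
	int ike_serial;    /* Child SA only: its IKE SA, 0 = already deleted (IKEv1) */
	bool established;
};

/* Mirrors the VISIT_CONNECTION_CHILD_OF_* cases of the commit message. */
enum child_visit {
	CHILD_OF_PRINCIPAL_IKE_SA, /* Child SA and its IKE SA both own the connection */
	CHILD_OF_CROSSED_IKE_SA,   /* IKE SA is for the connection but lost ownership */
	CHILD_OF_CUCKOLD_IKE_SA,   /* IKE SA belongs to an unrelated connection */
	CHILD_OF_NONE,             /* the IKE SA is gone (IKEv1) */
	NOT_CONNECTION_CHILD,      /* not the connection's owning Child SA */
};

#define MAX_STATES 8
static struct state states[MAX_STATES];
static int nstates;
struct conn conn_a = { "a", 0, 0 }, conn_b = { "b", 0, 0 };

void add_state(int serial, enum sa_kind kind, struct conn *c, int ike_serial)
{
	if (nstates < MAX_STATES)
		states[nstates++] = (struct state){ serial, kind, c, ike_serial, true };
}

struct state *find_state(int serial)
{
	for (int i = 0; i < nstates; i++)
		if (states[i].serial == serial) return &states[i];
	return NULL;
}

/* Constructed scenario from the merge message (serials assumed): #1 IKE SA "a" with
 * #2 Child SA "a"; the peer then initiates #3 IKE SA "a" carrying #4 Child SA "b". */
void setup_double_cross(void)
{
	nstates = 0;
	add_state(1, IKE_SA, &conn_a, 0);
	add_state(2, CHILD_SA, &conn_a, 1);
	add_state(3, IKE_SA, &conn_a, 0);
	add_state(4, CHILD_SA, &conn_b, 3);
	conn_a = (struct conn){ "a", 3, 2 }; /* #3 now owns "a"; #1 stays established */
	conn_b = (struct conn){ "b", 0, 4 }; /* "b" owns no IKE SA of its own */
}

enum child_visit classify_child(const struct conn *c, const struct state *child)
{
	if (child == NULL || child->kind != CHILD_SA || !child->established ||
	    child->serial != c->child_serial)
		return NOT_CONNECTION_CHILD;
	if (child->ike_serial == 0)
		return CHILD_OF_NONE;
	const struct state *ike = find_state(child->ike_serial);
	if (ike == NULL || ike->conn != c)
		return CHILD_OF_CUCKOLD_IKE_SA;
	return ike->serial == c->ike_serial ? CHILD_OF_PRINCIPAL_IKE_SA
					    : CHILD_OF_CROSSED_IKE_SA;
}

/* `ipsec delete C`: besides the principal IKE SA, every established IKE SA negotiated
 * for C that lost ownership needs its own delete sent, or the peer is left hanging. */
int crossed_ike_sas(const struct conn *c, int *out, int max)
{
	int n = 0;
	for (int i = 0; i < nstates && n < max; i++)
		if (states[i].kind == IKE_SA && states[i].established &&
		    states[i].conn == c && states[i].serial != c->ike_serial)
			out[n++] = states[i].serial;
	return n;
}

static bool ike_has_other_children(int ike_serial, int except_child)
{
	for (int i = 0; i < nstates; i++)
		if (states[i].kind == CHILD_SA && states[i].established &&
		    states[i].ike_serial == ike_serial && states[i].serial != except_child)
			return true;
	return false;
}

/* `ipsec down C`: the owning Child SA goes; its IKE SA (crossed or cuckold, like the
 * principal one in the basic case) is deleted only when no other Child SA uses it. */
bool down_deletes_ike_sa(const struct conn *c, const struct state *child)
{
	enum child_visit v = classify_child(c, child);
	if (v == NOT_CONNECTION_CHILD || v == CHILD_OF_NONE)
		return false;
	return !ike_has_other_children(child->ike_serial, child->serial);
}
```

After setup_double_cross(), classify_child(&conn_a, find_state(2)) reports the crossed case (Child SA #2's IKE SA #1 is for "a" but no longer owns it) and classify_child(&conn_b, find_state(4)) the cuckold case (Child SA #4 owns "b" while its IKE SA #3 was negotiated for "a"); crossed_ike_sas(&conn_a, ...) returns #1, the IKE SA that `ipsec delete a` must also send a delete for. Adding a further Child SA under #3 flips down_deletes_ike_sa(&conn_b, find_state(4)) to false, which is the "no other children" condition in the commit message.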
commit 5ccf17dd558914b7238f30193d61277d563c2113
Author: Andrew Cagney <[email protected]>
Date: Wed Jun 18 13:09:07 2025 -0400
testing: crossing-streams-24-ikev2-delete-connswitch-github-2101 is good
_______________________________________________
Swan-commit mailing list -- [email protected]
To unsubscribe send an email to [email protected]