makovick at gmail
Mar 28, 2010, 6:20 AM
Post #1 of 1
(2217 views)
Permalink
|
Hi,
I don't have access to any VPN that the commit 331 fixed, and have
almost no understanding of IPSEC, so pardon me if the following is
completely bogus.
I had some trouble with a concentrator, which seems to send weird
isakmp delete payloads. The SPI specified in the delete payload does
not match the current transmit SPI, and when the packet is just
ignored, everything is fine.
However, as the current vpnc accepts this packet, two things happen:
1) do_phase2_qm opens a new socket, which is unknown to the main loop
doing select. It means that vpnc will get stuck in a busy loop because
there are still data on the old socket, but they are not read anymore,
and the new socket is not select()ed at all.
2) if the above issue is fixed, vpnc still eventually fails with "HMAC
mismatch in ESP mode".
The attached patches fix these two issued by skipping opening of a new
esp socket when there already is one, and by ignoring delete payloads
with spi other than our current tx.spi .
Regards,
--
Jindrich Makovicka
|
reuse-socket.diff
