Testing: what happens when client restarts cleanly.

[Rishabh04-02]

Support for recovery from client restart.

[Rishabh04-02]

Output - https://pastebin.com/raw/bTVSmLip
test case added libreswan/libreswan@58338e0
Solved in PR - libreswan/libreswan#263

[letoams]

On Wed, 7 Aug 2019, Rishabh wrote: Output - https://pastebin.com/raw/bTVSmLip

On the east console, it shows two tunnels instead of one. It road did a "ipsec restart", it would have send a delete for the first tunnel. So I would expect only one tunnel after the road restart, not two? Paul

[Rishabh04-02]

I have been working on this issue, I also got Tuomo's help in this. But every time i got two tunnels running in the end.

Then I checked the road.console.txt in the tests where server is crashing and where server is restarting cleanly. In those 2 test cases the road.console.txt also have two tunnels running in the end.

grep "negotiated connection" /tmp/pluto.log
"private-or-clear#192.1.2.0/24"[1] 10.0.10.1/32=== ...192.1.2.23 #2: negotiated connection [10.0.10.1-10.0.10.1:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
"private-or-clear#192.1.2.0/24"[2] 10.0.10.1/32=== ...192.1.2.23 #4: negotiated connection [10.0.10.1-10.0.10.1:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]

Reference

grep "negotiated connection" /tmp/pluto.log
"private-or-clear#192.1.2.0/24"[1] 10.0.10.1/32=== ...192.1.2.23 #2: negotiated connection [10.0.10.1-10.0.10.1:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
"private-or-clear#192.1.2.0/24"[2] 10.0.10.1/32=== ...192.1.2.23 #4: negotiated connection [10.0.10.1-10.0.10.1:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]

Reference

Tuomo said - this can still be race condition. like pluto stops before it sent delete sa. OR we have software error and delete sa is not sent. OR there are some special cases where we don't want to notify about deleting sa.

[Rishabh04-02]

But I have noticed a strange behavior:
when I connect from my laptop to the letsencrypt server. I see one connection on both client and server. when I restart client or server. I see no connection on either of them.
But on the test server we see 2 connections.

[letoams]

Yes because if you crash you do not send a delete message. And since you authenticate the client with NULL the server cannot detect if this is the same or a different client. When you restart, a delete message should be sent and the server should delete the tunnel and when the client reconnects only one tunnel should be there. Paul Sent from mobile device

…

On Aug 9, 2019, at 04:26, Rishabh ***@***.***> wrote: I have been working on this issue for 2 days. I also got Tuomo's help in this. But every time i got two tunnels running in the end. Then I checked the road.console.txt in the tests where server is crashing and where server is restarting cleanly. In those 2 test cases the road.console.txt also have two tunnels running in the end. grep "negotiated connection" /tmp/pluto.log "private-or-clear#192.1.2.0/24"[1] 10.0.10.1/32=== ...192.1.2.23 #2: negotiated connection [10.0.10.1-10.0.10.1:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0] "private-or-clear#192.1.2.0/24"[2] 10.0.10.1/32=== ...192.1.2.23 #4: negotiated connection [10.0.10.1-10.0.10.1:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0] Reference grep "negotiated connection" /tmp/pluto.log "private-or-clear#192.1.2.0/24"[1] 10.0.10.1/32=== ...192.1.2.23 #2: negotiated connection [10.0.10.1-10.0.10.1:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0] "private-or-clear#192.1.2.0/24"[2] 10.0.10.1/32=== ...192.1.2.23 #4: negotiated connection [10.0.10.1-10.0.10.1:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0] Reference — You are receiving this because you commented. Reply to this email directly, view it on GitHub, or mute the thread.