[vpn-devel] Linux: unable to locate inbound policy for init phase2

Michael Kenny kennym79web at gmail.com
Thu Sep 9 17:27:58 CDT 2010


Mathew -

I pulled down the latest 2.1.7 branch and I think they're different
problems.
However, I had a chance to dig into it a little more and came up with
something that appears to have solved my problem.

In iked/ike.policy.cpp around line 641, I made the following change:

    // only an IPSEC-type policy clears the init bit and kicks off phase 2
    if( ( type == IPSEC_POLICY_IPSEC ) && ( tunnel->tstate & TSTATE_POLICY_INIT ) )
    {
        tunnel->tstate &= ~TSTATE_POLICY_INIT;
        policy->initial = true;
    }

This prevents phase 2 initialization until an IPSEC policy is installed. It
then finds the policy it needs for phase 2 and finishes the tunnel.

Another possibility would be to reset the TSTATE_POLICY_INIT bit on the
tunnel if phase 2 doesn't find the policy it needs?

Thoughts?
Michael

On Thu, Sep 2, 2010 at 6:12 PM, Michael Kenny <kennym79web at gmail.com> wrote:

> Matthew -
>
> I'm using the 2.1.6-release downloaded though I saw it in 2.1.5 as well.
> My apologies for not noticing that a 2.1.7 was branched and a beta already
> out. I'll give it a try!
>
> Thanks,
> Michael
>
>
> On Thu, Sep 2, 2010 at 6:04 PM, Matthew Grooms <mgrooms at shrew.net> wrote:
>
>> On 9/2/2010 6:01 PM, Michael Kenny wrote:
>>
>>> I'm wondering if anyone might have an idea of something I have
>>> configured wrong or if this might possibly be a bug.
>>>
>>> I have a Cisco ASA 5505 and using Mutual RSA + XAuth, config pull, DHCP,
>>> main mode, auto for the rest of the important stuff including topology
>>> with auto policy. I don't think NAT-T, DPD, or fragmentation options
>>> result in any changes.
>>>
>>> After iked finishes installing the NONE policies:
>>>
>>>
>> Hi Michael,
>>
>> Which branch are you using? I just fixed a similar bug in the head, 2.1
>> and 2.1.7-release branch.
>>
>> -Matthew
>>
>
>
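A small stand-alone C++ model of the ordering problem the change above addresses, added here as an illustration; it is not Shrew Soft iked code. It assumes, as inferred from the post, that the pre-patch code cleared TSTATE_POLICY_INIT on the first policy of any type, and that the NONE policies are installed before the IPSEC policy; all names and values are constructed stand-ins.

```cpp
#include <vector>
#include <cstdint>

// Constructed stand-in for the iked state discussed in the thread. These are
// not Shrew Soft's definitions: the names mirror the post, the values are made up.
enum { IPSEC_POLICY_NONE = 0, IPSEC_POLICY_IPSEC = 1 };
const uint32_t TSTATE_POLICY_INIT = 0x0001;

enum Outcome { NOT_TRIGGERED, PHASE2_STARTED, NO_POLICY_FOUND };

struct Policy { int type; bool initial; };
struct Tunnel { uint32_t tstate; std::vector<Policy> policies; };

// Phase 2 initiation, modelled as: find an IPSEC policy on the tunnel or fail
// with the "unable to locate inbound policy" condition from the subject line.
static Outcome phase2_init(const Tunnel &tunnel) {
    for (const Policy &p : tunnel.policies)
        if (p.type == IPSEC_POLICY_IPSEC) return PHASE2_STARTED;
    return NO_POLICY_FOUND;
}

// Install one policy. With fixed == true the TSTATE_POLICY_INIT bit is cleared
// only by an IPSEC-type policy (the change in the post); fixed == false models
// the assumed pre-patch behaviour of clearing it on the first policy of any
// type. A policy that clears the bit is marked initial and triggers phase 2.
static Outcome install_policy(Tunnel &tunnel, int type, bool fixed) {
    Policy policy{type, false};
    bool clears = fixed ? (type == IPSEC_POLICY_IPSEC) : true;
    if (clears && (tunnel.tstate & TSTATE_POLICY_INIT)) {
        tunnel.tstate &= ~TSTATE_POLICY_INIT;
        policy.initial = true;
    }
    tunnel.policies.push_back(policy);
    return policy.initial ? phase2_init(tunnel) : NOT_TRIGGERED;
}

// Replay the order the thread describes: the NONE policies are installed
// before the IPSEC policy. Returns the first outcome where phase 2 was triggered.
Outcome run_sequence(bool fixed) {
    Tunnel tunnel{TSTATE_POLICY_INIT, {}};
    const int order[] = { IPSEC_POLICY_NONE, IPSEC_POLICY_NONE, IPSEC_POLICY_IPSEC };
    for (int type : order) {
        Outcome o = install_policy(tunnel, type, fixed);
        if (o != NOT_TRIGGERED) return o;
    }
    return NOT_TRIGGERED;
}
```

Without the type check, the first NONE policy triggers phase 2 before any IPSEC policy exists; with it, phase 2 starts only once the IPSEC policy is in place.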