[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
(usagi-users 02507) TCP connect behavior during IKE negotiation
- To: usagi-users@xxxxxxxxxxxxxx
- Subject: (usagi-users 02507) TCP connect behavior during IKE negotiation
- From: Brian Buesker <bbuesker@xxxxxxxxxxxx>
- Date: Thu, 14 Aug 2003 14:19:49 -0700
- Reply-to: usagi-users@xxxxxxxxxxxxxx
- User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030225
I have been experimenting with IPSec in the 2.6.0-test2 kernel, using
racoon as the IKE daemon. I have found the following behavior occurs.
The following happens with IPv4, but not with IPv6: When I do a TCP
connect between two endpoints whose traffic must be protected via IPSec,
but the security association has not yet been established, and the IKE
daemon (racoon) is triggered to begin the negotiation, connect returns
-1 and errno is set to EAGAIN. I also tried it with the socket in
non-blocking mode, and EAGAIN is returned as well in this case. Thinking
that maybe EAGAIN instead of EINPROGRESS was being used to indicate that
the connection could not be completed right away, I then tried calling
select. In this case, select indicates that the socket is ready for
reading and writing, and calling getsockopt with SO_ERROR returns 0.
However, no TCP SYN packet is ever sent.
Has anybody else experienced this behavior of connect failing during an
IPSec security association establishment, and if so, how did you work
around this problem? Interestingly enough, for IPv6, this behavior does
not occur. Specifically, for IPv6, non-blocking connects correctly
return EINPROGRESS and select does not return until the timeout expires
or the connection has been completed. Also, when using a blocking
socket, connect does not return until the connection has been established.
Thanks for any help.
Brian Buesker