Juniper/NC ESP rekey fix

Daniel Lenski requested to merge fix_322 into master

This should fix #322 (closed). This was an immensely tricky issue to identify and solve. Many thanks to @john508 for his patient logging, testing, and bisecting.

This came down to a subtle combination of 2 problems, described further in #322 (comment 702122197).

First, a bug:

  • The code for Juniper/Pulse 'dontsend' added in b4f50f8b caused IPv6 packets to get sent over the Juniper oNCP/TLS channel in a completely mangled form, thereby confusing the server and making it not respond to subsequent ESP rekey packets sent over the oNCP/TLS channel.

    The fix is to use this code path only for the Pulse protocol, not for the Juniper protocol. Juniper cannot do ESP-over-IPv6 at all, and cannot send tunneled IPv6 packets at all (neither via ESP-over-IPv4, nor via oNCP/TLS).

Second, we introduced a subtle regression against a Juniper server behavior which we weren't previously aware of:

  • Juniper servers apparently don't always resend the IP address in a configuration packet, if that configuration packet is for rekey/reconnection only.

    To address this, we need to add a special case for Juniper to the install_vpn_opts() function, which was added in 3d845bc9.

Edited by Daniel Lenski
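Both problems in this MR are instances of the same defensive principle: a protocol layer should refuse to carry what the peer cannot accept, and a reconnection should never lose state the peer chose not to repeat. The following is an added, constructed C model of those two behaviours; it is not OpenConnect's code, and every name in it (`check_outgoing`, `apply_config`, `struct vpn_state`, `struct config_msg`) is hypothetical. It assumes the first nibble of a tunneled packet carries the IP version, that Juniper oNCP can carry only IPv4, and that a rekey-only configuration message may omit the client address.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed, hypothetical model of the two failure modes from the MR
 * description. Not OpenConnect code. */

enum proto { PROTO_JUNIPER, PROTO_PULSE };

enum verdict { SEND_OK, DROP_UNSUPPORTED_IPV6 };

/* The IP version is the top nibble of the first byte of the packet. */
static int ip_version(const uint8_t *pkt, size_t len)
{
    if (len < 1)
        return 0;
    return pkt[0] >> 4;
}

/* Juniper (oNCP) carries only IPv4 in the tunnel; Pulse carries both.
 * Returning a verdict, instead of rewriting the packet into a form the
 * server does not understand, keeps the control channel healthy so the
 * server keeps answering later rekey messages. */
enum verdict check_outgoing(enum proto p, const uint8_t *pkt, size_t len)
{
    int v = ip_version(pkt, len);
    if (v == 6 && p == PROTO_JUNIPER)
        return DROP_UNSUPPORTED_IPV6;
    return SEND_OK;
}

struct vpn_state {
    enum proto proto;
    char ipv4_addr[16]; /* textual address, "" while unassigned */
};

struct config_msg {
    bool is_rekey;         /* reconnection/rekey-only configuration */
    const char *ipv4_addr; /* NULL when the server omitted the address */
};

/* Returns 0 on success, -1 if no address is available at all.
 * For a rekey-only configuration that omits the address, the previously
 * assigned address is retained (the Juniper special case the MR adds). */
int apply_config(struct vpn_state *st, const struct config_msg *cfg)
{
    if (cfg->ipv4_addr) {
        snprintf(st->ipv4_addr, sizeof st->ipv4_addr, "%s", cfg->ipv4_addr);
        return 0;
    }
    if (cfg->is_rekey && st->proto == PROTO_JUNIPER && st->ipv4_addr[0])
        return 0; /* keep the address from the initial configuration */
    return -1;
}

/* Walks the constructed scenario: initial config with an address, then a
 * rekey config without one. Returns 0 if the address survives the rekey. */
int rekey_scenario(void)
{
    struct vpn_state st = { PROTO_JUNIPER, "" };
    struct config_msg initial = { false, "10.0.0.5" }; /* constructed */
    struct config_msg rekey = { true, NULL };           /* constructed */

    if (apply_config(&st, &initial) != 0)
        return -1;
    if (apply_config(&st, &rekey) != 0)
        return -2;
    return strcmp(st.ipv4_addr, "10.0.0.5") == 0 ? 0 : -3;
}

int main(void)
{
    const uint8_t v6[] = { 0x60, 0, 0, 0 }; /* constructed IPv6 header start */
    printf("juniper ipv6 verdict: %d\n", check_outgoing(PROTO_JUNIPER, v6, sizeof v6));
    printf("rekey scenario: %d\n", rekey_scenario());
    return 0;
}
```

The second function is the interesting one: a rekey that arrives without an address is only accepted when there is already an address to fall back on, so a first-time configuration that omits it still fails loudly instead of leaving the tunnel half-configured.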