
Upgrade strongswan to 5.9.6
Open, Requires assessmentPublicFEATURE REQUEST

Description

As per https://forum.vyos.io/t/site-to-site-ipsec-multiple-sa-in-stale-state/9289 and https://phabricator.vyos.net/T4551

With the current strongswan version (5.9.1) there seem to be the above issues.

I recompiled/created the deb packages on my own for strongswan 5.9.6, starting from dsc and sources for debian testing (available at https://salsa.debian.org/debian/strongswan/-/tree/debian/5.9.6-1 / tag debian/5.9.6-1).

With the newer version, the issue seems resolved.

NOTE: the patches at https://github.com/vyos/vyos-build/tree/current/packages/strongswan/patches do not apply to the new 5.9.6 tree. However, you can find the updated patches here: https://gitlab.alpinelinux.org/alpine/aports/-/tree/master/main/strongswan . My recompiled deb uses these ones.
NOTE: the newer version adds these deb dependencies (already available on the debian stable repo): libtss2-mu0 libtss2-sys1 tpm-udev (plus libtss2-dev for the build phase)

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Event Timeline

ssasso updated the task description.

From the strongswan 5.9.6 changelog:

Actively initiating duplicate CHILD_SAs within the same IKE_SA is now largely prevented. This can happen if trap policies are installed and an IKE_SA with its CHILD_SAs is reestablished (e.g. with break-before-make reauthentication or dpd_action=restart). This does not prevent duplicates if they are initiated by the two peers concurrently.
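The changelog entry above describes exactly the symptom from the forum thread: several CHILD_SAs under one IKE_SA covering the same traffic selectors, with the older ones sitting idle. Before and after an upgrade, an operator wants a quick way to confirm whether a router currently shows that pattern. The following script is an added example, not code from the VyOS task or from the strongSwan project: it parses text in the indentation-based layout of `swanctl --list-sas` (the layout is an assumption on my part, and the sample output embedded below is constructed, not captured from a real router) and reports CHILD_SAs that duplicate another one under the same IKE_SA, marking members with zero inbound packets as the likely stale copies.

```python
"""
Flag duplicate CHILD_SAs under one IKE_SA in `swanctl --list-sas` style output.

Added example, not part of the VyOS task or the strongSwan project. The
parser assumes the indentation-based layout of `swanctl --list-sas`
(IKE_SA header at column 0, CHILD_SA header indented two spaces, CHILD_SA
details indented four). SAMPLE_OUTPUT is constructed for this example.
"""
import re
from collections import defaultdict

# Constructed sample: IKE_SA "vpn-a" carries three CHILD_SAs, two of which
# (#7 and #9) cover the same traffic selectors; #9 has never received a
# packet. IKE_SA "vpn-b" is healthy.
SAMPLE_OUTPUT = """\
vpn-a: #3, ESTABLISHED, IKEv2, 0a1b2c3d4e5f6071_i* 1122334455667788_r
  local  '203.0.113.1' @ 203.0.113.1[500]
  remote '198.51.100.1' @ 198.51.100.1[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 4120s ago, rekeying in 23500s
  vpn-a-child: #7, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 4120s ago, rekeying in 2900s, expires in 3980s
    in  c0a80001,   1024 bytes,    12 packets
    out c0a80002,   2048 bytes,    20 packets
    local  10.10.0.0/24
    remote 10.20.0.0/24
  vpn-a-child: #9, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 210s ago, rekeying in 3400s, expires in 3990s
    in  c0a80003,      0 bytes,     0 packets
    out c0a80004,      0 bytes,     0 packets
    local  10.10.0.0/24
    remote 10.20.0.0/24
  vpn-a-other: #8, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 4100s ago, rekeying in 2800s, expires in 3900s
    in  c0a80005,    512 bytes,     6 packets
    out c0a80006,    512 bytes,     6 packets
    local  10.10.1.0/24
    remote 10.20.1.0/24
vpn-b: #4, ESTABLISHED, IKEv2, 99aabbccddeeff00_i 0011223344556677_r*
  local  '203.0.113.1' @ 203.0.113.1[500]
  remote '198.51.100.2' @ 198.51.100.2[500]
  vpn-b-child: #10, reqid 3, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 300s ago, rekeying in 3200s, expires in 3950s
    in  c0a80007,    100 bytes,     2 packets
    out c0a80008,    100 bytes,     2 packets
    local  10.10.2.0/24
    remote 10.20.2.0/24
"""

IKE_RE = re.compile(r"^(\S+): #(\d+), (\w+), IKEv\d")            # column 0
CHILD_RE = re.compile(r"^  (\S+): #(\d+), reqid (\d+), (\w+)")    # 2-space indent
TS_RE = re.compile(r"^    (local|remote)\s+(\S+)")                # 4-space indent
IN_RE = re.compile(r"^    in\s+\S+,\s+(\d+) bytes,\s+(\d+) packets")


def parse_sas(text):
    """Return {ike_sa_name: [child_sa dict, ...]} from list-sas style text."""
    sas = defaultdict(list)
    ike = child = None
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            ike, child = m.group(1), None
            sas.setdefault(ike, [])       # keep IKE_SAs with no children too
            continue
        m = CHILD_RE.match(line)
        if m and ike:
            child = {"name": m.group(1), "id": int(m.group(2)),
                     "reqid": int(m.group(3)), "state": m.group(4),
                     "local": None, "remote": None, "in_packets": None}
            sas[ike].append(child)
            continue
        if child is None:                 # IKE-level detail lines: ignore
            continue
        m = TS_RE.match(line)
        if m:
            child[m.group(1)] = m.group(2)
            continue
        m = IN_RE.match(line)
        if m:
            child["in_packets"] = int(m.group(2))
    return dict(sas)


def find_duplicate_children(sas):
    """Group CHILD_SAs of each IKE_SA by (name, local TS, remote TS) and
    return the groups that have more than one member."""
    dups = []
    for ike, children in sas.items():
        groups = defaultdict(list)
        for c in children:
            groups[(c["name"], c["local"], c["remote"])].append(c)
        for (name, local, remote), members in groups.items():
            if len(members) > 1:
                dups.append({
                    "ike": ike, "child": name, "local": local, "remote": remote,
                    "ids": sorted(c["id"] for c in members),
                    # a duplicate that has never received traffic is the likely stale one
                    "idle_ids": sorted(c["id"] for c in members if c["in_packets"] == 0),
                })
    return dups


if __name__ == "__main__":
    for d in find_duplicate_children(parse_sas(SAMPLE_OUTPUT)):
        print(f"{d['ike']}: duplicate CHILD_SA {d['child']} "
              f"{d['local']} <-> {d['remote']} ids={d['ids']} idle={d['idle_ids']}")
```

On a live system the same functions can be fed the real output of `swanctl --list-sas`; a non-empty result is a sign the duplicate-CHILD_SA behaviour the changelog describes is present, and the `idle_ids` hint which copies are not carrying traffic. The traffic-selector grouping deliberately ignores `reqid`, so duplicates that strongSwan assigned the same `reqid` and ones it did not are both reported.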