On Tue, Jan 21, 2014 at 9:54 AM, Woodhouse, David <david.woodhouse at intel.com> wrote:
>> I was toying with the idea of just closing the DTLS connection any
>> time the CSTP connection is closed, under the assumption that the DTLS
>> parameters are likely to get changed upon CSTP reconnection. Would
>> that make sense?
>
> In my testing against Cisco servers, the DTLS parameters *weren't*
> changing.

At the very minimum I'd worry about this case:

    /* Create (new) random master key for DTLS connection, if needed */
    if (vpninfo->dtls_times.last_rekey + vpninfo->dtls_times.rekey < time(NULL) + 300 &&
        openconnect_random(vpninfo->dtls_secret, sizeof(vpninfo->dtls_secret))) {
        vpn_progress(vpninfo, PRG_ERR, _("Failed to initialise DTLS secret\n"));
        return -EIO;
    }

On a server whose dtls_times.rekey == 0 and dtls_times.dpd == 0, DTLS loses
sync and never recovers.

Are you getting the same X-DTLS-Session-ID every time you reconnect? On my
ASA I see different IDs; on ocserv I see the same ID.
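Added illustration (not openconnect code): a small model of the quoted rekey condition, driven through a sequence of CSTP reconnects, to show that with rekey == 0 the client replaces its DTLS secret on every reconnect, versus a guarded predicate that treats rekey == 0 as "never rekey". The struct, the reconnect loop and the assumption that last_rekey is updated after each regeneration are all constructed for this example.

```c
#include <stdbool.h>
#include <time.h>

/* Constructed stand-in for the two fields the quoted code reads from vpninfo->dtls_times. */
struct dtls_times {
    time_t last_rekey;   /* when the DTLS secret was last (re)generated */
    int    rekey;        /* server-advertised rekey interval in seconds; 0 = none */
};

/* The condition quoted above, as a predicate: regenerate the DTLS master secret
 * if the next scheduled rekey falls within the next 300 seconds.
 * With rekey == 0 this is last_rekey < now + 300, which is always true. */
bool needs_new_secret_quoted(const struct dtls_times *t, time_t now)
{
    return t->last_rekey + t->rekey < now + 300;
}

/* Illustrative guard (assumption, not openconnect's fix): a server that advertises
 * rekey == 0 never rekeys, so keep the secret it already knows. */
bool needs_new_secret_guarded(const struct dtls_times *t, time_t now)
{
    if (t->rekey == 0)
        return false;
    return needs_new_secret_quoted(t, now);
}

/* Simulate n CSTP reconnects spaced 'interval' seconds apart and count how many
 * times the client would replace the DTLS secret the server already holds.
 * Assumes last_rekey is set to 'now' whenever a new secret is generated. */
int count_regenerations(int rekey, int n, int interval,
                        bool (*pred)(const struct dtls_times *, time_t))
{
    struct dtls_times t = { .last_rekey = 1000, .rekey = rekey };
    time_t now = 1000;
    int regenerated = 0;

    for (int i = 0; i < n; i++) {
        now += interval;
        if (pred(&t, now)) {
            regenerated++;
            t.last_rekey = now;
        }
    }
    return regenerated;
}
```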