Multiple IKE SAs between two peers #2251
That command does not delete the IKE_SA. First the command is called
What does that mean? Back from where? Was it removed before?
Because of Also note that the IKE_SA you marked as first one in the log is created due to
That's the allocated inbound SPI expiring in the kernel at the same time the daemon stopped waiting for the last retransmit. The
Thanks for the clarification. As mentioned, it's mostly ipsec auto=start & dpdaction triggered at the same time causing this. swanctl --terminate --ike carriergw-mnoOperator-00cb608a-b1a0-471b-ba27-72015e69cd95 --timeout 10 if you have swanctl available, why use ipsec and ipsec.conf and not swanctl.conf?
What does that mean? Back from where? Was it removed before?
option charon.reuse_ikesa is not set explicitly in our setup.
I have a strongSwan config:
Status of IKE charon daemon (strongSwan 5.8.2, Linux 5.4.0-1045-aws, x86_64):
carriergw-mnoOperator-00cb608a-b1a0-471b-ba27-72015e69cd95: 172.16.0.240,...66.94.4.170 IKEv2, dpddelay=120s
carriergw-mnoOperator-00cb608a-b1a0-471b-ba27-72015e69cd95: local: [XXX.com] uses public key authentication
carriergw-mnoOperator-00cb608a-b1a0-471b-ba27-72015e69cd95: cert: "CN=XXX"
carriergw-mnoOperator-00cb608a-b1a0-471b-ba27-72015e69cd95: remote: uses public key authentication
carriergw-mnoOperator-00cb608a-b1a0-471b-ba27-72015e69cd95: child: dynamic === 10.192.0.0/14 TUNNEL, dpdaction=restart
conn carriergw-mnoOperator-00cb608a-b1a0-471b-ba27-72015e69cd95
    auto=start
    #authby=psk
    type=tunnel
    left=172.16.0.240,
    leftsourceip="%config"
    leftid=XXX
    rightsubnet=10.192.0.0/14
    leftauth=pubkey
    leftcert=/etc/ipsec.d/carriergw/certs/mnoOperator-00cb608a-b1a0-471b-ba27-72015e69cd95_cert.pem
    right=66.94.4.170
    rightid="%any"
    #rightsubnet=10.51.0./24
    rightauth=pubkey
    #ike=aes128-aes256-sha1-sha256-modp1024-modp2048-modp4096
    ike=aes256-sha256-modp2048-!
    #esp=aes128-aes256-sha1-sha256-modp1024-modp2048-modp4096
    esp=aes256-sha256-modp2048-!
    closeaction=restart
    dpdaction=restart
    dpddelay=120s
    ikelifetime=28800s
    lifetime=3600s
    #ikelifetime=1h
    #lifetime=8h
    reauth=no
    mobike=no
    leftallowany=no
    keyingtries=%forever
Scenario:
Earlier there is only a single IKE SA with one IPsec SA.
Delete IKE SA is called with
swanctl --teardown --child carriergw-mnoOperator-00cb608a-b1a0-471b-ba27-72015e69cd95 --timeout 10
and after that the IPsec conf is added back and ipsec update is run so that IPsec should come up again.
Logs are:
May 15 04:34:42 ip-10-0-4-56 charon: 15[IKE] deleting IKE_SA carriergw-mnoOperator-00cb608a-b1a0-471b-ba27-72015e69cd95[135] between 172.16.0.240[XXX.highway9.com]...66.94.4.170[ CN=XXX_mocn_segwblv.com]
May 15 04:34:42 ip-10-0-4-56 charon: 15[IKE] sending DELETE for IKE_SA carriergw-mnoOperator-00cb608a-b1a0-471b-ba27-72015e69cd95[135]
May 15 04:34:42 ip-10-0-4-56 charon: 15[ENC] generating INFORMATIONAL request 2 [ D ]
May 15 04:34:42 ip-10-0-4-56 charon: 15[NET] sending packet: from 172.16.0.240[4500] to 66.94.4.170[4500] (80 bytes)
May 15 04:34:42 ip-10-0-4-56 charon: 05[IKE] destroying IKE_SA in state CONNECTING without notification
May 15 04:34:42 ip-10-0-4-56 charon: 12[IKE] destroying IKE_SA in state CONNECTING without notification
May 15 04:34:42 ip-10-0-4-56 charon: 09[NET] received packet: from 66.94.4.170[4500] to 172.16.0.240[4500] (80 bytes)
May 15 04:34:42 ip-10-0-4-56 charon: 09[ENC] parsed INFORMATIONAL response 2 [ ]
May 15 04:34:42 ip-10-0-4-56 charon: 09[IKE] IKE_SA deleted
May 15 04:34:42 ip-10-0-4-56 charon: 09[IKE] DNS server 10.168.251.140 still used, decreasing refcount
May 15 04:34:42 ip-10-0-4-56 charon: 09[IKE] DNS server 10.168.243.36 still used, decreasing refcount
May 15 04:34:42 ip-10-0-4-56 charon: 15[LIB] file coded in unknown format, discarded
May 15 04:34:42 ip-10-0-4-56 charon: 15[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders
May 15 04:34:51 ip-10-0-4-56 charon: 11[KNL] creating delete job for CHILD_SA ESP/0xccaded41/172.16.0.240
May 15 04:34:51 ip-10-0-4-56 charon: 14[JOB] CHILD_SA ESP/0xccaded41/172.16.0.240 not found for delete
May 15 04:34:51 ip-10-0-4-56 charon: 05[IKE] giving up after 5 retransmits
May 15 04:34:51 ip-10-0-4-56 charon: 05[IKE] installing new virtual IP 10.178.179.30
May 15 04:34:51 ip-10-0-4-56 charon: 05[IKE] restarting CHILD_SA carriergw-mnoOperator-00cb608a-b1a0-471b-ba27-72015e69cd95
May 15 04:34:51 ip-10-0-4-56 charon: 05[IKE] initiating IKE_SA carriergw-mnoOperator-00cb608a-b1a0-471b-ba27-72015e69cd95[145] to 66.94.4.170 -----------> >>>>>>>>>>>> 1st IKE
May 15 04:34:51 ip-10-0-4-56 charon: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
May 15 04:34:51 ip-10-0-4-56 charon: 05[NET] sending packet: from 172.16.0.240[500] to 66.94.4.170[500] (464 bytes)
May 15 04:34:51 ip-10-0-4-56 charon: 05[IKE] removing DNS server 10.168.251.140 via resolvconf
May 15 04:34:52 ip-10-0-4-56 charon: 15[NET] received packet: from 66.94.4.170[500] to 172.16.0.240[500] (1497 bytes)
May 15 04:34:52 ip-10-0-4-56 charon: 15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
May 15 04:34:52 ip-10-0-4-56 charon: 10[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS DNS) SA TSi TSr ]
May 15 04:34:52 ip-10-0-4-56 charon: 10[IKE] authentication of XXX with RSA signature successful
May 15 04:34:52 ip-10-0-4-56 charon: 10[IKE] IKE_SA carriergw-mnoOperator-00cb608a-b1a0-471b-ba27-72015e69cd95[145] established between 172.16.0.240[XXX.highway9.com]...66.94.4.170[CN=XXX_mocn_segwblv.com]
May 15 04:34:52 ip-10-0-4-56 charon: 10[IKE] scheduling rekeying in 2976s
May 15 04:34:52 ip-10-0-4-56 charon: 10[IKE] maximum IKE_SA lifetime 3516s
May 15 04:34:52 ip-10-0-4-56 charon: 10[IKE] installing DNS server 10.168.243.36 via resolvconf
May 15 04:34:52 ip-10-0-4-56 charon: 16[LIB] file coded in unknown format, discarded
May 15 04:34:52 ip-10-0-4-56 charon: 16[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders
May 15 04:34:53 ip-10-0-4-56 charon: 10[IKE] installing DNS server 10.168.251.140 via resolvconf
May 15 04:34:53 ip-10-0-4-56 charon: 05[IKE] retransmit 2 of request with message ID 0
May 15 04:34:53 ip-10-0-4-56 charon: 05[NET] sending packet: from 172.16.0.240[500] to 172.16.0.110[500] (464 bytes)
May 15 04:34:54 ip-10-0-4-56 charon: 10[IKE] installing new virtual IP 10.178.179.30
May 15 04:34:54 ip-10-0-4-56 charon: 10[IKE] CHILD_SA carriergw-mnoOperator-00cb608a-b1a0-471b-ba27-72015e69cd95{834} established with SPIs c7baa856_i 004a6ed0_o and TS 10.178.179.30/32 === 10.192.0.0/14
May 15 04:34:54 ip-10-0-4-56 charon: 10[IKE] establishing CHILD_SA carriergw-mnoOperator-00cb608a-b1a0-471b-ba27-72015e69cd95{835}
May 15 04:34:54 ip-10-0-4-56 charon: 10[ENC] generating CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]
May 15 04:34:54 ip-10-0-4-56 charon: 10[NET] sending packet: from 172.16.0.240[4500] to 66.94.4.170[4500] (480 bytes)
May 15 04:34:54 ip-10-0-4-56 charon: 07[IKE] initiating IKE_SA carriergw-mnoOperator-00cb608a-b1a0-471b-ba27-72015e69cd95[146] to 66.94.4.170 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2nd IKE
May 15 04:34:54 ip-10-0-4-56 charon: 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
May 15 04:34:54 ip-10-0-4-56 charon: 07[NET] sending packet: from 172.16.0.240[500] to 66.94.4.170[500] (464 bytes)
May 15 04:34:54 ip-10-0-4-56 charon: 12[NET] received packet: from 66.94.4.170[4500] to 172.16.0.240[4500] (80 bytes)
May 15 04:34:54 ip-10-0-4-56 charon: 12[ENC] parsed CREATE_CHILD_SA response 2 [ N(NO_ADD_SAS) ]
May 15 04:34:54 ip-10-0-4-56 charon: 12[IKE] received NO_ADDITIONAL_SAS notify, no CHILD_SA built
May 15 04:34:54 ip-10-0-4-56 charon: 12[IKE] failed to establish CHILD_SA, keeping IKE_SA
May 15 04:34:54 ip-10-0-4-56 charon: 12[IKE] establishing CHILD_SA carriergw-mnoOperator-00cb608a-b1a0-471b-ba27-72015e69cd95{836}
May 15 04:34:54 ip-10-0-4-56 charon: 12[ENC] generating CREATE_CHILD_SA request 3 [ SA No KE TSi TSr ]
May 15 04:34:54 ip-10-0-4-56 charon: 12[NET] sending packet: from 172.16.0.240[4500] to 66.94.4.170[4500] (480 bytes)
May 15 04:34:54 ip-10-0-4-56 charon: 05[NET] received packet: from 66.94.4.170[500] to 172.16.0.240[500] (1497 bytes)
May 15 04:34:54 ip-10-0-4-56 charon: 05[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Suspected logs:
Not sure when this scenario happens where the CHILD SA is not found for delete.
May 15 04:34:51 ip-10-0-4-56 charon: 11[KNL] creating delete job for CHILD_SA ESP/0xccaded41/172.16.0.240
May 15 04:34:51 ip-10-0-4-56 charon: 14[JOB] CHILD_SA ESP/0xccaded41/172.16.0.240 not found for delete
May 15 04:34:51 ip-10-0-4-56 charon: 05[IKE] giving up after 5 retransmits
May 15 04:34:51 ip-10-0-4-56 charon: 05[IKE] installing new virtual IP 10.178.179.30
May 15 04:34:51 ip-10-0-4-56 charon: 05[IKE] restarting CHILD_SA carriergw-mnoOperator-00cb608a-b1a0-471b-ba27-72015e69cd95
May 15 04:34:51 ip-10-0-4-56 charon: 05[IKE] initiating IKE_SA carriergw-mnoOperator-00cb608a-b1a0-471b-ba27-72015e69cd95[145] to 66.94.4.170
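As an added example that is not part of the thread or of strongSwan itself, the following checker walks charon log lines like those quoted above and flags a second "initiating IKE_SA" for a connection whose earlier IKE_SA has not yet been deleted. The sample lines are a constructed subset of the post's log with the long connection name shortened to "carriergw"; the overlap it reports ([146] initiated while [145] is still live) is the duplicate the post describes.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the charon log lines quoted in the post,
# with the long connection name shortened to keep the lines readable.
SAMPLE_LOG = """\
May 15 04:34:42 ip-10-0-4-56 charon: 15[IKE] deleting IKE_SA carriergw[135] between 172.16.0.240[XXX]...66.94.4.170[CN=XXX]
May 15 04:34:42 ip-10-0-4-56 charon: 09[IKE] IKE_SA deleted
May 15 04:34:51 ip-10-0-4-56 charon: 05[IKE] initiating IKE_SA carriergw[145] to 66.94.4.170
May 15 04:34:52 ip-10-0-4-56 charon: 10[IKE] IKE_SA carriergw[145] established between 172.16.0.240[XXX]...66.94.4.170[CN=XXX]
May 15 04:34:54 ip-10-0-4-56 charon: 07[IKE] initiating IKE_SA carriergw[146] to 66.94.4.170
"""

# Syslog timestamp, then the three IKE_SA lifecycle events that carry the
# connection name and the numeric IKE_SA id in charon's "name[id]" form.
TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) ")
INIT_RE = re.compile(r"\[IKE\] initiating IKE_SA (\S+)\[(\d+)\] ")
ESTAB_RE = re.compile(r"\[IKE\] IKE_SA (\S+)\[(\d+)\] established ")
DELETE_RE = re.compile(r"\[IKE\] deleting IKE_SA (\S+)\[(\d+)\] ")


def find_duplicate_ike_sas(log_text):
    """Return one finding per 'initiating IKE_SA' line that overlaps a live
    IKE_SA of the same connection. An IKE_SA counts as live once it has been
    initiated or established and until a 'deleting IKE_SA' line names it."""
    live = defaultdict(set)   # connection name -> IKE_SA ids not yet deleted
    findings = []
    for line in log_text.splitlines():
        ts = TS_RE.match(line)
        stamp = ts.group(1) if ts else "?"
        if m := DELETE_RE.search(line):
            live[m.group(1)].discard(int(m.group(2)))
        elif m := ESTAB_RE.search(line):
            live[m.group(1)].add(int(m.group(2)))
        elif m := INIT_RE.search(line):
            name, sa_id = m.group(1), int(m.group(2))
            if live[name]:
                findings.append({"time": stamp, "conn": name,
                                 "new": sa_id, "existing": sorted(live[name])})
            live[name].add(sa_id)
    return findings


if __name__ == "__main__":
    for f in find_duplicate_ike_sas(SAMPLE_LOG):
        print(f"{f['time']}: {f['conn']} IKE_SA[{f['new']}] initiated while "
              f"IKE_SA {f['existing']} still live")
```

Run it against `journalctl -u strongswan` output (or the charon syslog file) to confirm whether the second IKE_SA comes from a restart action firing while the first one is still up, which is the ordering the maintainer points at.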