Bug #2610
Reauthentication fails when used both mark_in option and make_before_break=yes
Start date:
Due date:
Estimated time:
Affected version:
5.6.1
Resolution:
Fixed
Description
Hi
GW-A <-------Tunnel ---------> GW-B
40.1 40.2
I established host-host tunnel mode between two gateways and setup works fine initially.
Option 1 : Add make_before_break=yes in strongswan.conf
Option 2 : Add "mark_in= %unique" option in GW-A in ipsec.conf
When used only either of the options above, setup works fine as expected.
But when used both the options, reauthentication fails with below error
charon: 12[CFG] unable to install policy 40.0.0.1/32 === 40.0.0.2/32 out for reqid 2, the same policy for reqid 1 exists charon: 12[CFG] unable to install policy 40.0.0.1/32 === 40.0.0.2/32 out for reqid 2, the same policy for reqid 1 exists charon: 12[IKE] unable to install IPsec policies (SPD) in kernel
Can someone please let me know what could be missing here in the configuration.
Below are the config files used.
GW-A ipsec.conf
-----------------
# cat /etc/ipsec.conf
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftfirewall=yes
rightid=@sun.strongswan.org
conn h1
left=40.0.0.1
leftsubnet=40.0.0.1/32
right=40.0.0.2
rightsubnet=40.0.0.2/32
auto=add
type=tunnel
mark_in = %unique
GW-A strongswan.conf
--------------------
# cat /etc/strongswan.conf
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints curve25519 pubkey gmp random nonce curl kernel-netlink socket-default updown stroke vici connmark
make_before_break=yes
}
GW-B ipsec.conf
----------------
config setup
conn %default
ikelifetime=4m
keylife=2m
rekeymargin=30s
keyingtries=1
keyexchange=ikev2
mobike=no
esp=aes128-sha1
conn sun
leftcert=sunCert.pem
leftid=@sun.strongswan.org
auto=add
type=tunnel
lefthostaccess=yes
leftfirewall=yes
left=40.0.0.2
leftsubnet=40.0.0.2/32
conn h1
rightid=@moon.strongswan.org
right=40.0.0.1
rightsubnet=40.0.0.1/32
also=sun
GW-B strongswan.conf
---------------------
cat /etc/strongswan.conf
# strongswan.conf - strongSwan configuration file
#
charon {
load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation pubkey curve25519 gmp curl kernel-netlink socket-default updown stroke connmark
make_before_break=yes
}
root@Debian:~# ipsec start
Starting strongSwan 5.6.1 IPsec [starter]...
!! Your strongswan.conf contains manual plugin load options for charon.
!! This is recommended for experts only, see
!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
root@Debian:~# Apr 3 11:35:23 Debian charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.1, Linux 4.9.30, x86_64)
Apr 3 11:35:23 Debian charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Apr 3 11:35:23 Debian charon: 00[CFG] loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
Apr 3 11:35:23 Debian charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Apr 3 11:35:23 Debian charon: 00[LIB] opening directory '/etc/ipsec.d/aacerts' failed: No such file or directory
Apr 3 11:35:23 Debian charon: 00[CFG] reading directory failed
Apr 3 11:35:23 Debian charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Apr 3 11:35:23 Debian charon: 00[LIB] opening directory '/etc/ipsec.d/ocspcerts' failed: No such file or directory
Apr 3 11:35:23 Debian charon: 00[CFG] reading directory failed
Apr 3 11:35:23 Debian charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Apr 3 11:35:23 Debian charon: 00[LIB] opening directory '/etc/ipsec.d/acerts' failed: No such file or directory
Apr 3 11:35:23 Debian charon: 00[CFG] reading directory failed
Apr 3 11:35:23 Debian charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Apr 3 11:35:23 Debian charon: 00[LIB] opening directory '/etc/ipsec.d/crls' failed: No such file or directory
Apr 3 11:35:23 Debian charon: 00[CFG] reading directory failed
Apr 3 11:35:23 Debian charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Apr 3 11:35:23 Debian charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/moonKey.pem'
Apr 3 11:35:23 Debian charon: 00[LIB] loaded plugins: charon sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints curve25519 pubkey gmp random nonce kernel-netlink socket-default updown stroke vici connmark
Apr 3 11:35:23 Debian charon: 00[JOB] spawning 16 worker threads
Apr 3 11:35:23 Debian charon: 05[CFG] received stroke: add connection 'h1'
Apr 3 11:35:23 Debian charon: 05[CFG] loaded certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" from 'moonCert.pem'
Apr 3 11:35:23 Debian charon: 05[CFG] added configuration 'h1'
root@Debian:~# Apr 3 11:35:28 Debian charon: 07[NET] received packet: from 40.0.0.2[500] to 40.0.0.1[500] (344 bytes)
Apr 3 11:35:28 Debian charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr 3 11:35:28 Debian charon: 07[IKE] 40.0.0.2 is initiating an IKE_SA
Apr 3 11:35:28 Debian charon: 07[IKE] sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Apr 3 11:35:28 Debian charon: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Apr 3 11:35:28 Debian charon: 07[NET] sending packet: from 40.0.0.1[500] to 40.0.0.2[500] (265 bytes)
Apr 3 11:35:28 Debian charon: 08[NET] received packet: from 40.0.0.2[500] to 40.0.0.1[500] (1252 bytes)
Apr 3 11:35:28 Debian charon: 08[ENC] parsed IKE_AUTH request 1 [ EF(1/2) ]
Apr 3 11:35:28 Debian charon: 08[ENC] received fragment #1 of 2, waiting for complete IKE message
Apr 3 11:35:28 Debian charon: 09[NET] received packet: from 40.0.0.2[500] to 40.0.0.1[500] (532 bytes)
Apr 3 11:35:28 Debian charon: 09[ENC] parsed IKE_AUTH request 1 [ EF(2/2) ]
Apr 3 11:35:28 Debian charon: 09[ENC] received fragment #2 of 2, reassembling fragmented IKE message
Apr 3 11:35:28 Debian charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Apr 3 11:35:28 Debian charon: 09[IKE] received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Apr 3 11:35:28 Debian charon: 09[IKE] received end entity cert "C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
Apr 3 11:35:28 Debian charon: 09[CFG] looking for peer configs matching 40.0.0.1[moon.strongswan.org]...40.0.0.2[sun.strongswan.org]
Apr 3 11:35:28 Debian charon: 09[CFG] selected peer config 'h1'
Apr 3 11:35:28 Debian charon: 09[CFG] using certificate "C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
Apr 3 11:35:28 Debian charon: 09[CFG] using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Apr 3 11:35:28 Debian charon: 09[CFG] checking certificate status of "C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
Apr 3 11:35:28 Debian charon: 09[CFG] fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
Apr 3 11:35:28 Debian charon: 09[LIB] unable to fetch from http://crl.strongswan.org/strongswan.crl, no capable fetcher found
Apr 3 11:35:28 Debian charon: 09[CFG] crl fetching failed
Apr 3 11:35:28 Debian charon: 09[CFG] certificate status is not available
Apr 3 11:35:28 Debian charon: 09[CFG] reached self-signed root ca with a path length of 0
Apr 3 11:35:28 Debian charon: 09[IKE] authentication of 'sun.strongswan.org' with RSA_EMSA_PKCS1_SHA2_256 successful
Apr 3 11:35:28 Debian charon: 09[IKE] authentication of 'moon.strongswan.org' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Apr 3 11:35:28 Debian charon: 09[IKE] IKE_SA h1[1] established between 40.0.0.1[moon.strongswan.org]...40.0.0.2[sun.strongswan.org]
Apr 3 11:35:28 Debian charon: 09[IKE] scheduling reauthentication in 3379s
Apr 3 11:35:28 Debian charon: 09[IKE] maximum IKE_SA lifetime 3559s
Apr 3 11:35:28 Debian charon: 09[IKE] sending end entity cert "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
Apr 3 11:35:28 Debian charon: 09[IKE] CHILD_SA h1{1} established with SPIs c23ff77f_i ce91be0d_o and TS 40.0.0.1/32 === 40.0.0.2/32
Apr 3 11:35:28 Debian vpn: + sun.strongswan.org 40.0.0.2 -- 40.0.0.1
Apr 3 11:35:28 Debian charon: 09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ]
Apr 3 11:35:28 Debian charon: 09[ENC] splitting IKE message with length of 1552 bytes into 2 fragments
Apr 3 11:35:28 Debian charon: 09[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Apr 3 11:35:28 Debian charon: 09[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Apr 3 11:35:28 Debian charon: 09[NET] sending packet: from 40.0.0.1[500] to 40.0.0.2[500] (1252 bytes)
Apr 3 11:35:28 Debian charon: 09[NET] sending packet: from 40.0.0.1[500] to 40.0.0.2[500] (372 bytes)
root@Debian:~# ip xfrm poliocy
Usage: ip xfrm XFRM-OBJECT { COMMAND | help }
where XFRM-OBJECT := state | policy | monitor
root@Debian:~# ip xfrm policy
src 40.0.0.1/32 dst 40.0.0.2/32
dir out priority 367231 ptype main
tmpl src 40.0.0.1 dst 40.0.0.2
proto esp spi 0xce91be0d reqid 1 mode tunnel
src 40.0.0.2/32 dst 40.0.0.1/32
dir fwd priority 367231 ptype main
mark 0x1/0xffffffff
tmpl src 40.0.0.2 dst 40.0.0.1
proto esp reqid 1 mode tunnel
src 40.0.0.2/32 dst 40.0.0.1/32
dir in priority 367231 ptype main
mark 0x1/0xffffffff
tmpl src 40.0.0.2 dst 40.0.0.1
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
root@Debian:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.1, Linux 4.9.30, x86_64):
uptime: 34 seconds, since Apr 03 11:35:22 2018
malloc: sbrk 1757184, mmap 0, used 276768, free 1480416
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
loaded plugins: charon sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints curve25519 pubkey gmp random nonce kernel-netlink socket-default updown stroke vici connmark
Listening IP addresses:
10.161.6.117
40.0.0.1
Connections:
h1: 40.0.0.1...40.0.0.2 IKEv1/2
h1: local: [moon.strongswan.org] uses public key authentication
h1: cert: "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
h1: remote: [sun.strongswan.org] uses public key authentication
h1: child: 40.0.0.1/32 === 40.0.0.2/32 TUNNEL
Security Associations (1 up, 0 connecting):
h1[1]: ESTABLISHED 29 seconds ago, 40.0.0.1[moon.strongswan.org]...40.0.0.2[sun.strongswan.org]
h1[1]: IKEv2 SPIs: ba1f561bc7de8223_i 0e0a5553fcaf51c3_r*, public key reauthentication in 55 minutes
h1[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
h1{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c23ff77f_i ce91be0d_o
h1{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 15 minutes
h1{1}: 40.0.0.1/32 === 40.0.0.2/32
root@Debian:~#
root@Debian:~#
root@Debian:~#
root@Debian:~#
root@Debian:~# Apr 3 11:36:44 Debian charon: 14[NET] received packet: from 40.0.0.2[500] to 40.0.0.1[500] (304 bytes)
Apr 3 11:36:44 Debian charon: 14[ENC] parsed CREATE_CHILD_SA request 2 [ N(REKEY_SA) SA No TSi TSr ]
Apr 3 11:36:44 Debian charon: 14[IKE] inbound CHILD_SA h1{2} established with SPIs caf4a366_i cc46699a_o and TS 40.0.0.1/32 === 40.0.0.2/32
Apr 3 11:36:44 Debian charon: 14[ENC] generating CREATE_CHILD_SA response 2 [ SA No TSi TSr ]
Apr 3 11:36:44 Debian charon: 14[NET] sending packet: from 40.0.0.1[500] to 40.0.0.2[500] (208 bytes)
Apr 3 11:36:44 Debian charon: 15[NET] received packet: from 40.0.0.2[500] to 40.0.0.1[500] (80 bytes)
Apr 3 11:36:44 Debian charon: 15[ENC] parsed INFORMATIONAL request 3 [ D ]
Apr 3 11:36:44 Debian charon: 15[IKE] received DELETE for ESP CHILD_SA with SPI ce91be0d
Apr 3 11:36:44 Debian charon: 15[IKE] closing CHILD_SA h1{1} with SPIs c23ff77f_i (0 bytes) ce91be0d_o (0 bytes) and TS 40.0.0.1/32 === 40.0.0.2/32
Apr 3 11:36:44 Debian charon: 15[IKE] sending DELETE for ESP CHILD_SA with SPI c23ff77f
Apr 3 11:36:44 Debian charon: 15[IKE] CHILD_SA closed
Apr 3 11:36:44 Debian charon: 15[IKE] outbound CHILD_SA h1{2} established with SPIs caf4a366_i cc46699a_o and TS 40.0.0.1/32 === 40.0.0.2/32
Apr 3 11:36:44 Debian charon: 15[ENC] generating INFORMATIONAL response 3 [ D ]
Apr 3 11:36:44 Debian charon: 15[NET] sending packet: from 40.0.0.1[500] to 40.0.0.2[500] (80 bytes)
root@Debian:~#
root@Debian:~#
root@Debian:~#
root@Debian:~# ip xfrm policy
src 40.0.0.1/32 dst 40.0.0.2/32
dir out priority 367231 ptype main
tmpl src 40.0.0.1 dst 40.0.0.2
proto esp spi 0xcc46699a reqid 1 mode tunnel
src 40.0.0.2/32 dst 40.0.0.1/32
dir fwd priority 367231 ptype main
mark 0x1/0xffffffff
tmpl src 40.0.0.2 dst 40.0.0.1
proto esp reqid 1 mode tunnel
src 40.0.0.2/32 dst 40.0.0.1/32
dir in priority 367231 ptype main
mark 0x1/0xffffffff
tmpl src 40.0.0.2 dst 40.0.0.1
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
root@Debian:~#
root@Debian:~#
root@Debian:~#
root@Debian:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.1, Linux 4.9.30, x86_64):
uptime: 109 seconds, since Apr 03 11:35:23 2018
malloc: sbrk 2297856, mmap 0, used 283232, free 2014624
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints curve25519 pubkey gmp random nonce kernel-netlink socket-default updown stroke vici connmark
Listening IP addresses:
10.161.6.117
40.0.0.1
Connections:
h1: 40.0.0.1...40.0.0.2 IKEv1/2
h1: local: [moon.strongswan.org] uses public key authentication
h1: cert: "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
h1: remote: [sun.strongswan.org] uses public key authentication
h1: child: 40.0.0.1/32 === 40.0.0.2/32 TUNNEL
Security Associations (1 up, 0 connecting):
h1[1]: ESTABLISHED 104 seconds ago, 40.0.0.1[moon.strongswan.org]...40.0.0.2[sun.strongswan.org]
h1[1]: IKEv2 SPIs: ba1f561bc7de8223_i 0e0a5553fcaf51c3_r*, public key reauthentication in 54 minutes
h1[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
h1{2}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: caf4a366_i cc46699a_o
h1{2}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 13 minutes
h1{2}: 40.0.0.1/32 === 40.0.0.2/32
root@Debian:~#
root@Debian:~#
root@Debian:~#
root@Debian:~# Apr 3 11:37:59 Debian charon: 07[NET] received packet: from 40.0.0.2[500] to 40.0.0.1[500] (304 bytes)
Apr 3 11:37:59 Debian charon: 07[ENC] parsed CREATE_CHILD_SA request 4 [ N(REKEY_SA) SA No TSi TSr ]
Apr 3 11:37:59 Debian charon: 07[IKE] inbound CHILD_SA h1{3} established with SPIs cc7d4ff1_i c198d4d8_o and TS 40.0.0.1/32 === 40.0.0.2/32
Apr 3 11:37:59 Debian charon: 07[ENC] generating CREATE_CHILD_SA response 4 [ SA No TSi TSr ]
Apr 3 11:37:59 Debian charon: 07[NET] sending packet: from 40.0.0.1[500] to 40.0.0.2[500] (208 bytes)
Apr 3 11:37:59 Debian charon: 08[NET] received packet: from 40.0.0.2[500] to 40.0.0.1[500] (80 bytes)
Apr 3 11:37:59 Debian charon: 08[ENC] parsed INFORMATIONAL request 5 [ D ]
Apr 3 11:37:59 Debian charon: 08[IKE] received DELETE for ESP CHILD_SA with SPI cc46699a
Apr 3 11:37:59 Debian charon: 08[IKE] closing CHILD_SA h1{2} with SPIs caf4a366_i (0 bytes) cc46699a_o (0 bytes) and TS 40.0.0.1/32 === 40.0.0.2/32
Apr 3 11:37:59 Debian charon: 08[IKE] sending DELETE for ESP CHILD_SA with SPI caf4a366
Apr 3 11:37:59 Debian charon: 08[IKE] CHILD_SA closed
Apr 3 11:37:59 Debian charon: 08[IKE] outbound CHILD_SA h1{3} established with SPIs cc7d4ff1_i c198d4d8_o and TS 40.0.0.1/32 === 40.0.0.2/32
Apr 3 11:37:59 Debian charon: 08[ENC] generating INFORMATIONAL response 5 [ D ]
Apr 3 11:37:59 Debian charon: 08[NET] sending packet: from 40.0.0.1[500] to 40.0.0.2[500] (80 bytes)
root@Debian:~#
root@Debian:~#
root@Debian:~#
root@Debian:~# ip xApr 3 11:38:39 Debian charon: 09[NET] received packet: from 40.0.0.2[500] to 40.0.0.1[500] (344 bytes)
Apr 3 11:38:39 Debian charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr 3 11:38:39 Debian charon: 09[IKE] 40.0.0.2 is initiating an IKE_SA
Apr 3 11:38:39 Debian charon: 09[IKE] sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Apr 3 11:38:39 Debian charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Apr 3 11:38:39 Debian charon: 09[NET] sending packet: from 40.0.0.1[500] to 40.0.0.2[500] (265 bytes)
Apr 3 11:38:39 Debian charon: 11[NET] received packet: from 40.0.0.2[500] to 40.0.0.1[500] (532 bytes)
Apr 3 11:38:39 Debian charon: 11[ENC] parsed IKE_AUTH request 1 [ EF(2/2) ]
Apr 3 11:38:39 Debian charon: 11[ENC] received fragment #2 of 2, waiting for complete IKE message
Apr 3 11:38:39 Debian charon: 12[NET] received packet: from 40.0.0.2[500] to 40.0.0.1[500] (1252 bytes)
Apr 3 11:38:39 Debian charon: 12[ENC] parsed IKE_AUTH request 1 [ EF(1/2) ]
fApr 3 11:38:39 Debian charon: 12[ENC] received fragment #1 of 2, reassembling fragmented IKE message
Apr 3 11:38:39 Debian charon: 12[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Apr 3 11:38:39 Debian charon: 12[IKE] received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Apr 3 11:38:39 Debian charon: 12[IKE] received end entity cert "C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
Apr 3 11:38:39 Debian charon: 12[CFG] looking for peer configs matching 40.0.0.1[moon.strongswan.org]...40.0.0.2[sun.strongswan.org]
Apr 3 11:38:39 Debian charon: 12[CFG] selected peer config 'h1'
Apr 3 11:38:39 Debian charon: 12[CFG] using certificate "C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
Apr 3 11:38:39 Debian charon: 12[CFG] using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Apr 3 11:38:39 Debian charon: 12[CFG] checking certificate status of "C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
Apr 3 11:38:39 Debian charon: 12[CFG] fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
Apr 3 11:38:39 Debian charon: 12[LIB] unable to fetch from http://crl.strongswan.org/strongswan.crl, no capable fetcher found
Apr 3 11:38:39 Debian charon: 12[CFG] crl fetching failed
Apr 3 11:38:39 Debian charon: 12[CFG] certificate status is not available
Apr 3 11:38:39 Debian charon: 12[CFG] reached self-signed root ca with a path length of 0
Apr 3 11:38:39 Debian charon: 12[IKE] authentication of 'sun.strongswan.org' with RSA_EMSA_PKCS1_SHA2_256 successful
Apr 3 11:38:39 Debian charon: 12[IKE] authentication of 'moon.strongswan.org' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Apr 3 11:38:39 Debian charon: 12[IKE] IKE_SA h1[2] established between 40.0.0.1[moon.strongswan.org]...40.0.0.2[sun.strongswan.org]
Apr 3 11:38:39 Debian charon: 12[IKE] scheduling reauthentication in 3355s
Apr 3 11:38:39 Debian charon: 12[IKE] maximum IKE_SA lifetime 3535s
Apr 3 11:38:39 Debian charon: 12[IKE] sending end entity cert "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
Apr 3 11:38:39 Debian charon: 12[CFG] unable to install policy 40.0.0.1/32 === 40.0.0.2/32 out for reqid 2, the same policy for reqid 1 exists
Apr 3 11:38:39 Debian charon: 12[CFG] unable to install policy 40.0.0.1/32 === 40.0.0.2/32 out for reqid 2, the same policy for reqid 1 exists
Apr 3 11:38:39 Debian charon: 12[IKE] unable to install IPsec policies (SPD) in kernel
Apr 3 11:38:39 Debian charon: 12[IKE] failed to establish CHILD_SA, keeping IKE_SA
Apr 3 11:38:39 Debian charon: 12[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(TS_UNACCEPT) ]
Apr 3 11:38:39 Debian charon: 12[ENC] splitting IKE message with length of 1472 bytes into 2 fragments
Apr 3 11:38:39 Debian charon: 12[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Apr 3 11:38:39 Debian charon: 12[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Apr 3 11:38:39 Debian charon: 12[NET] sending packet: from 40.0.0.1[500] to 40.0.0.2[500] (1252 bytes)
Apr 3 11:38:39 Debian charon: 12[NET] sending packet: from 40.0.0.1[500] to 40.0.0.2[500] (292 bytes)
Apr 3 11:38:39 Debian charon: 04[NET] received packet: from 40.0.0.2[500] to 40.0.0.1[500] (80 bytes)
Apr 3 11:38:39 Debian charon: 04[ENC] parsed INFORMATIONAL request 6 [ D ]
Apr 3 11:38:39 Debian charon: 04[IKE] received DELETE for IKE_SA h1[1]
Apr 3 11:38:39 Debian charon: 04[IKE] deleting IKE_SA h1[1] between 40.0.0.1[moon.strongswan.org]...40.0.0.2[sun.strongswan.org]
Apr 3 11:38:39 Debian charon: 04[IKE] IKE_SA deleted
Apr 3 11:38:39 Debian vpn: - sun.strongswan.org 40.0.0.2 -- 40.0.0.1
Apr 3 11:38:39 Debian charon: 04[ENC] generating INFORMATIONAL response 6 [ ]
Apr 3 11:38:39 Debian charon: 04[NET] sending packet: from 40.0.0.1[500] to 40.0.0.2[500] (80 bytes)
rm policy
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
root@Debian:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.1, Linux 4.9.30, x86_64):
uptime: 3 minutes, since Apr 03 11:35:23 2018
malloc: sbrk 2433024, mmap 0, used 284672, free 2148352
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
loaded plugins: charon sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints curve25519 pubkey gmp random nonce kernel-netlink socket-default updown stroke vici connmark
Listening IP addresses:
10.161.6.117
40.0.0.1
Connections:
h1: 40.0.0.1...40.0.0.2 IKEv1/2
h1: local: [moon.strongswan.org] uses public key authentication
h1: cert: "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
h1: remote: [sun.strongswan.org] uses public key authentication
h1: child: 40.0.0.1/32 === 40.0.0.2/32 TUNNEL
Security Associations (1 up, 0 connecting):
h1[2]: ESTABLISHED 10 seconds ago, 40.0.0.1[moon.strongswan.org]...40.0.0.2[sun.strongswan.org]
h1[2]: IKEv2 SPIs: 5e5d72a1af22e950_i 5dc564b9ef72fbf3_r*, public key reauthentication in 55 minutes
h1[2]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
root@Debian:~#
root@Debian:~#
History
#1 Updated by Tobias Brunner over 7 years ago
- Tracker changed from Issue to Bug
- Description updated (diff)
- Status changed from New to Feedback
- Priority changed from Urgent to Normal
- Target version set to 5.6.3
When used only either of the options above, setup works fine as expected.
Please consider whether you actually need to use marks, and if so, whether they have to be unique, otherwise, configure static marks or no marks at all. Also, consider whether you need reauthentication, if not, set reauth=no to use regular IKE rekeying.
If, for some reason, you actually have to use the combination of unique marks and reauthentication check the fix in the 2610-mark-unique-reauth branch.
#2 Updated by Sudheer Anumolu over 7 years ago
Thanks Tobias for response
If, for some reason, you actually have to use the combination of unique marks and reauthentication check the fix in the 2610-mark-unique-reauth branch.
I could not get the link for "2610-mark-unique-reauth " branch. Can you please share it.
Also, i added reqid=1 in ipsec.conf , along with mark=%unique and enabled make_before_break=yes.
Now am not seeing this issue during reauthentication.
Not yet sure if this could be a valid fix when used multiple tunnels.
Mark value increments and reqid is always fixed to given value.
- ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.1, Linux 4.9.30, x86_64):
uptime: 15 minutes, since Apr 04 03:27:46 2018
malloc: sbrk 2433024, mmap 0, used 294496, free 2138528
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 11
loaded plugins: charon sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints curve25519 pubkey gmp random nonce kernel-netlink socket-default updown stroke vici connmark
Listening IP addresses:
10.161.6.117
40.0.0.1
Connections:
h1: 40.0.0.1...40.0.0.2 IKEv1/2
h1: local: [moon.strongswan.org] uses public key authentication
h1: cert: "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
h1: remote: [sun.strongswan.org] uses public key authentication
h1: child: 40.0.0.1/32 === 40.0.0.2/32 TUNNEL
Security Associations (1 up, 0 connecting):
h15: ESTABLISHED 87 seconds ago, 40.0.0.1[moon.strongswan.org]...40.0.0.2[sun.strongswan.org]
h15: IKEv2 SPIs: 1be47c5038c861aa_i 145b40cdfc94b6ec_r*, public key reauthentication in 55 minutes
h15: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
h1{43}: DELETING, TUNNEL, reqid 1
h1{43}: 40.0.0.1/32 === 40.0.0.2/32
h1{44}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1125de8_i c3d4bfbf_o
h1{44}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 13 minutes
h1{44}: 40.0.0.1/32 === 40.0.0.2/32
- ip xfrm policy
src 40.0.0.1/32 dst 40.0.0.2/32
dir out priority 367231 ptype main
tmpl src 40.0.0.1 dst 40.0.0.2
proto esp spi 0xc3d4bfbf reqid 1 mode tunnel
src 40.0.0.2/32 dst 40.0.0.1/32
dir fwd priority 367231 ptype main
mark 0x5/0xffffffff
tmpl src 40.0.0.2 dst 40.0.0.1
proto esp reqid 1 mode tunnel
src 40.0.0.2/32 dst 40.0.0.1/32
dir in priority 367231 ptype main
mark 0x5/0xffffffff
tmpl src 40.0.0.2 dst 40.0.0.1
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
---------------
Can you let me know when make_before_break is not enabled, why
- reqid increments during reauth
- reqid and mark are same. (mark=%unique)
Thanks
Sudheer
#3 Updated by Tobias Brunner over 7 years ago
If, for some reason, you actually have to use the combination of unique marks and reauthentication check the fix in the 2610-mark-unique-reauth branch.
I could not get the link for "2610-mark-unique-reauth " branch. Can you please share it.
What do you mean? It's in our Git repository (or the mirror on Github).
Also, i added reqid=1 in ipsec.conf , along with mark=%unique and enabled make_before_break=yes.
Now am not seeing this issue during reauthentication.
Not yet sure if this could be a valid fix when used multiple tunnels.
Yes, that's a workaround too. But you should still consider whether you actually need the combination of these options.
#4 Updated by Sudheer Anumolu over 7 years ago
Yes, that's a workaround too. But you should still consider whether you actually need the combination of these options.
Thanks for the confirmation
Can you also let me know this details, when make_before_break is not enabled, why
- reqid increments during reauth
- reqid and mark are same. (mark=%unique)
#5 Updated by Tobias Brunner over 7 years ago
Can you also let me know this details, when make_before_break is not enabled, why
- reqid increments during reauth
- reqid and mark are same. (mark=%unique)
What do you mean?
#6 Updated by Tobias Brunner over 7 years ago
- Category set to libcharon
- Status changed from Feedback to Closed
- Assignee set to Tobias Brunner
- Resolution set to Fixed