
Issue #2730

Duplicate child SA

Added by Alexis Rapior 12 months ago. Updated 11 months ago.

Status: Feedback
Priority: Normal
Assignee: -
Category: configuration
Affected version: 5.6.3
Resolution:
Description

Hi,

Is there a way to prevent duplication on Child SA?
After days or weeks I can see that there are massive duplicates of some Child SAs. This has the consequence of blocking the traffic to certain IPs on the right subnet.

Thanks,
Alexis

History

#1 Updated by Tobias Brunner 12 months ago

  • Tracker changed from Bug to Issue
  • Status changed from New to Feedback
  • Priority changed from Urgent to Normal
  • Start date deleted (27.08.2018)

Is there a way to prevent duplication on Child SA?

Depends. There are lots of ways in which duplicate CHILD_SAs might get established. You have to analyze what exactly happens, so you may be able to avoid the source of the problem.

This has the consequence of blocking the traffic to certain IPs on the right subnet.

That should not be the result of this. Usually duplicates are just that and can both be used. Again, you'd have to analyze what exactly is going on.

#2 Updated by Alexis Rapior 12 months ago

It happens when the IKE_SA gets re-authenticated.
I've 15 CHILD_SAs attached to it and one or more get duplicated.
In this case sub-3 gets duplicated.
Below are the logs:

Aug 28 09:41:05 linux-srv charon: 16[IKE] reauthenticating IKE_SA sub-1[1]
Aug 28 09:41:05 linux-srv charon: 16[IKE] deleting IKE_SA sub-1[1] between 10.0.1.10[A.A.A.A]...B.B.B.B[B.B.B.B]
Aug 28 09:41:05 linux-srv charon: 16[IKE] sending DELETE for IKE_SA sub-1[1]
Aug 28 09:41:05 linux-srv charon: 16[ENC] generating INFORMATIONAL request 16 [ D ]
Aug 28 09:41:05 linux-srv charon: 16[NET] sending packet: from 10.0.1.10[4500] to B.B.B.B[4500] (76 bytes)
Aug 28 09:41:05 linux-srv charon: 12[NET] received packet: from B.B.B.B[4500] to 10.0.1.10[4500] (76 bytes)
Aug 28 09:41:05 linux-srv charon: 12[ENC] parsed INFORMATIONAL response 16 [ D ]
Aug 28 09:41:05 linux-srv charon: 12[IKE] IKE_SA deleted
Aug 28 09:41:05 linux-srv vpn: - B.B.B.B 10.200.21.0/24 == B.B.B.B -- 10.0.1.10 == 10.0.1.0/24
Aug 28 09:41:06 linux-srv vpn: - B.B.B.B 10.200.4.0/24 == B.B.B.B -- 10.0.1.10 == 10.0.1.0/24
Aug 28 09:41:06 linux-srv vpn: - B.B.B.B 192.168.202.0/24 == B.B.B.B -- 10.0.1.10 == 10.0.1.0/24
Aug 28 09:41:06 linux-srv vpn: - B.B.B.B 10.200.23.0/24 == B.B.B.B -- 10.0.1.10 == 10.0.1.0/24
Aug 28 09:41:06 linux-srv vpn: - B.B.B.B 10.200.13.0/24 == B.B.B.B -- 10.0.1.10 == 10.0.1.0/24
Aug 28 09:41:06 linux-srv vpn: - B.B.B.B 10.200.100.0/24 == B.B.B.B -- 10.0.1.10 == 10.0.1.0/24
Aug 28 09:41:06 linux-srv vpn: - B.B.B.B 10.200.37.0/24 == B.B.B.B -- 10.0.1.10 == 10.0.1.0/24
Aug 28 09:41:06 linux-srv vpn: - B.B.B.B 10.200.2.0/24 == B.B.B.B -- 10.0.1.10 == 10.0.1.0/24
Aug 28 09:41:06 linux-srv vpn: - B.B.B.B 10.200.12.0/24 == B.B.B.B -- 10.0.1.10 == 10.0.1.0/24
Aug 28 09:41:06 linux-srv vpn: - B.B.B.B 192.168.196.0/23 == B.B.B.B -- 10.0.1.10 == 10.0.1.0/24
Aug 28 09:41:06 linux-srv vpn: - B.B.B.B 10.200.3.0/24 == B.B.B.B -- 10.0.1.10 == 10.0.1.0/24
Aug 28 09:41:06 linux-srv vpn: - B.B.B.B 10.200.11.0/24 == B.B.B.B -- 10.0.1.10 == 10.0.1.0/24
Aug 28 09:41:06 linux-srv vpn: - B.B.B.B 10.200.1.0/24 == B.B.B.B -- 10.0.1.10 == 10.0.1.0/24
Aug 28 09:41:06 linux-srv vpn: - B.B.B.B 10.200.200.0/23 == B.B.B.B -- 10.0.1.10 == 10.0.1.0/24
Aug 28 09:41:06 linux-srv vpn: - B.B.B.B 10.200.14.0/24 == B.B.B.B -- 10.0.1.10 == 10.0.1.0/24
Aug 28 09:41:06 linux-srv charon: 12[IKE] restarting CHILD_SA sub-8
Aug 28 09:41:06 linux-srv charon: 12[IKE] initiating IKE_SA sub-1[2] to B.B.B.B
Aug 28 09:41:06 linux-srv charon: 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 28 09:41:06 linux-srv charon: 12[NET] sending packet: from 10.0.1.10[4500] to B.B.B.B[4500] (1172 bytes)
Aug 28 09:41:06 linux-srv charon: 12[IKE] restarting CHILD_SA sub-15
Aug 28 09:41:06 linux-srv charon: 12[IKE] restarting CHILD_SA sub-14
Aug 28 09:41:06 linux-srv charon: 12[IKE] restarting CHILD_SA sub-9
Aug 28 09:41:06 linux-srv charon: 12[IKE] restarting CHILD_SA sub-6
Aug 28 09:41:06 linux-srv charon: 12[IKE] restarting CHILD_SA sub-11
Aug 28 09:41:06 linux-srv charon: 12[IKE] restarting CHILD_SA sub-10
Aug 28 09:41:06 linux-srv charon: 12[IKE] restarting CHILD_SA sub-2
Aug 28 09:41:06 linux-srv charon: 12[IKE] restarting CHILD_SA sub-5
Aug 28 09:41:06 linux-srv charon: 12[IKE] restarting CHILD_SA sub-12
Aug 28 09:41:06 linux-srv charon: 12[IKE] restarting CHILD_SA sub-3
Aug 28 09:41:06 linux-srv charon: 12[IKE] restarting CHILD_SA sub-4
Aug 28 09:41:06 linux-srv charon: 12[IKE] restarting CHILD_SA sub-1
Aug 28 09:41:06 linux-srv charon: 12[IKE] restarting CHILD_SA sub-13
Aug 28 09:41:06 linux-srv charon: 12[IKE] restarting CHILD_SA sub-7
Aug 28 09:41:06 linux-srv charon: 05[NET] received packet: from B.B.B.B[4500] to 10.0.1.10[4500] (457 bytes)
Aug 28 09:41:06 linux-srv strongswan: 14[NET] sending packet: from 10.0.1.10[4500] to B.B.B.B[4500] (76 bytes)
Aug 28 09:41:06 linux-srv strongswan: 13[NET] received packet: from B.B.B.B[4500] to 10.0.1.10[4500] (76 bytes)
Aug 28 09:41:06 linux-srv strongswan: 13[ENC] parsed INFORMATIONAL request 8697 [ ]
Aug 28 09:41:06 linux-srv strongswan: 13[ENC] generating INFORMATIONAL response 8697 [ ]
Aug 28 09:41:06 linux-srv strongswan: 13[NET] sending packet: from 10.0.1.10[4500] to B.B.B.B[4500] (76 bytes)
Aug 28 09:41:06 linux-srv strongswan: 07[NET] received packet: from B.B.B.B[4500] to 10.0.1.10[4500] (76 bytes)
Aug 28 09:41:06 linux-srv strongswan: 07[ENC] parsed INFORMATIONAL request 8698 [ ]
Aug 28 09:41:06 linux-srv strongswan: 07[ENC] generating INFORMATIONAL response 8698 [ ]
Aug 28 09:41:06 linux-srv strongswan: 07[NET] sending packet: from 10.0.1.10[4500] to B.B.B.B[4500] (76 bytes)
Aug 28 09:41:06 linux-srv strongswan: 12[NET] received packet: from B.B.B.B[4500] to 10.0.1.10[4500] (76 bytes)
Aug 28 09:41:06 linux-srv strongswan: 12[ENC] parsed INFORMATIONAL request 8699 [ ]
Aug 28 09:41:06 linux-srv strongswan: 12[ENC] generating INFORMATIONAL response 8699 [ ]
Aug 28 09:41:06 linux-srv strongswan: 12[NET] sending packet: from 10.0.1.10[4500] to B.B.B.B[4500] (76 bytes)
Aug 28 09:41:06 linux-srv strongswan: 13[NET] received packet: from B.B.B.B[4500] to 10.0.1.10[4500] (76 bytes)
Aug 28 09:41:06 linux-srv strongswan: 13[ENC] parsed INFORMATIONAL request 8700 [ ]
Aug 28 09:41:06 linux-srv strongswan: 13[ENC] generating INFORMATIONAL response 8700 [ ]
Aug 28 09:41:06 linux-srv strongswan: 13[NET] sending packet: from 10.0.1.10[4500] to B.B.B.B[4500] (76 bytes)
Aug 28 09:41:06 linux-srv strongswan: 15[NET] received packet: from B.B.B.B[4500] to 10.0.1.10[4500] (76 bytes)
Aug 28 09:41:06 linux-srv strongswan: 15[ENC] parsed INFORMATIONAL request 8701 [ ]
Aug 28 09:41:06 linux-srv strongswan: 15[ENC] generating INFORMATIONAL response 8701 [ ]
Aug 28 09:41:06 linux-srv strongswan: 15[NET] sending packet: from 10.0.1.10[4500] to B.B.B.B[4500] (76 bytes)
Aug 28 09:41:06 linux-srv strongswan: 14[NET] received packet: from B.B.B.B[4500] to 10.0.1.10[4500] (76 bytes)
Aug 28 09:41:06 linux-srv strongswan: 14[ENC] parsed INFORMATIONAL request 8702 [ ]
Aug 28 09:41:06 linux-srv strongswan: 14[ENC] generating INFORMATIONAL response 8702 [ ]
Aug 28 09:41:06 linux-srv strongswan: 14[NET] sending packet: from 10.0.1.10[4500] to B.B.B.B[4500] (76 bytes)
Aug 28 09:41:06 linux-srv strongswan: 13[NET] received packet: from B.B.B.B[4500] to 10.0.1.10[4500] (76 bytes)
Aug 28 09:41:06 linux-srv strongswan: 13[ENC] parsed INFORMATIONAL request 8703 [ ]
Aug 28 09:41:06 linux-srv strongswan: 13[ENC] generating INFORMATIONAL response 8703 [ ]
Aug 28 09:41:06 linux-srv strongswan: 13[NET] sending packet: from 10.0.1.10[4500] to B.B.B.B[4500] (76 bytes)
Aug 28 09:41:06 linux-srv strongswan: 07[NET] received packet: from B.B.B.B[4500] to 10.0.1.10[4500] (76 bytes)
Aug 28 09:41:06 linux-srv strongswan: 07[ENC] parsed INFORMATIONAL request 8704 [ ]
Aug 28 09:41:06 linux-srv charon: 05[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V V N(NATD_S_IP) N(NATD_D_IP) V ]
Aug 28 09:41:06 linux-srv strongswan: 07[ENC] generating INFORMATIONAL response 8704 [ ]
Aug 28 09:41:06 linux-srv strongswan: 07[NET] sending packet: from 10.0.1.10[4500] to B.B.B.B[4500] (76 bytes)
Aug 28 09:41:06 linux-srv strongswan: 16[IKE] reauthenticating IKE_SA sub-1[1]
Aug 28 09:41:06 linux-srv strongswan: 16[IKE] deleting IKE_SA sub-1[1] between 10.0.1.10[A.A.A.A]...B.B.B.B[B.B.B.B]
Aug 28 09:41:06 linux-srv strongswan: 16[IKE] sending DELETE for IKE_SA sub-1[1]
Aug 28 09:41:06 linux-srv strongswan: 16[ENC] generating INFORMATIONAL request 16 [ D ]
Aug 28 09:41:06 linux-srv strongswan: 16[NET] sending packet: from 10.0.1.10[4500] to B.B.B.B[4500] (76 bytes)
Aug 28 09:41:06 linux-srv strongswan: 12[NET] received packet: from B.B.B.B[4500] to 10.0.1.10[4500] (76 bytes)
Aug 28 09:41:06 linux-srv strongswan: 12[ENC] parsed INFORMATIONAL response 16 [ D ]
Aug 28 09:41:06 linux-srv strongswan: 12[IKE] IKE_SA deleted
Aug 28 09:41:06 linux-srv strongswan: 12[IKE] restarting CHILD_SA sub-8
Aug 28 09:41:06 linux-srv strongswan: 12[IKE] initiating IKE_SA sub-1[2] to B.B.B.B
Aug 28 09:41:06 linux-srv strongswan: 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 28 09:41:06 linux-srv strongswan: 12[NET] sending packet: from 10.0.1.10[4500] to B.B.B.B[4500] (1172 bytes)
Aug 28 09:41:06 linux-srv strongswan: 12[IKE] restarting CHILD_SA sub-15
Aug 28 09:41:06 linux-srv strongswan: 12[IKE] restarting CHILD_SA sub-14
Aug 28 09:41:06 linux-srv strongswan: 12[IKE] restarting CHILD_SA sub-9
Aug 28 09:41:06 linux-srv strongswan: 12[IKE] restarting CHILD_SA sub-6
Aug 28 09:41:06 linux-srv strongswan: 12[IKE] restarting CHILD_SA sub-11
Aug 28 09:41:06 linux-srv strongswan: 12[IKE] restarting CHILD_SA sub-10
Aug 28 09:41:06 linux-srv strongswan: 12[IKE] restarting CHILD_SA sub-2
Aug 28 09:41:06 linux-srv strongswan: 12[IKE] restarting CHILD_SA sub-5
Aug 28 09:41:06 linux-srv strongswan: 12[IKE] restarting CHILD_SA sub-12
Aug 28 09:41:06 linux-srv strongswan: 12[IKE] restarting CHILD_SA sub-3
Aug 28 09:41:06 linux-srv strongswan: 12[IKE] restarting CHILD_SA sub-4
Aug 28 09:41:06 linux-srv strongswan: 12[IKE] restarting CHILD_SA sub-1
Aug 28 09:41:06 linux-srv strongswan: 12[IKE] restarting CHILD_SA sub-13
Aug 28 09:41:06 linux-srv strongswan: 12[IKE] restarting CHILD_SA sub-7
Aug 28 09:41:06 linux-srv strongswan: 05[NET] received packet: from B.B.B.B[4500] to 10.0.1.10[4500] (457 bytes)
Aug 28 09:41:06 linux-srv strongswan: 05[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V V N(NATD_S_IP) N(NATD_D_IP) V ]
Aug 28 09:41:06 linux-srv strongswan: 05[IKE] received Cisco Delete Reason vendor ID
Aug 28 09:41:06 linux-srv strongswan: 05[IKE] received Cisco Copyright (c) 2009 vendor ID
Aug 28 09:41:06 linux-srv strongswan: 05[ENC] received unknown vendor ID: XXX
Aug 28 09:41:06 linux-srv strongswan: 05[IKE] received FRAGMENTATION vendor ID
Aug 28 09:41:06 linux-srv strongswan: 05[IKE] local host is behind NAT, sending keep alives
Aug 28 09:41:06 linux-srv strongswan: 05[IKE] remote host is behind NAT
Aug 28 09:41:06 linux-srv strongswan: 05[IKE] authentication of 'A.A.A.A' (myself) with pre-shared key
Aug 28 09:41:06 linux-srv charon: 05[IKE] received Cisco Delete Reason vendor ID
Aug 28 09:41:06 linux-srv strongswan: 05[IKE] establishing CHILD_SA sub-8{61} reqid 8
Aug 28 09:41:06 linux-srv charon: 05[IKE] received Cisco Copyright (c) 2009 vendor ID
Aug 28 09:41:06 linux-srv charon: 05[ENC] received unknown vendor ID: XXX
Aug 28 09:41:06 linux-srv charon: 05[IKE] received FRAGMENTATION vendor ID
Aug 28 09:41:06 linux-srv charon: 05[IKE] local host is behind NAT, sending keep alives
Aug 28 09:41:06 linux-srv charon: 05[IKE] remote host is behind NAT
Aug 28 09:41:06 linux-srv charon: 05[IKE] authentication of 'A.A.A.A' (myself) with pre-shared key
Aug 28 09:41:06 linux-srv charon: 05[IKE] establishing CHILD_SA sub-8{61} reqid 8
Aug 28 09:41:06 linux-srv charon: 05[ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Aug 28 09:41:06 linux-srv charon: 05[NET] sending packet: from 10.0.1.10[4500] to B.B.B.B[4500] (332 bytes)
Aug 28 09:41:06 linux-srv charon: 08[NET] received packet: from B.B.B.B[4500] to 10.0.1.10[4500] (252 bytes)
Aug 28 09:41:06 linux-srv charon: 08[ENC] parsed IKE_AUTH response 1 [ V IDr AUTH SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
Aug 28 09:41:06 linux-srv charon: 08[IKE] authentication of 'B.B.B.B' with pre-shared key successful
Aug 28 09:41:06 linux-srv charon: 08[IKE] IKE_SA sub-1[2] established between 10.0.1.10[A.A.A.A]...B.B.B.B[B.B.B.B]
Aug 28 09:41:06 linux-srv charon: 08[IKE] scheduling reauthentication in 86072s
Aug 28 09:41:06 linux-srv charon: 08[IKE] maximum IKE_SA lifetime 86252s
Aug 28 09:41:06 linux-srv charon: 08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Aug 28 09:41:06 linux-srv charon: 08[IKE] CHILD_SA sub-8{61} established with SPIs cd8d0370_i 6c2ac70c_o and TS 10.0.1.0/24 === 10.200.21.0/24
Aug 28 09:41:06 linux-srv vpn: + B.B.B.B 10.200.21.0/24 == B.B.B.B -- 10.0.1.10 == 10.0.1.0/24
Aug 28 09:41:06 linux-srv charon: 08[IKE] establishing CHILD_SA sub-15{62} reqid 15
Aug 28 09:41:06 linux-srv charon: 08[ENC] generating CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]
Aug 28 09:41:06 linux-srv charon: 08[NET] sending packet: from 10.0.1.10[4500] to B.B.B.B[4500] (444 bytes)
Aug 28 09:41:06 linux-srv charon: 10[NET] received packet: from B.B.B.B[4500] to 10.0.1.10[4500] (380 bytes)
Aug 28 09:41:06 linux-srv charon: 10[ENC] parsed CREATE_CHILD_SA response 2 [ SA No KE TSi TSr ]
Aug 28 09:41:06 linux-srv charon: 10[IKE] CHILD_SA sub-15{62} established with SPIs c88aa204_i 8417ada4_o and TS 10.0.1.0/24 === 10.200.4.0/24
Aug 28 09:41:06 linux-srv vpn: + B.B.B.B 10.200.4.0/24 == B.B.B.B -- 10.0.1.10 == 10.0.1.0/24
Aug 28 09:41:06 linux-srv charon: 10[IKE] establishing CHILD_SA sub-14{63} reqid 14
Aug 28 09:41:06 linux-srv charon: 10[ENC] generating CREATE_CHILD_SA request 3 [ SA No KE TSi TSr ]
Aug 28 09:41:06 linux-srv charon: 10[NET] sending packet: from 10.0.1.10[4500] to B.B.B.B[4500] (444 bytes)
Aug 28 09:41:06 linux-srv charon: 07[NET] received packet: from B.B.B.B[4500] to 10.0.1.10[4500] (380 bytes)
Aug 28 09:41:06 linux-srv charon: 07[ENC] parsed CREATE_CHILD_SA response 3 [ SA No KE TSi TSr ]
Aug 28 09:41:06 linux-srv charon: 07[IKE] CHILD_SA sub-14{63} established with SPIs ca3b95ad_i 2ec71bf7_o and TS 10.0.1.0/24 === 192.168.202.0/24
Aug 28 09:41:06 linux-srv vpn: + B.B.B.B 192.168.202.0/24 == B.B.B.B -- 10.0.1.10 == 10.0.1.0/24
Aug 28 09:41:06 linux-srv charon: 07[IKE] establishing CHILD_SA sub-9{64} reqid 9
Aug 28 09:41:06 linux-srv charon: 07[ENC] generating CREATE_CHILD_SA request 4 [ SA No KE TSi TSr ]
Aug 28 09:41:06 linux-srv charon: 07[NET] sending packet: from 10.0.1.10[4500] to B.B.B.B[4500] (444 bytes)
Aug 28 09:41:06 linux-srv charon: 14[NET] received packet: from B.B.B.B[4500] to 10.0.1.10[4500] (380 bytes)
Aug 28 09:41:06 linux-srv charon: 14[ENC] parsed CREATE_CHILD_SA response 4 [ SA No KE TSi TSr ]
Aug 28 09:41:06 linux-srv charon: 14[IKE] CHILD_SA sub-9{64} established with SPIs ca91697b_i d7563735_o and TS 10.0.1.0/24 === 10.200.23.0/24
Aug 28 09:41:06 linux-srv vpn: + B.B.B.B 10.200.23.0/24 == B.B.B.B -- 10.0.1.10 == 10.0.1.0/24
Aug 28 09:41:06 linux-srv charon: 14[IKE] establishing CHILD_SA sub-6{65} reqid 6
Aug 28 09:41:06 linux-srv charon: 14[ENC] generating CREATE_CHILD_SA request 5 [ SA No KE TSi TSr ]
Aug 28 09:41:06 linux-srv charon: 14[NET] sending packet: from 10.0.1.10[4500] to B.B.B.B[4500] (444 bytes)
Aug 28 09:41:06 linux-srv charon: 06[NET] received packet: from B.B.B.B[4500] to 10.0.1.10[4500] (684 bytes)
Aug 28 09:41:06 linux-srv charon: 06[ENC] parsed CREATE_CHILD_SA request 0 [ SA No KE TSi TSr ]
Aug 28 09:41:06 linux-srv charon: 06[IKE] CHILD_SA sub-3{66} established with SPIs c7cee977_i 3db8adaa_o and TS 10.0.1.0/24 === 10.200.3.0/24
Aug 28 09:41:06 linux-srv vpn: + B.B.B.B 10.200.3.0/24 == B.B.B.B -- 10.0.1.10 == 10.0.1.0/24
Aug 28 09:41:06 linux-srv charon: 06[ENC] generating CREATE_CHILD_SA response 0 [ SA No KE TSi TSr ]
Aug 28 09:41:06 linux-srv charon: 06[NET] sending packet: from 10.0.1.10[4500] to B.B.B.B[4500] (348 bytes)
Aug 28 09:41:06 linux-srv charon: 15[NET] received packet: from B.B.B.B[4500] to 10.0.1.10[4500] (380 bytes)
Aug 28 09:41:06 linux-srv charon: 15[ENC] parsed CREATE_CHILD_SA response 5 [ SA No KE TSi TSr ]
Aug 28 09:41:06 linux-srv charon: 15[IKE] CHILD_SA sub-6{65} established with SPIs c1666079_i f60de791_o and TS 10.0.1.0/24 === 10.200.13.0/24
Aug 28 09:41:06 linux-srv vpn: + B.B.B.B 10.200.13.0/24 == B.B.B.B -- 10.0.1.10 == 10.0.1.0/24
Aug 28 09:41:06 linux-srv charon: 15[IKE] establishing CHILD_SA sub-11{67} reqid 11
Aug 28 09:41:06 linux-srv charon: 15[ENC] generating CREATE_CHILD_SA request 6 [ SA No KE TSi TSr ]
Aug 28 09:41:06 linux-srv charon: 15[NET] sending packet: from 10.0.1.10[4500] to B.B.B.B[4500] (444 bytes)
Aug 28 09:41:06 linux-srv charon: 09[NET] received packet: from B.B.B.B[4500] to 10.0.1.10[4500] (380 bytes)
Aug 28 09:41:06 linux-srv charon: 09[ENC] parsed CREATE_CHILD_SA response 6 [ SA No KE TSi TSr ]
Aug 28 09:41:06 linux-srv charon: 09[IKE] CHILD_SA sub-11{67} established with SPIs caf231a5_i c33c0411_o and TS 10.0.1.0/24 === 10.200.100.0/24
Aug 28 09:41:06 linux-srv vpn: + B.B.B.B 10.200.100.0/24 == B.B.B.B -- 10.0.1.10 == 10.0.1.0/24
Aug 28 09:41:06 linux-srv charon: 09[IKE] establishing CHILD_SA sub-10{68} reqid 10
Aug 28 09:41:06 linux-srv charon: 09[ENC] generating CREATE_CHILD_SA request 7 [ SA No KE TSi TSr ]
Aug 28 09:41:06 linux-srv charon: 09[NET] sending packet: from 10.0.1.10[4500] to B.B.B.B[4500] (444 bytes)
Aug 28 09:41:06 linux-srv charon: 11[NET] received packet: from B.B.B.B[4500] to 10.0.1.10[4500] (380 bytes)
Aug 28 09:41:06 linux-srv charon: 11[ENC] parsed CREATE_CHILD_SA response 7 [ SA No KE TSi TSr ]
Aug 28 09:41:06 linux-srv charon: 11[IKE] CHILD_SA sub-10{68} established with SPIs ca9b6f7c_i 18a35942_o and TS 10.0.1.0/24 === 10.200.37.0/24
Aug 28 09:41:06 linux-srv vpn: + B.B.B.B 10.200.37.0/24 == B.B.B.B -- 10.0.1.10 == 10.0.1.0/24
Aug 28 09:41:06 linux-srv charon: 11[IKE] establishing CHILD_SA sub-2{69} reqid 2
Aug 28 09:41:06 linux-srv strongswan: 05[ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Aug 28 09:41:06 linux-srv strongswan: 05[NET] sending packet: from 10.0.1.10[4500] to B.B.B.B[4500] (332 bytes)
Aug 28 09:41:06 linux-srv strongswan: 08[NET] received packet: from B.B.B.B[4500] to 10.0.1.10[4500] (252 bytes)
Aug 28 09:41:06 linux-srv strongswan: 08[ENC] parsed IKE_AUTH response 1 [ V IDr AUTH SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
Aug 28 09:41:06 linux-srv strongswan: 08[IKE] authentication of 'B.B.B.B' with pre-shared key successful
Aug 28 09:41:06 linux-srv strongswan: 08[IKE] IKE_SA sub-1[2] established between 10.0.1.10[A.A.A.A]...B.B.B.B[B.B.B.B]
Aug 28 09:41:06 linux-srv strongswan: 08[IKE] scheduling reauthentication in 86072s
Aug 28 09:41:06 linux-srv strongswan: 08[IKE] maximum IKE_SA lifetime 86252s
Aug 28 09:41:06 linux-srv strongswan: 08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Aug 28 09:41:06 linux-srv strongswan: 08[IKE] CHILD_SA sub-8{61} established with SPIs cd8d0370_i 6c2ac70c_o and TS 10.0.1.0/24 === 10.200.21.0/24
Aug 28 09:41:06 linux-srv strongswan: 08[IKE] establishing CHILD_SA sub-15{62} reqid 15
Aug 28 09:41:06 linux-srv strongswan: 08[ENC] generating CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]
Aug 28 09:41:06 linux-srv strongswan: 08[NET] sending packet: from 10.0.1.10[4500] to B.B.B.B[4500] (444 bytes)
Aug 28 09:41:06 linux-srv strongswan: 10[NET] received packet: from B.B.B.B[4500] to 10.0.1.10[4500] (380 bytes)
Aug 28 09:41:06 linux-srv strongswan: 10[ENC] parsed CREATE_CHILD_SA response 2 [ SA No KE TSi TSr ]
Aug 28 09:41:06 linux-srv strongswan: 10[IKE] CHILD_SA sub-15{62} established with SPIs c88aa204_i 8417ada4_o and TS 10.0.1.0/24 === 10.200.4.0/24
Aug 28 09:41:06 linux-srv strongswan: 10[IKE] establishing CHILD_SA sub-14{63} reqid 14
Aug 28 09:41:06 linux-srv strongswan: 10[ENC] generating CREATE_CHILD_SA request 3 [ SA No KE TSi TSr ]
Aug 28 09:41:06 linux-srv strongswan: 10[NET] sending packet: from 10.0.1.10[4500] to B.B.B.B[4500] (444 bytes)
Aug 28 09:41:06 linux-srv strongswan: 07[NET] received packet: from B.B.B.B[4500] to 10.0.1.10[4500] (380 bytes)
Aug 28 09:41:06 linux-srv strongswan: 07[ENC] parsed CREATE_CHILD_SA response 3 [ SA No KE TSi TSr ]
Aug 28 09:41:06 linux-srv strongswan: 07[IKE] CHILD_SA sub-14{63} established with SPIs ca3b95ad_i 2ec71bf7_o and TS 10.0.1.0/24 === 192.168.202.0/24
Aug 28 09:41:06 linux-srv strongswan: 07[IKE] establishing CHILD_SA sub-9{64} reqid 9
Aug 28 09:41:06 linux-srv strongswan: 07[ENC] generating CREATE_CHILD_SA request 4 [ SA No KE TSi TSr ]
Aug 28 09:41:06 linux-srv strongswan: 07[NET] sending packet: from 10.0.1.10[4500] to B.B.B.B[4500] (444 bytes)
Aug 28 09:41:06 linux-srv strongswan: 14[NET] received packet: from B.B.B.B[4500] to 10.0.1.10[4500] (380 bytes)
Aug 28 09:41:06 linux-srv strongswan: 14[ENC] parsed CREATE_CHILD_SA response 4 [ SA No KE TSi TSr ]
Aug 28 09:41:06 linux-srv strongswan: 14[IKE] CHILD_SA sub-9{64} established with SPIs ca91697b_i d7563735_o and TS 10.0.1.0/24 === 10.200.23.0/24
Aug 28 09:41:06 linux-srv strongswan: 14[IKE] establishing CHILD_SA sub-6{65} reqid 6
Aug 28 09:41:06 linux-srv strongswan: 14[ENC] generating CREATE_CHILD_SA request 5 [ SA No KE TSi TSr ]
Aug 28 09:41:06 linux-srv strongswan: 14[NET] sending packet: from 10.0.1.10[4500] to B.B.B.B[4500] (444 bytes)
Aug 28 09:41:06 linux-srv strongswan: 06[NET] received packet: from B.B.B.B[4500] to 10.0.1.10[4500] (684 bytes)
Aug 28 09:41:06 linux-srv strongswan: 06[ENC] parsed CREATE_CHILD_SA request 0 [ SA No KE TSi TSr ]
Aug 28 09:41:06 linux-srv strongswan: 06[IKE] CHILD_SA sub-3{66} established with SPIs c7cee977_i 3db8adaa_o and TS 10.0.1.0/24 === 10.200.3.0/24
Aug 28 09:41:06 linux-srv strongswan: 06[ENC] generating CREATE_CHILD_SA response 0 [ SA No KE TSi TSr ]
Aug 28 09:41:06 linux-srv strongswan: 06[NET] sending packet: from 10.0.1.10[4500] to B.B.B.B[4500] (348 bytes)
Aug 28 09:41:06 linux-srv strongswan: 15[NET] received packet: from B.B.B.B[4500] to 10.0.1.10[4500] (380 bytes)
Aug 28 09:41:06 linux-srv strongswan: 15[ENC] parsed CREATE_CHILD_SA response 5 [ SA No KE TSi TSr ]
Aug 28 09:41:06 linux-srv strongswan: 15[IKE] CHILD_SA sub-6{65} established with SPIs c1666079_i f60de791_o and TS 10.0.1.0/24 === 10.200.13.0/24
Aug 28 09:41:06 linux-srv strongswan: 15[IKE] establishing CHILD_SA sub-11{67} reqid 11
Aug 28 09:41:06 linux-srv strongswan: 15[ENC] generating CREATE_CHILD_SA request 6 [ SA No KE TSi TSr ]
Aug 28 09:41:07 linux-srv strongswan: 15[NET] sending packet: from 10.0.1.10[4500] to B.B.B.B[4500] (444 bytes)
Aug 28 09:41:07 linux-srv strongswan: 09[NET] received packet: from B.B.B.B[4500] to 10.0.1.10[4500] (380 bytes)
Aug 28 09:41:07 linux-srv strongswan: 09[ENC] parsed CREATE_CHILD_SA response 6 [ SA No KE TSi TSr ]
Aug 28 09:41:07 linux-srv strongswan: 09[IKE] CHILD_SA sub-11{67} established with SPIs caf231a5_i c33c0411_o and TS 10.0.1.0/24 === 10.200.100.0/24
Aug 28 09:41:07 linux-srv strongswan: 09[IKE] establishing CHILD_SA sub-10{68} reqid 10
Aug 28 09:41:07 linux-srv strongswan: 09[ENC] generating CREATE_CHILD_SA request 7 [ SA No KE TSi TSr ]
Aug 28 09:41:07 linux-srv strongswan: 09[NET] sending packet: from 10.0.1.10[4500] to B.B.B.B[4500] (444 bytes)
Aug 28 09:41:07 linux-srv strongswan: 11[NET] received packet: from B.B.B.B[4500] to 10.0.1.10[4500] (380 bytes)
Aug 28 09:41:07 linux-srv strongswan: 11[ENC] parsed CREATE_CHILD_SA response 7 [ SA No KE TSi TSr ]
Aug 28 09:41:07 linux-srv charon: 11[ENC] generating CREATE_CHILD_SA request 8 [ SA No KE TSi TSr ]
Aug 28 09:41:07 linux-srv strongswan: 11[IKE] CHILD_SA sub-10{68} established with SPIs ca9b6f7c_i 18a35942_o and TS 10.0.1.0/24 === 10.200.37.0/24
Aug 28 09:41:07 linux-srv strongswan: 11[IKE] establishing CHILD_SA sub-2{69} reqid 2
Aug 28 09:41:07 linux-srv charon: 11[NET] sending packet: from 10.0.1.10[4500] to B.B.B.B[4500] (444 bytes)
Aug 28 09:41:07 linux-srv charon: 16[NET] received packet: from B.B.B.B[4500] to 10.0.1.10[4500] (380 bytes)
Aug 28 09:41:07 linux-srv charon: 16[ENC] parsed CREATE_CHILD_SA response 8 [ SA No KE TSi TSr ]
Aug 28 09:41:07 linux-srv charon: 16[IKE] CHILD_SA sub-2{69} established with SPIs cecf7f17_i 737517ad_o and TS 10.0.1.0/24 === 10.200.2.0/24
Aug 28 09:41:07 linux-srv vpn: + B.B.B.B 10.200.2.0/24 == B.B.B.B -- 10.0.1.10 == 10.0.1.0/24
Aug 28 09:41:07 linux-srv charon: 16[IKE] establishing CHILD_SA sub-5{70} reqid 5
Aug 28 09:41:07 linux-srv charon: 16[ENC] generating CREATE_CHILD_SA request 9 [ SA No KE TSi TSr ]
Aug 28 09:41:07 linux-srv charon: 16[NET] sending packet: from 10.0.1.10[4500] to B.B.B.B[4500] (444 bytes)
Aug 28 09:41:07 linux-srv charon: 13[NET] received packet: from B.B.B.B[4500] to 10.0.1.10[4500] (380 bytes)
Aug 28 09:41:07 linux-srv charon: 13[ENC] parsed CREATE_CHILD_SA response 9 [ SA No KE TSi TSr ]
Aug 28 09:41:07 linux-srv charon: 13[IKE] CHILD_SA sub-5{70} established with SPIs c8c952a9_i 3323cec5_o and TS 10.0.1.0/24 === 10.200.12.0/24
Aug 28 09:41:07 linux-srv vpn: + B.B.B.B 10.200.12.0/24 == B.B.B.B -- 10.0.1.10 == 10.0.1.0/24
Aug 28 09:41:07 linux-srv charon: 13[IKE] establishing CHILD_SA sub-12{71} reqid 12
Aug 28 09:41:07 linux-srv charon: 13[ENC] generating CREATE_CHILD_SA request 10 [ SA No KE TSi TSr ]
Aug 28 09:41:07 linux-srv charon: 13[NET] sending packet: from 10.0.1.10[4500] to B.B.B.B[4500] (444 bytes)
Aug 28 09:41:07 linux-srv charon: 12[NET] received packet: from B.B.B.B[4500] to 10.0.1.10[4500] (380 bytes)
Aug 28 09:41:07 linux-srv charon: 12[ENC] parsed CREATE_CHILD_SA response 10 [ SA No KE TSi TSr ]
Aug 28 09:41:07 linux-srv charon: 12[IKE] CHILD_SA sub-12{71} established with SPIs c3b336b2_i 287af89e_o and TS 10.0.1.0/24 === 192.168.196.0/23
Aug 28 09:41:07 linux-srv vpn: + B.B.B.B 192.168.196.0/23 == B.B.B.B -- 10.0.1.10 == 10.0.1.0/24
Aug 28 09:41:07 linux-srv charon: 12[IKE] establishing CHILD_SA sub-3{72} reqid 3
Aug 28 09:41:07 linux-srv charon: 12[ENC] generating CREATE_CHILD_SA request 11 [ SA No KE TSi TSr ]
Aug 28 09:41:07 linux-srv charon: 12[NET] sending packet: from 10.0.1.10[4500] to B.B.B.B[4500] (444 bytes)
Aug 28 09:41:07 linux-srv charon: 05[NET] received packet: from B.B.B.B[4500] to 10.0.1.10[4500] (380 bytes)
Aug 28 09:41:07 linux-srv charon: 05[ENC] parsed CREATE_CHILD_SA response 11 [ SA No KE TSi TSr ]
Aug 28 09:41:07 linux-srv charon: 05[IKE] CHILD_SA sub-3{72} established with SPIs c32bdcfa_i b78fea52_o and TS 10.0.1.0/24 === 10.200.3.0/24
Aug 28 09:41:07 linux-srv vpn: + B.B.B.B 10.200.3.0/24 == B.B.B.B -- 10.0.1.10 == 10.0.1.0/24
Aug 28 09:41:07 linux-srv charon: 05[IKE] establishing CHILD_SA sub-4{73} reqid 4
Aug 28 09:41:07 linux-srv charon: 05[ENC] generating CREATE_CHILD_SA request 12 [ SA No KE TSi TSr ]
Aug 28 09:41:07 linux-srv charon: 05[NET] sending packet: from 10.0.1.10[4500] to B.B.B.B[4500] (444 bytes)
Aug 28 09:41:07 linux-srv charon: 15[NET] received packet: from B.B.B.B[4500] to 10.0.1.10[4500] (380 bytes)
Aug 28 09:41:07 linux-srv charon: 15[ENC] parsed CREATE_CHILD_SA response 12 [ SA No KE TSi TSr ]
Aug 28 09:41:07 linux-srv charon: 15[IKE] CHILD_SA sub-4{73} established with SPIs c636a173_i cb661b90_o and TS 10.0.1.0/24 === 10.200.11.0/24
Aug 28 09:41:07 linux-srv vpn: + B.B.B.B 10.200.11.0/24 == B.B.B.B -- 10.0.1.10 == 10.0.1.0/24
Aug 28 09:41:07 linux-srv charon: 15[IKE] establishing CHILD_SA sub-1{74} reqid 1
Aug 28 09:41:07 linux-srv charon: 15[ENC] generating CREATE_CHILD_SA request 13 [ SA No KE TSi TSr ]
Aug 28 09:41:07 linux-srv charon: 15[NET] sending packet: from 10.0.1.10[4500] to B.B.B.B[4500] (444 bytes)
Aug 28 09:41:07 linux-srv charon: 09[NET] received packet: from B.B.B.B[4500] to 10.0.1.10[4500] (380 bytes)
Aug 28 09:41:07 linux-srv charon: 09[ENC] parsed CREATE_CHILD_SA response 13 [ SA No KE TSi TSr ]
Aug 28 09:41:07 linux-srv charon: 09[IKE] CHILD_SA sub-1{74} established with SPIs c1bcbaef_i 27268edd_o and TS 10.0.1.0/24 === 10.200.1.0/24
Aug 28 09:41:07 linux-srv vpn: + B.B.B.B 10.200.1.0/24 == B.B.B.B -- 10.0.1.10 == 10.0.1.0/24
Aug 28 09:41:07 linux-srv charon: 09[IKE] establishing CHILD_SA sub-13{75} reqid 13
Aug 28 09:41:07 linux-srv charon: 09[ENC] generating CREATE_CHILD_SA request 14 [ SA No KE TSi TSr ]
Aug 28 09:41:07 linux-srv charon: 09[NET] sending packet: from 10.0.1.10[4500] to B.B.B.B[4500] (444 bytes)
Aug 28 09:41:07 linux-srv charon: 11[NET] received packet: from B.B.B.B[4500] to 10.0.1.10[4500] (380 bytes)
Aug 28 09:41:07 linux-srv charon: 11[ENC] parsed CREATE_CHILD_SA response 14 [ SA No KE TSi TSr ]
Aug 28 09:41:07 linux-srv charon: 11[IKE] CHILD_SA sub-13{75} established with SPIs c1f2ee4f_i cdf01df4_o and TS 10.0.1.0/24 === 10.200.200.0/23
Aug 28 09:41:07 linux-srv vpn: + B.B.B.B 10.200.200.0/23 == B.B.B.B -- 10.0.1.10 == 10.0.1.0/24
Aug 28 09:41:07 linux-srv charon: 11[IKE] establishing CHILD_SA sub-7{76} reqid 7
Aug 28 09:41:07 linux-srv charon: 11[ENC] generating CREATE_CHILD_SA request 15 [ SA No KE TSi TSr ]
Aug 28 09:41:07 linux-srv charon: 11[NET] sending packet: from 10.0.1.10[4500] to B.B.B.B[4500] (444 bytes)
Aug 28 09:41:07 linux-srv charon: 16[NET] received packet: from B.B.B.B[4500] to 10.0.1.10[4500] (380 bytes)
Aug 28 09:41:07 linux-srv charon: 16[ENC] parsed CREATE_CHILD_SA response 15 [ SA No KE TSi TSr ]
Aug 28 09:41:07 linux-srv charon: 16[IKE] CHILD_SA sub-7{76} established with SPIs c1c5028a_i 252a6cb7_o and TS 10.0.1.0/24 === 10.200.14.0/24
Aug 28 09:41:07 linux-srv vpn: + B.B.B.B 10.200.14.0/24 == B.B.B.B -- 10.0.1.10 == 10.0.1.0/24

#3 Updated by Alexis Rapior 12 months ago

So how to prevent this? Is there a way?
Maybe monitor the connected CHILD_SAs every 30 seconds and terminate one of the duplicates using: swanctl -t -C <child_id>? But which one to terminate, the oldest or the newest?

#4 Updated by Tobias Brunner 12 months ago

  • Category changed from charon to configuration

That's a known problem if you combine break-before-make reauthentication with trap policies. There is a short time after the old SA has been terminated and while the new one is established during which no SA is installed in the kernel. But since the trap policies are still installed, new acquires might get triggered by the kernel if there happens to be matching traffic at that time, which will create an additional CHILD_SA (which in turn gets recreated during the next reauthentication). To avoid that, either use make-before-break reauthentication (creates the new IKE and CHILD_SAs overlapping) or just use IKE_SA rekeying to replace the keying material without any interruption at all. For more details, refer to ExpiryRekey.
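As an added example that is not part of this thread and not strongSwan's own tooling: the monitoring idea floated in #3 can at least start as a detector over the charon log, flagging a connection whose traffic selector pair shows up under two different unique IDs (the sub-3{66} / sub-3{72} case that #4 explains as an acquire racing the reauthentication). The sample lines below are a constructed subset of the log quoted in #2, and the function names are my own. It only reports; it deliberately terminates nothing, since the fix the thread settles on is make-before-break or rekeying rather than cleanup.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the charon lines quoted in comment #2,
# reduced to the CHILD_SA messages around the reauthentication of sub-1.
SAMPLE_LOG = """\
Aug 28 09:41:06 linux-srv charon: 08[IKE] CHILD_SA sub-8{61} established with SPIs cd8d0370_i 6c2ac70c_o and TS 10.0.1.0/24 === 10.200.21.0/24
Aug 28 09:41:06 linux-srv charon: 10[IKE] CHILD_SA sub-15{62} established with SPIs c88aa204_i 8417ada4_o and TS 10.0.1.0/24 === 10.200.4.0/24
Aug 28 09:41:06 linux-srv charon: 06[ENC] parsed CREATE_CHILD_SA request 0 [ SA No KE TSi TSr ]
Aug 28 09:41:06 linux-srv charon: 06[IKE] CHILD_SA sub-3{66} established with SPIs c7cee977_i 3db8adaa_o and TS 10.0.1.0/24 === 10.200.3.0/24
Aug 28 09:41:07 linux-srv charon: 12[IKE] establishing CHILD_SA sub-3{72} reqid 3
Aug 28 09:41:07 linux-srv charon: 05[IKE] CHILD_SA sub-3{72} established with SPIs c32bdcfa_i b78fea52_o and TS 10.0.1.0/24 === 10.200.3.0/24
Aug 28 09:41:07 linux-srv charon: 09[IKE] CHILD_SA sub-1{74} established with SPIs c1bcbaef_i 27268edd_o and TS 10.0.1.0/24 === 10.200.1.0/24
"""

# Matches only the "established with SPIs" message, not "establishing CHILD_SA".
# name = connection name (sub-3), uid = charon's unique CHILD_SA id ({66}).
ESTABLISHED = re.compile(
    r"CHILD_SA (?P<name>[\w-]+)\{(?P<uid>\d+)\} established with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o and TS (?P<ts>.+)$"
)


def parse_established(log_text):
    """Return one record per 'CHILD_SA ... established' line in the log."""
    records = []
    for line in log_text.splitlines():
        m = ESTABLISHED.search(line)
        if not m:
            continue
        records.append({
            "time": line[:15],                 # syslog timestamp prefix
            "name": m.group("name"),
            "uid": int(m.group("uid")),
            "spi_in": m.group("spi_in"),
            "spi_out": m.group("spi_out"),
            "ts": m.group("ts").strip(),
        })
    return records


def find_duplicates(records):
    """Group by (connection name, TS pair); keep groups with >1 unique id.

    Deduplicating on the unique id matters: the log in #2 carries every
    message twice (once as 'charon:' and once as 'strongswan:'), and a
    repeated line for the same {uid} is a logging artefact, not a second SA.
    """
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["name"], r["ts"])].append(r)
    return {
        key: recs
        for key, recs in by_key.items()
        if len({r["uid"] for r in recs}) > 1
    }


def report(duplicates):
    """Human-readable summary, one line per duplicated connection."""
    lines = []
    for (name, ts), recs in sorted(duplicates.items()):
        uids = sorted({r["uid"] for r in recs})
        lines.append(f"{name}: {len(uids)} CHILD_SAs for TS {ts}, unique ids {uids}")
    return lines


if __name__ == "__main__":
    for line in report(find_duplicates(parse_established(SAMPLE_LOG))):
        print(line)
```

Run against the full log from #2 (both the charon: and strongswan: copies) it reports only sub-3, because every other connection appears under a single unique id. What it cannot tell you is which copy to keep, which is the question #3 asks; the answer in #4 is to stop the race with make-before-break or rekeying so there is nothing to choose between.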

#5 Updated by Alexis Rapior 11 months ago

Thanks for the hint.
I've now set

make_before_break = yes

in charon.conf.
Let's see if the duplication occurs again.
