Issue #3087

Duplicate IDs cause client strongswan to fall into a dead cycle

Added by Bin Liu 3 months ago. Updated 3 months ago.

Status:
Closed
Priority:
Normal
Category:
configuration
Affected version:
5.8.0
Resolution:
No change required

Description

the client log:

    13[IKE] IKE_SA tunnel-0[1] established between 10.252.9.8[1laolang@psk]...10.252.9.110[10.252.9.110]
    13[IKE] installing new virtual IP 18.18.18.16
    13[IKE] CHILD_SA tunnel-0{1} established with SPIs c4dde8d7_i c48de2cd_o and TS 18.18.18.16/32 === 0.0.0.0/0
    16[NET] received packet: from 10.252.9.110[500] to 10.252.9.8[500] (80 bytes)
    16[ENC] parsed INFORMATIONAL request 0 [ D ]
    16[IKE] received DELETE for IKE_SA tunnel-0[1]
    16[IKE] deleting IKE_SA tunnel-0[1] between 10.252.9.8[1laolang@psk]...10.252.9.110[10.252.9.110]
    16[IKE] installing new virtual IP 18.18.18.16
    16[IKE] restarting CHILD_SA tunnel-0
    16[IKE] initiating IKE_SA tunnel-0[2] to 10.252.9.110
    16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
    16[NET] sending packet: from 10.252.9.8[500] to 10.252.9.110[500] (780 bytes)
    16[IKE] IKE_SA deleted
    16[ENC] generating INFORMATIONAL response 0 [ ]
    16[NET] sending packet: from 10.252.9.8[500] to 10.252.9.110[500] (80 bytes)
    05[NET] received packet: from 10.252.9.110[500] to 10.252.9.8[500] (627 bytes)
    05[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
    05[IKE] received 2 cert requests for an unknown ca
    05[IKE] authentication of '1laolang@psk' (myself) with pre-shared key
    05[IKE] establishing CHILD_SA tunnel-0{1}
    05[ENC] generating IKE_AUTH request 1 [ IDi AUTH CPRQ(ADDR DNS) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
    05[NET] sending packet: from 10.252.9.8[500] to 10.252.9.110[500] (384 bytes)
    07[NET] received packet: from 10.252.9.110[500] to 10.252.9.8[500] (240 bytes)
    07[ENC] parsed IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR) SA TSi TSr ]
    07[IKE] authentication of '10.252.9.110' with pre-shared key successful
    07[IKE] IKE_SA tunnel-0[2] established between 10.252.9.8[1laolang@psk]...10.252.9.110[10.252.9.110]
    07[IKE] installing new virtual IP 18.18.18.16
    07[IKE] CHILD_SA tunnel-0{2} established with SPIs cc4c5c76_i c7ed33b5_o and TS 18.18.18.16/32 === 0.0.0.0/0
    09[NET] received packet: from 10.252.9.110[500] to 10.252.9.8[500] (80 bytes)
    09[ENC] parsed INFORMATIONAL request 0 [ D ]
    09[IKE] received DELETE for IKE_SA tunnel-0[2]
    09[IKE] deleting IKE_SA tunnel-0[2] between 10.252.9.8[1laolang@psk]...10.252.9.110[10.252.9.110]
    09[IKE] installing new virtual IP 18.18.18.16
    09[IKE] restarting CHILD_SA tunnel-0
    09[IKE] initiating IKE_SA tunnel-0[3] to 10.252.9.110
    09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
    09[NET] sending packet: from 10.252.9.8[500] to 10.252.9.110[500] (780 bytes)
    09[IKE] IKE_SA deleted
    09[ENC] generating INFORMATIONAL response 0 [ ]
    09[NET] sending packet: from 10.252.9.8[500] to 10.252.9.110[500] (80 bytes)
    10[NET] received packet: from 10.252.9.110[500] to 10.252.9.8[500] (627 bytes)
    10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
    10[IKE] received 2 cert requests for an unknown ca
    10[IKE] authentication of '1laolang@psk' (myself) with pre-shared key
    10[IKE] establishing CHILD_SA tunnel-0{2}
    10[ENC] generating IKE_AUTH request 1 [ IDi AUTH CPRQ(ADDR DNS) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
    10[NET] sending packet: from 10.252.9.8[500] to 10.252.9.110[500] (384 bytes)
    12[NET] received packet: from 10.252.9.110[500] to 10.252.9.8[500] (240 bytes)
    12[ENC] parsed IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR) SA TSi TSr ]
    12[IKE] authentication of '10.252.9.110' with pre-shared key successful
    12[IKE] IKE_SA tunnel-0[3] established between 10.252.9.8[1laolang@psk]...10.252.9.110[10.252.9.110]
    12[IKE] installing new virtual IP 18.18.18.16
    12[IKE] CHILD_SA tunnel-0{3} established with SPIs c9173128_i cdb2920c_o and TS 18.18.18.16/32 === 0.0.0.0/0
    14[NET] received packet: from 10.252.9.110[500] to 10.252.9.8[500] (80 bytes)
    14[ENC] parsed INFORMATIONAL request 0 [ D ]
    14[IKE] received DELETE for IKE_SA tunnel-0[3]
    14[IKE] deleting IKE_SA tunnel-0[3] between 10.252.9.8[1laolang@psk]...10.252.9.110[10.252.9.110]
    14[IKE] installing new virtual IP 18.18.18.16
    14[IKE] restarting CHILD_SA tunnel-0

the server log:

    11[CFG] looking for peer configs matching 10.252.9.110[%any]...10.252.1.54[1laolang@psk]
    11[CFG] selected peer config 'laolang-PSK'
    11[IKE] authentication of '1laolang@psk' with pre-shared key successful
    11[CFG] no IDr configured, fall back on IP address
    11[IKE] authentication of '10.252.9.110' (myself) with pre-shared key
    11[IKE] deleting duplicate IKE_SA for peer '1laolang@psk' due to uniqueness policy
    11[IKE] deleting IKE_SA laolang-PSK[369] between 10.252.9.110[10.252.9.110]...10.252.9.9[1laolang@psk]
    11[IKE] sending DELETE for IKE_SA laolang-PSK[369]
    11[ENC] generating INFORMATIONAL request 0 [ D ]
    11[NET] sending packet: from 10.252.9.110[500] to 10.252.9.9[500] (80 bytes)
    11[IKE] IKE_SA laolang-PSK[370] established between 10.252.9.110[10.252.9.110]...10.252.1.54[1laolang@psk]
    11[IKE] peer requested virtual IP 18.18.18.13
    11[CFG] reassigning offline lease to '1laolang@psk'
    11[IKE] assigning virtual IP 18.18.18.13 to peer '1laolang@psk'
    11[IKE] CHILD_SA laolang-PSK{782} established with SPIs c9de0aa2_i ca02ec9a_o and TS 0.0.0.0/0 === 18.18.18.13/32
    11[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR) SA TSi TSr ]
    11[NET] sending packet: from 10.252.9.110[500] to 10.252.1.54[500] (240 bytes)
    06[NET] received packet: from 10.252.9.9[500] to 10.252.9.110[500] (80 bytes)
    08[NET] received packet: from 10.252.9.9[500] to 10.252.9.110[500] (780 bytes)
    06[ENC] parsed INFORMATIONAL response 0 [ ]
    06[IKE] IKE_SA deleted
    08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
    08[IKE] 10.252.9.9 is initiating an IKE_SA
    06[CFG] lease 18.18.18.15 by '1laolang@psk' went offline
    08[IKE] sending cert request for "C=CD, O=BTI, CN=Sub-CA" 
    08[IKE] sending cert request for "CN=Test-RootCA" 
    08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
    08[NET] sending packet: from 10.252.9.110[500] to 10.252.9.9[500] (627 bytes)
    14[NET] received packet: from 10.252.9.9[500] to 10.252.9.110[500] (416 bytes)
    14[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH CPRQ(ADDR DNS) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
    14[IKE] received cert request for "CN=Test-RootCA" 
    14[CFG] looking for peer configs matching 10.252.9.110[%any]...10.252.9.9[1laolang@psk]
    14[CFG] selected peer config 'laolang-PSK'
    14[IKE] authentication of '1laolang@psk' with pre-shared key successful
    14[CFG] no IDr configured, fall back on IP address
    14[IKE] authentication of '10.252.9.110' (myself) with pre-shared key
    14[IKE] deleting duplicate IKE_SA for peer '1laolang@psk' due to uniqueness policy
    14[IKE] deleting IKE_SA laolang-PSK[370] between 10.252.9.110[10.252.9.110]...10.252.1.54[1laolang@psk]
    14[IKE] sending DELETE for IKE_SA laolang-PSK[370]
    14[ENC] generating INFORMATIONAL request 0 [ D ]
    14[NET] sending packet: from 10.252.9.110[500] to 10.252.1.54[500] (80 bytes)
    14[IKE] IKE_SA laolang-PSK[371] established between 10.252.9.110[10.252.9.110]...10.252.9.9[1laolang@psk]
    14[IKE] peer requested virtual IP 18.18.18.15
    14[CFG] reassigning offline lease to '1laolang@psk'
    14[IKE] assigning virtual IP 18.18.18.15 to peer '1laolang@psk'
    14[IKE] CHILD_SA laolang-PSK{783} established with SPIs c03eef2d_i c6ad26f9_o and TS 0.0.0.0/0 === 18.18.18.15/32
    14[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR) SA TSi TSr ]
    14[NET] sending packet: from 10.252.9.110[500] to 10.252.9.9[500] (240 bytes)
    07[NET] received packet: from 10.252.1.54[500] to 10.252.9.110[500] (780 bytes)
    07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
    07[IKE] 10.252.1.54 is initiating an IKE_SA
    15[NET] received packet: from 10.252.1.54[500] to 10.252.9.110[500] (80 bytes)
    15[ENC] parsed INFORMATIONAL response 0 [ ]
    15[IKE] IKE_SA deleted
    15[CFG] lease 18.18.18.13 by '1laolang@psk' went offline
    07[IKE] sending cert request for "C=CD, O=BTI, CN=Sub-CA" 
    07[IKE] sending cert request for "CN=Test-RootCA" 
    07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
    07[NET] sending packet: from 10.252.9.110[500] to 10.252.1.54[500] (627 bytes)
    12[NET] received packet: from 10.252.1.54[500] to 10.252.9.110[500] (416 bytes)
    12[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH CPRQ(ADDR DNS) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
    12[IKE] received cert request for "CN=Test-RootCA" 
    12[CFG] looking for peer configs matching 10.252.9.110[%any]...10.252.1.54[1laolang@psk]
    12[CFG] selected peer config 'laolang-PSK'
    12[IKE] authentication of '1laolang@psk' with pre-shared key successful
    12[CFG] no IDr configured, fall back on IP address
    12[IKE] authentication of '10.252.9.110' (myself) with pre-shared key
    12[IKE] deleting duplicate IKE_SA for peer '1laolang@psk' due to uniqueness policy
    12[IKE] deleting IKE_SA laolang-PSK[371] between 10.252.9.110[10.252.9.110]...10.252.9.9[1laolang@psk]
    12[IKE] sending DELETE for IKE_SA laolang-PSK[371]

This situation can take up a lot of CPU resources. How can strongswan not repeat attempts to establish connections when ID conflicts cannot be avoided?

History

#1 Updated by Tobias Brunner 3 months ago

  • Description updated (diff)
  • Category set to configuration
  • Status changed from New to Feedback

Don't combine a uniqueness policy on the server with close_action=start on the client, that will obviously cause a loop if two clients connect with the same identity. Change either or both settings.
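A way to spot this flip-flop on the server side from the log alone, as an added example that is not strongSwan's code and not part of the ticket: it scans the `deleting duplicate IKE_SA ... due to uniqueness policy` lines and reports identities that keep being replaced from more than one remote address. The sample log is a constructed excerpt modelled on the server log above; the `roadwarrior@psk` identity and the `min_deletes` threshold are assumptions.

```python
import re
from collections import defaultdict

# Server-side line emitted when the uniqueness policy replaces an existing IKE_SA.
DUP_RE = re.compile(
    r"\[IKE\] deleting duplicate IKE_SA for peer '(?P<id>[^']+)' due to uniqueness policy")
# The line that follows names the SA being torn down and the remote address it came from.
DEL_RE = re.compile(
    r"\[IKE\] deleting IKE_SA (?P<conn>\S+)\[\d+\] between [\d.]+\[[^\]]*\]"
    r"\.\.\.(?P<remote>[\d.]+)\[(?P<id>[^\]]*)\]")

def find_identity_churn(lines, min_deletes=3):
    """Return {identity: (delete_count, sorted remote addresses)} for every identity
    whose IKE_SA was replaced under the uniqueness policy at least min_deletes times
    from two or more distinct remote addresses, i.e. two clients sharing one identity."""
    deletes = defaultdict(int)
    remotes = defaultdict(set)
    pending = None  # identity named by the last 'deleting duplicate' line
    for line in lines:
        m = DUP_RE.search(line)
        if m:
            deletes[m.group("id")] += 1
            pending = m.group("id")
            continue
        m = DEL_RE.search(line)
        if m and pending == m.group("id"):
            remotes[pending].add(m.group("remote"))
            pending = None
    return {
        ident: (n, sorted(remotes[ident]))
        for ident, n in deletes.items()
        if n >= min_deletes and len(remotes[ident]) >= 2
    }

# Constructed excerpt modelled on the ticket's server log; the 'roadwarrior@psk'
# lines are made up to show an identity that is NOT flagged (single address, one delete).
SAMPLE_LOG = """\
11[IKE] authentication of '1laolang@psk' with pre-shared key successful
11[IKE] deleting duplicate IKE_SA for peer '1laolang@psk' due to uniqueness policy
11[IKE] deleting IKE_SA laolang-PSK[369] between 10.252.9.110[10.252.9.110]...10.252.9.9[1laolang@psk]
11[IKE] IKE_SA laolang-PSK[370] established between 10.252.9.110[10.252.9.110]...10.252.1.54[1laolang@psk]
14[IKE] deleting duplicate IKE_SA for peer '1laolang@psk' due to uniqueness policy
14[IKE] deleting IKE_SA laolang-PSK[370] between 10.252.9.110[10.252.9.110]...10.252.1.54[1laolang@psk]
12[IKE] deleting duplicate IKE_SA for peer '1laolang@psk' due to uniqueness policy
12[IKE] deleting IKE_SA laolang-PSK[371] between 10.252.9.110[10.252.9.110]...10.252.9.9[1laolang@psk]
09[IKE] deleting duplicate IKE_SA for peer 'roadwarrior@psk' due to uniqueness policy
09[IKE] deleting IKE_SA laolang-PSK[42] between 10.252.9.110[10.252.9.110]...10.252.9.77[roadwarrior@psk]
""".splitlines()

if __name__ == "__main__":
    for ident, (n, addrs) in find_identity_churn(SAMPLE_LOG).items():
        print(f"{ident}: replaced {n} times from {', '.join(addrs)}")
```

An identity reported here with two addresses is the signature of the loop in this ticket; the fix is the configuration change above, not a change to strongSwan.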

#2 Updated by Bin Liu 3 months ago

Got it! Thanks.

#3 Updated by Tobias Brunner 3 months ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required
