Issue #3440

Duplicate IPSEC SAs keep increasing... like thousands of them!

Added by Scep CAfail 5 months ago. Updated 5 months ago.

Status: Feedback
Priority: Normal
Assignee: -
Category: -
Affected version: 5.3.5
Resolution:
Description

Distributor ID: Ubuntu
Description: Ubuntu 16.04.5 LTS
Release: 16.04
Codename: xenial
root@gateway:/etc/strongswan.d# ipsec --version
Linux strongSwan U5.3.5/K4.4.0-178-generic

Hello,

The following tunnel establishes fine and passes traffic just fine. However, among conn1, conn2 and conn3, the IPsec SAs keep adding up to infinity for conn1 only, for some reason. About every 30 seconds a new SA shows up, and the old ones are not cleared.

  conn1{188}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c22f8999_i 266c865c_o
  conn1{188}:  AES_CBC_256/HMAC_SHA2_256_128, 27176 bytes_i, 31082 bytes_o, rekeying in 43 minutes
  conn1{188}:   10.178.0.0/16 === 192.168.2.12/32
  conn1{189}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c259cacb_i 35bac3fe_o
  conn1{189}:  AES_CBC_256/HMAC_SHA2_256_128, 20895 bytes_i, 24086 bytes_o, rekeying in 38 minutes
  conn1{189}:   10.178.0.0/16 === 192.168.2.12/32
  conn1{190}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: ca383795_i 0da9a015_o
  conn1{190}:  AES_CBC_256/HMAC_SHA2_256_128, 41 bytes_i, 64 bytes_o, rekeying in 40 minutes
  conn1{190}:   10.178.0.0/16 === 192.168.2.12/32
  conn1{191}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c882ffcb_i 902857a5_o
  conn1{191}:  AES_CBC_256/HMAC_SHA2_256_128, 6314 bytes_i, 6960 bytes_o, rekeying in 44 minutes
  conn1{191}:   10.178.0.0/16 === 192.168.2.12/32
  conn1{192}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c95fe2c2_i 449235c4_o
  conn1{192}:  AES_CBC_256/HMAC_SHA2_256_128, 82 bytes_i, 128 bytes_o, rekeying in 44 minutes
  conn1{192}:   10.178.0.0/16 === 192.168.2.12/32
  conn1{193}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cb984d2b_i c8120067_o
  conn1{193}:  AES_CBC_256/HMAC_SHA2_256_128, 41 bytes_i, 64 bytes_o, rekeying in 38 minutes
  conn1{193}:   10.178.0.0/16 === 192.168.2.12/32
  conn1{194}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c196218a_i 312118b6_o
  conn1{194}:  AES_CBC_256/HMAC_SHA2_256_128, 16943 bytes_i, 19350 bytes_o, rekeying in 39 minutes
  conn1{194}:   10.178.0.0/16 === 192.168.2.12/32
  conn1{195}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c12a392f_i d30c513e_o
  conn1{195}:  AES_CBC_256/HMAC_SHA2_256_128, 3823 bytes_i, 4644 bytes_o, rekeying in 39 minutes
  conn1{195}:   10.178.0.0/16 === 192.168.2.12/32
  conn1{196}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c75fb1cb_i 07799152_o
  conn1{196}:  AES_CBC_256/HMAC_SHA2_256_128, 6355 bytes_i, 6960 bytes_o, rekeying in 43 minutes
  conn1{196}:   10.178.0.0/16 === 192.168.2.12/32
  conn1{197}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0b82393_i 68e602c9_o
  conn1{197}:  AES_CBC_256/HMAC_SHA2_256_128, 134 bytes_i, 244 bytes_o, rekeying in 42 minutes
  conn1{197}:   10.178.0.0/16 === 192.168.2.12/32
  conn1{198}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c84c1713_i b9e28912_o
  conn1{198}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 47 minutes
  conn1{198}:   10.178.0.0/16 === 192.168.2.12/32
  conn1{199}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0da5eb3_i b2015e98_o
  conn1{199}:  AES_CBC_256/HMAC_SHA2_256_128, 27400 bytes_i, 31266 bytes_o, rekeying in 42 minutes
  conn1{199}:   10.178.0.0/16 === 192.168.2.12/32
  conn1{200}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c77839c3_i 14d6dd5b_o
  conn1{200}:  AES_CBC_256/HMAC_SHA2_256_128, 41 bytes_i, 64 bytes_o, rekeying in 41 minutes
  conn1{200}:   10.178.0.0/16 === 192.168.2.12/32
  conn1{201}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1ba2e16_i 16d0af62_o
  conn1{201}:  AES_CBC_256/HMAC_SHA2_256_128, 13536 bytes_i, 15376 bytes_o, rekeying in 42 minutes
  conn1{201}:   10.178.0.0/16 === 192.168.2.12/32
  conn1{202}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cf8dfd75_i 98c053ea_o
  conn1{202}:  AES_CBC_256/HMAC_SHA2_256_128, 3391 bytes_i, 3958 bytes_o, rekeying in 44 minutes
  conn1{202}:   10.178.0.0/16 === 192.168.2.12/32
  conn1{203}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cdc26f15_i 8b9292a2_o
  conn1{203}:  AES_CBC_256/HMAC_SHA2_256_128, 10312 bytes_i, 11788 bytes_o, rekeying in 45 minutes
  conn1{203}:   10.178.0.0/16 === 192.168.2.12/32
  conn1{204}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c80701bb_i 4944933d_o
  conn1{204}:  AES_CBC_256/HMAC_SHA2_256_128, 16916 bytes_i, 19346 bytes_o, rekeying in 44 minutes
  conn1{204}:   10.178.0.0/16 === 192.168.2.12/32
  conn1{205}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cce9dfc6_i 549c8965_o
  conn1{205}:  AES_CBC_256/HMAC_SHA2_256_128, 10178 bytes_i, 11608 bytes_o, rekeying in 47 minutes
  conn1{205}:   10.178.0.0/16 === 192.168.2.12/32
  conn1{206}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c325ac27_i e8acd9a7_o
  conn1{206}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 48 minutes
  conn1{206}:   10.178.0.0/16 === 192.168.2.12/32

The last time I restarted ipsec there were 16500 entries like the above. Following is the config:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn %default
        type=tunnel
        authby=psk
        compress=no
        aggressive=no
        keyexchange=ikev2
        ike=aes256-sha256-ecp384!
        ikelifetime=86400s
        esp=aes256-sha256-modp2048s256!
        dpdaction=hold
        auto=start

conn conn1
        left=x.x.x.x
        leftsubnet=10.178.0.0/16
        right=y.y.y.y
        rightsubnet=192.168.2.12/32

conn conn2
        left=x.x.x.x
        leftsubnet=10.178.0.0/16
        right=y.y.y.y
        rightsubnet=192.168.80.80/32

conn conn3
        left=x.x.x.x
        leftsubnet=10.178.0.0/16
        right=y.y.y.y
        rightsubnet=10.153.2.2/32

I tried without dpdaction=hold and the result was the same. I also attached some logs to this thread, and "received DELETE for ESP CHILD_SA" shows up every few seconds, which is odd. Any ideas what the culprit could be?

Thanks

charonlogs.txt (23.6 KB) - Scep CAfail, 08.05.2020 17:48
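The symptom above is easier to spot and track over time with a small parser than by eyeballing `ipsec statusall`. The script below is an added example and is not part of the report or of strongSwan itself: it parses the three lines strongSwan 5.x prints per CHILD_SA (state/reqid/SPIs, algorithms and byte counters, traffic selectors), groups the SAs by connection name and traffic selectors, and reports every group that holds more than one SA, together with the SAs that have carried no traffic at all. The embedded sample is constructed in the shape of the output quoted above (trimmed to a few SAs, with an invented conn2 entry); the `ESP in UDP SPIs` variant is included on the assumption that NAT-T peers print it that way.

```python
#!/usr/bin/env python3
"""Find duplicate CHILD_SAs in `ipsec statusall` output (strongSwan 5.x).

Added example, not strongSwan code. Usage:  ipsec statusall | python3 sa_dupes.py
"""
import re
import sys
from collections import defaultdict

# Constructed sample modelled on the output quoted in the report; SPIs and byte
# counters are illustrative, and the conn2 entry is invented for contrast.
SAMPLE_STATUS = """\
  conn1{188}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c22f8999_i 266c865c_o
  conn1{188}:  AES_CBC_256/HMAC_SHA2_256_128, 27176 bytes_i, 31082 bytes_o, rekeying in 43 minutes
  conn1{188}:   10.178.0.0/16 === 192.168.2.12/32
  conn1{189}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c259cacb_i 35bac3fe_o
  conn1{189}:  AES_CBC_256/HMAC_SHA2_256_128, 20895 bytes_i, 24086 bytes_o, rekeying in 38 minutes
  conn1{189}:   10.178.0.0/16 === 192.168.2.12/32
  conn1{198}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c84c1713_i b9e28912_o
  conn1{198}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 47 minutes
  conn1{198}:   10.178.0.0/16 === 192.168.2.12/32
  conn2{12}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c1111111_i 22222222_o
  conn2{12}:  AES_CBC_256/HMAC_SHA2_256_128, 500 bytes_i, 600 bytes_o, rekeying in 40 minutes
  conn2{12}:   10.178.0.0/16 === 192.168.80.80/32
"""

# One regex per line type; the "conn{id}:" prefix ties the three lines together.
_HEADER = re.compile(
    r"^\s*(?P<conn>[\w.-]+)\{(?P<id>\d+)\}:\s+(?P<state>\w+), (?P<mode>\w+), "
    r"reqid (?P<reqid>\d+), ESP(?: in UDP)? SPIs: "
    r"(?P<spi_i>[0-9a-fA-F]+)_i (?P<spi_o>[0-9a-fA-F]+)_o"
)
_COUNTERS = re.compile(
    r"^\s*(?P<conn>[\w.-]+)\{(?P<id>\d+)\}:\s+\S+, "
    r"(?P<bytes_i>\d+) bytes_i.*?(?P<bytes_o>\d+) bytes_o"
)
_SELECTORS = re.compile(
    r"^\s*(?P<conn>[\w.-]+)\{(?P<id>\d+)\}:\s+(?P<local>.+?) === (?P<remote>.+?)\s*$"
)


def parse_child_sas(text):
    """Return {(conn, unique_id): record} for every CHILD_SA in statusall output."""
    sas = {}
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            sas[(m["conn"], int(m["id"]))] = {
                "state": m["state"], "reqid": int(m["reqid"]),
                "spi_i": m["spi_i"], "spi_o": m["spi_o"],
                "bytes_i": 0, "bytes_o": 0, "local": None, "remote": None,
            }
            continue
        m = _COUNTERS.match(line)
        if m and (m["conn"], int(m["id"])) in sas:
            sa = sas[(m["conn"], int(m["id"]))]
            sa["bytes_i"], sa["bytes_o"] = int(m["bytes_i"]), int(m["bytes_o"])
            continue
        m = _SELECTORS.match(line)
        if m and (m["conn"], int(m["id"])) in sas:
            sa = sas[(m["conn"], int(m["id"]))]
            sa["local"], sa["remote"] = m["local"], m["remote"]
    return sas


def duplicate_child_sas(sas, threshold=1):
    """Group SAs by (conn, local TS, remote TS); keep groups larger than `threshold`.

    A healthy connection has one installed SA per selector pair (two briefly
    while rekeying), so anything beyond that is a leftover that was never deleted.
    """
    groups = defaultdict(list)
    for (conn, uid), sa in sas.items():
        groups[(conn, sa["local"], sa["remote"])].append(uid)
    return {k: sorted(v) for k, v in groups.items() if len(v) > threshold}


def idle_child_sas(sas):
    """SAs with zero bytes in both directions: typical for stale duplicates."""
    return sorted(k for k, sa in sas.items() if sa["bytes_i"] == 0 and sa["bytes_o"] == 0)


def report(text):
    """Human-readable summary of duplicate SA groups in `text`."""
    sas = parse_child_sas(text)
    lines = [f"{len(sas)} CHILD_SAs parsed, {len(idle_child_sas(sas))} idle"]
    for (conn, local, remote), ids in sorted(duplicate_child_sas(sas).items()):
        lines.append(f"{conn}: {len(ids)} SAs for {local} === {remote} "
                     f"(unique ids {ids[0]}..{ids[-1]})")
    return "\n".join(lines)


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    print(report(data))
```

Run it against the sample to see conn1 flagged with three SAs for the same selector pair; piped from a live `ipsec statusall` it gives a per-connection count that can be watched over a few minutes to confirm the roughly 30-second growth the report describes.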

History

#1 Updated by Tobias Brunner 5 months ago

  • Tracker changed from Bug to Issue
  • Category deleted (charon)
  • Status changed from New to Feedback
  • Start date deleted (08.05.2020)

Using dpdaction=hold (or auto=route) is not a good idea if you have reauthentication enabled (reauth=yes, the default). The version you use is also very old. Provide more logs (in particular from the beginning).
