
Issue #923

MOBIKE not working on HA cluster

Added by Peter Whisker over 5 years ago. Updated over 5 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
charon
Affected version:
5.1.2
Resolution:

Description

Hi

I have been testing MOBIKE and NAT-T in a HA scenario. I am not having any problems with NAT-T:

Apr 2 15:21:40 IrisP-L-2-1 charon: 15[KNL] NAT mappings of ESP CHILD_SA with SPI c620f123 and reqid {3} changed, queuing update job

However, with MOBIKE, there seem to be problems which look like the INFO packet is being processed by the wrong side (I have had some success with MOBIKE in the single server scenario). Again, simply put, do you foresee that there should be issues with HA and MOBIKE, or should I carry on trying to make it work?

I change the address below on the client from 172.16.10.1 to 172.16.150.1 at time 15:28:46. It looks like the passive side picks up the MOBIKE INFO packets and throws them away "received packet: from 172.16.150.1:4500 to 10.1.0.1:4500 (76 bytes)". Is there something I can do to get MOBIKE working in a HA cluster?

The HA cluster is behind a NAT (172.16.0.1 -> 10.1.0.1) with static port forwarding of 4500 and 500. The identical setup works if I don't have HA enabled.

Thanks
Peter

Client server: ==========================

Apr 7 15:28:12 IrisP-L-1 charon: 12[IKE] retransmit 2 of request with message ID 0
Apr 7 15:28:12 IrisP-L-1 charon: 12[NET] sending packet: from 172.16.10.1:500 to 172.16.0.1:500 (1308 bytes)
Apr 7 15:28:12 IrisP-L-1 charon: 13[NET] received packet: from 172.16.0.1:500 to 172.16.10.1:500 (312 bytes)
Apr 7 15:28:12 IrisP-L-1 charon: 13[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Apr 7 15:28:12 IrisP-L-1 charon: 13[IKE] remote host is behind NAT
Apr 7 15:28:12 IrisP-L-1 charon: 13[IKE] sending cert request for "C=UK, O=IRIS, CN=IRIS-P CA"
Apr 7 15:28:12 IrisP-L-1 charon: 13[IKE] authentication of 'C=UK, O=IRIS, CN=irisp-l-1' (myself) with RSA signature successful
Apr 7 15:28:12 IrisP-L-1 charon: 13[IKE] establishing CHILD_SA gsgw
Apr 7 15:28:12 IrisP-L-1 charon: 13[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Apr 7 15:28:12 IrisP-L-1 charon: 13[NET] sending packet: from 172.16.10.1:4500 to 172.16.0.1:4500 (716 bytes)
Apr 7 15:28:12 IrisP-L-1 charon: 11[NET] received packet: from 172.16.0.1:4500 to 172.16.10.1:4500 (524 bytes)
Apr 7 15:28:12 IrisP-L-1 charon: 11[ENC] parsed IKE_AUTH response 1 [ IDr AUTH CPRP SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Apr 7 15:28:12 IrisP-L-1 charon: 11[CFG] using trusted ca certificate "C=UK, O=IRIS, CN=IRIS-P CA"
Apr 7 15:28:12 IrisP-L-1 charon: 11[CFG] checking certificate status of "C=UK, O=IRIS, CN=irisp-l-2"
Apr 7 15:28:12 IrisP-L-1 charon: 11[CFG] certificate status is not available
Apr 7 15:28:12 IrisP-L-1 charon: 11[CFG] reached self-signed root ca with a path length of 0
Apr 7 15:28:12 IrisP-L-1 charon: 11[CFG] using trusted certificate "C=UK, O=IRIS, CN=irisp-l-2"
Apr 7 15:28:12 IrisP-L-1 charon: 11[IKE] authentication of 'C=UK, O=IRIS, CN=irisp-l-2' with RSA signature successful
Apr 7 15:28:12 IrisP-L-1 charon: 11[IKE] IKE_SA gsgw1 established between 172.16.10.1[C=UK, O=IRIS, CN=irisp-l-1]...172.16.0.1[C=UK, O=IRIS, CN=irisp-l-2]
Apr 7 15:28:12 IrisP-L-1 charon: 11[IKE] installing DNS server 10.2.0.2 to /etc/resolv.conf
Apr 7 15:28:12 IrisP-L-1 charon: 11[IKE] installing new virtual IP 192.168.0.3
Apr 7 15:28:12 IrisP-L-1 charon: 11[IKE] CHILD_SA gsgw{1} established with SPIs c33daf56_i c1371884_o and TS 192.168.0.3/32 === 10.2.0.0/24
Apr 7 15:28:12 IrisP-L-1 charon: 11[IKE] peer supports MOBIKE
Apr 7 15:28:46 IrisP-L-1 charon: 14[KNL] 172.16.10.1 disappeared from eth1
Apr 7 15:28:46 IrisP-L-1 charon: 11[KNL] 172.16.150.1 appeared on eth1
Apr 7 15:28:46 IrisP-L-1 charon: 15[IKE] old path is not available anymore, try to find another
Apr 7 15:28:46 IrisP-L-1 charon: 15[IKE] looking for a route to 172.16.0.1 ...
Apr 7 15:28:46 IrisP-L-1 charon: 15[IKE] requesting address change using MOBIKE
Apr 7 15:28:46 IrisP-L-1 charon: 15[ENC] generating INFORMATIONAL request 2 [ ]
Apr 7 15:28:46 IrisP-L-1 charon: 15[IKE] checking path 172.16.150.1:4500 - 172.16.0.1:4500
Apr 7 15:28:46 IrisP-L-1 charon: 15[NET] sending packet: from 172.16.150.1:4500 to 172.16.0.1:4500 (76 bytes)
Apr 7 15:28:49 IrisP-L-1 charon: 04[IKE] path probing attempt 1
Apr 7 15:28:49 IrisP-L-1 charon: 04[IKE] checking path 172.16.150.1:4500 - 172.16.0.1:4500
Apr 7 15:28:49 IrisP-L-1 charon: 04[NET] sending packet: from 172.16.150.1:4500 to 172.16.0.1:4500 (76 bytes)
Apr 7 15:28:51 IrisP-L-1 charon: 14[IKE] path probing attempt 2
Apr 7 15:28:51 IrisP-L-1 charon: 14[IKE] checking path 172.16.150.1:4500 - 172.16.0.1:4500
Apr 7 15:28:51 IrisP-L-1 charon: 14[NET] sending packet: from 172.16.150.1:4500 to 172.16.0.1:4500 (76 bytes)
Apr 7 15:28:52 IrisP-L-1 charon: 03[NET] error writing to socket: Invalid argument
Apr 7 15:28:53 IrisP-L-1 charon: 03[NET] error writing to socket: Invalid argument
Apr 7 15:28:54 IrisP-L-1 charon: 10[IKE] path probing attempt 3
Apr 7 15:28:54 IrisP-L-1 charon: 10[IKE] checking path 172.16.150.1:4500 - 172.16.0.1:4500
Apr 7 15:28:54 IrisP-L-1 charon: 10[NET] sending packet: from 172.16.150.1:4500 to 172.16.0.1:4500 (76 bytes)
Apr 7 15:28:56 IrisP-L-1 charon: 13[IKE] path probing attempt 4
Apr 7 15:28:56 IrisP-L-1 charon: 13[IKE] checking path 172.16.150.1:4500 - 172.16.0.1:4500
Apr 7 15:28:56 IrisP-L-1 charon: 13[NET] sending packet: from 172.16.150.1:4500 to 172.16.0.1:4500 (76 bytes)
Apr 7 15:28:59 IrisP-L-1 charon: 13[IKE] path probing attempt 5
Apr 7 15:28:59 IrisP-L-1 charon: 13[IKE] checking path 172.16.150.1:4500 - 172.16.0.1:4500
Apr 7 15:28:59 IrisP-L-1 charon: 13[NET] sending packet: from 172.16.150.1:4500 to 172.16.0.1:4500 (76 bytes)
Apr 7 15:29:01 IrisP-L-1 charon: 14[IKE] path probing attempt 6
Apr 7 15:29:01 IrisP-L-1 charon: 14[IKE] checking path 172.16.150.1:4500 - 172.16.0.1:4500
Apr 7 15:29:01 IrisP-L-1 charon: 14[NET] sending packet: from 172.16.150.1:4500 to 172.16.0.1:4500 (76 bytes)
Apr 7 15:29:04 IrisP-L-1 charon: 04[IKE] path probing attempt 7
Apr 7 15:29:04 IrisP-L-1 charon: 04[IKE] checking path 172.16.150.1:4500 - 172.16.0.1:4500
Apr 7 15:29:04 IrisP-L-1 charon: 04[NET] sending packet: from 172.16.150.1:4500 to 172.16.0.1:4500 (76 bytes)
Apr 7 15:29:06 IrisP-L-1 charon: 14[IKE] path probing attempt 8
Apr 7 15:29:06 IrisP-L-1 charon: 14[IKE] checking path 172.16.150.1:4500 - 172.16.0.1:4500
Apr 7 15:29:06 IrisP-L-1 charon: 14[NET] sending packet: from 172.16.150.1:4500 to 172.16.0.1:4500 (76 bytes)
Apr 7 15:29:09 IrisP-L-1 charon: 13[IKE] path probing attempt 9
Apr 7 15:29:09 IrisP-L-1 charon: 13[IKE] checking path 172.16.150.1:4500 - 172.16.0.1:4500
Apr 7 15:29:09 IrisP-L-1 charon: 13[NET] sending packet: from 172.16.150.1:4500 to 172.16.0.1:4500 (76 bytes)
Apr 7 15:29:09 IrisP-L-1 charon: 03[NET] error writing to socket: Invalid argument
Apr 7 15:29:11 IrisP-L-1 charon: 11[IKE] path probing attempt 10
Apr 7 15:29:11 IrisP-L-1 charon: 11[IKE] checking path 172.16.150.1:4500 - 172.16.0.1:4500
Apr 7 15:29:11 IrisP-L-1 charon: 11[NET] sending packet: from 172.16.150.1:4500 to 172.16.0.1:4500 (76 bytes)
Apr 7 15:29:14 IrisP-L-1 charon: 13[IKE] giving up after 10 path probings
Apr 7 15:29:14 IrisP-L-1 charon: 13[IKE] installing new virtual IP 192.168.0.3
Apr 7 15:29:14 IrisP-L-1 charon: 13[IKE] restarting CHILD_SA gsgw
Apr 7 15:29:14 IrisP-L-1 charon: 13[IKE] initiating IKE_SA gsgw2 to 172.16.0.1
Apr 7 15:29:14 IrisP-L-1 charon: 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Apr 7 15:29:14 IrisP-L-1 charon: 13[NET] sending packet: from 172.16.150.1:500 to 172.16.0.1:500 (1308 bytes)
Apr 7 15:29:14 IrisP-L-1 charon: 13[IKE] removing DNS server 10.2.0.2 from /etc/resolv.conf
Apr 7 15:29:14 IrisP-L-1 charon: 10[NET] received packet: from 172.16.0.1:500 to 172.16.150.1:500 (312 bytes)
Apr 7 15:29:14 IrisP-L-1 charon: 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Apr 7 15:29:14 IrisP-L-1 charon: 10[IKE] remote host is behind NAT
Apr 7 15:29:14 IrisP-L-1 charon: 10[IKE] sending cert request for "C=UK, O=IRIS, CN=IRIS-P CA"
Apr 7 15:29:14 IrisP-L-1 charon: 10[IKE] authentication of 'C=UK, O=IRIS, CN=irisp-l-1' (myself) with RSA signature successful
Apr 7 15:29:14 IrisP-L-1 charon: 10[IKE] establishing CHILD_SA gsgw{1}
Apr 7 15:29:14 IrisP-L-1 charon: 10[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Apr 7 15:29:14 IrisP-L-1 charon: 10[NET] sending packet: from 172.16.150.1:4500 to 172.16.0.1:4500 (732 bytes)
Apr 7 15:29:14 IrisP-L-1 charon: 07[NET] received packet: from 172.16.0.1:4500 to 172.16.150.1:4500 (524 bytes)
Apr 7 15:29:14 IrisP-L-1 charon: 07[ENC] parsed IKE_AUTH response 1 [ IDr AUTH CPRP SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Apr 7 15:29:14 IrisP-L-1 charon: 07[CFG] using trusted ca certificate "C=UK, O=IRIS, CN=IRIS-P CA"
Apr 7 15:29:14 IrisP-L-1 charon: 07[CFG] checking certificate status of "C=UK, O=IRIS, CN=irisp-l-2"
Apr 7 15:29:14 IrisP-L-1 charon: 07[CFG] certificate status is not available
Apr 7 15:29:14 IrisP-L-1 charon: 07[CFG] reached self-signed root ca with a path length of 0
Apr 7 15:29:14 IrisP-L-1 charon: 07[CFG] using trusted certificate "C=UK, O=IRIS, CN=irisp-l-2"
Apr 7 15:29:14 IrisP-L-1 charon: 07[IKE] authentication of 'C=UK, O=IRIS, CN=irisp-l-2' with RSA signature successful
Apr 7 15:29:14 IrisP-L-1 charon: 07[IKE] IKE_SA gsgw2 established between 172.16.150.1[C=UK, O=IRIS, CN=irisp-l-1]...172.16.0.1[C=UK, O=IRIS, CN=irisp-l-2]
Apr 7 15:29:14 IrisP-L-1 charon: 07[IKE] installing DNS server 10.2.0.2 to /etc/resolv.conf
Apr 7 15:29:14 IrisP-L-1 charon: 07[IKE] installing new virtual IP 192.168.0.1
Apr 7 15:29:14 IrisP-L-1 charon: 07[IKE] CHILD_SA gsgw{1} established with SPIs b273b5e0_i ca9eb829_o and TS 192.168.0.1/32 === 10.2.0.0/24
Apr 7 15:29:14 IrisP-L-1 charon: 07[IKE] peer supports MOBIKE
Apr 7 15:29:54 IrisP-L-1 charon: 11[NET] received packet: from 172.16.0.1:4500 to 172.16.150.1:4500 (124 bytes)
Apr 7 15:29:54 IrisP-L-1 charon: 11[ENC] parsed INFORMATIONAL request 0 [ N(NATD_S_IP) N(NATD_D_IP) ]
Apr 7 15:29:54 IrisP-L-1 charon: 11[ENC] generating INFORMATIONAL response 0 [ N(NATD_S_IP) N(NATD_D_IP) ]
Apr 7 15:29:54 IrisP-L-1 charon: 11[NET] sending packet: from 172.16.150.1:4500 to 172.16.0.1:4500 (124 bytes)

HA server 1: ==========================
Apr 7 15:28:12 IrisP-L-2-1 charon: 04[NET] received packet: from 172.16.10.1:500 to 10.1.0.1:500 (1308 bytes)
Apr 7 15:28:12 IrisP-L-2-1 charon: 04[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Apr 7 15:28:12 IrisP-L-2-1 charon: 04[IKE] 172.16.10.1 is initiating an IKE_SA
Apr 7 15:28:12 IrisP-L-2-1 charon: 04[IKE] local host is behind NAT, sending keep alives
Apr 7 15:28:12 IrisP-L-2-1 charon: 04[IKE] remote host is behind NAT
Apr 7 15:28:12 IrisP-L-2-1 charon: 04[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Apr 7 15:28:12 IrisP-L-2-1 charon: 04[NET] sending packet: from 10.1.0.1:500 to 172.16.10.1:500 (312 bytes)
Apr 7 15:28:12 IrisP-L-2-1 charon: 08[NET] received packet: from 172.16.10.1:4500 to 10.1.0.1:4500 (716 bytes)
Apr 7 15:28:12 IrisP-L-2-1 charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Apr 7 15:28:12 IrisP-L-2-1 charon: 08[IKE] received cert request for "C=UK, O=IRIS, CN=IRIS-P CA"
Apr 7 15:28:12 IrisP-L-2-1 charon: 08[CFG] looking for peer configs matching 10.1.0.1[C=UK, O=IRIS, CN=irisp-l-2]...172.16.10.1[C=UK, O=IRIS, CN=irisp-l-1]
Apr 7 15:28:12 IrisP-L-2-1 charon: 08[CFG] selected peer config 'irisp-l-1'
Apr 7 15:28:12 IrisP-L-2-1 charon: 08[CFG] using trusted ca certificate "C=UK, O=IRIS, CN=IRIS-P CA"
Apr 7 15:28:12 IrisP-L-2-1 charon: 08[CFG] checking certificate status of "C=UK, O=IRIS, CN=irisp-l-1"
Apr 7 15:28:12 IrisP-L-2-1 charon: 08[CFG] certificate status is not available
Apr 7 15:28:12 IrisP-L-2-1 charon: 08[CFG] reached self-signed root ca with a path length of 0
Apr 7 15:28:12 IrisP-L-2-1 charon: 08[CFG] using trusted certificate "C=UK, O=IRIS, CN=irisp-l-1"
Apr 7 15:28:12 IrisP-L-2-1 charon: 08[IKE] authentication of 'C=UK, O=IRIS, CN=irisp-l-1' with RSA signature successful
Apr 7 15:28:12 IrisP-L-2-1 charon: 08[IKE] peer supports MOBIKE
Apr 7 15:28:12 IrisP-L-2-1 charon: 08[IKE] authentication of 'C=UK, O=IRIS, CN=irisp-l-2' (myself) with RSA signature successful
Apr 7 15:28:12 IrisP-L-2-1 charon: 08[IKE] IKE_SA irisp-l-11 established between 10.1.0.1[C=UK, O=IRIS, CN=irisp-l-2]...172.16.10.1[C=UK, O=IRIS, CN=irisp-l-1]
Apr 7 15:28:12 IrisP-L-2-1 charon: 08[IKE] peer requested virtual IP %any
Apr 7 15:28:12 IrisP-L-2-1 charon: 08[CFG] acquired address 192.168.0.3 from HA pool 'asgw'
Apr 7 15:28:12 IrisP-L-2-1 charon: 08[IKE] assigning virtual IP 192.168.0.3 to peer 'C=UK, O=IRIS, CN=irisp-l-1'
Apr 7 15:28:12 IrisP-L-2-1 charon: 08[CFG] handling HA CHILD_SA irisp-l-1{1} 10.2.0.0/24 === 192.168.0.3/32 (segment in: 1*, out: 1*)
Apr 7 15:28:12 IrisP-L-2-1 charon: 08[IKE] CHILD_SA irisp-l-1{1} established with SPIs c1371884_i c33daf56_o and TS 10.2.0.0/24 === 192.168.0.3/32
Apr 7 15:28:12 IrisP-L-2-1 charon: 08[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Apr 7 15:28:12 IrisP-L-2-1 charon: 08[NET] sending packet: from 10.1.0.1:4500 to 172.16.10.1:4500 (524 bytes)
Apr 7 15:28:58 IrisP-L-2-1 charon: 11[IKE] sending keep alive to 172.16.10.1:4500
Apr 7 15:29:08 IrisP-L-2-1 charon: 05[IKE] sending DPD request
Apr 7 15:29:08 IrisP-L-2-1 charon: 05[ENC] generating INFORMATIONAL request 0 [ N(NATD_S_IP) N(NATD_D_IP) ]
Apr 7 15:29:08 IrisP-L-2-1 charon: 05[NET] sending packet: from 10.1.0.1:4500 to 172.16.10.1:4500 (124 bytes)
Apr 7 15:29:12 IrisP-L-2-1 charon: 08[IKE] retransmit 1 of request with message ID 0
Apr 7 15:29:12 IrisP-L-2-1 charon: 08[NET] sending packet: from 10.1.0.1:4500 to 172.16.10.1:4500 (124 bytes)
Apr 7 15:29:14 IrisP-L-2-1 charon: 14[IKE] local host is behind NAT, sending keep alives
Apr 7 15:29:14 IrisP-L-2-1 charon: 14[IKE] remote host is behind NAT
Apr 7 15:29:14 IrisP-L-2-1 charon: 14[CFG] installed HA passive IKE_SA 'irisp-l-1' 10.1.0.1[C=UK, O=IRIS, CN=irisp-l-2]...172.16.150.1[C=UK, O=IRIS, CN=irisp-l-1]
Apr 7 15:29:14 IrisP-L-2-1 charon: 14[CFG] installed HA CHILD_SA irisp-l-1{2} 10.2.0.0/24 === 192.168.0.1/32 (segment in: 2, out: 2)
Apr 7 15:29:19 IrisP-L-2-1 charon: 06[IKE] retransmit 2 of request with message ID 0
Apr 7 15:29:19 IrisP-L-2-1 charon: 06[NET] sending packet: from 10.1.0.1:4500 to 172.16.10.1:4500 (124 bytes)
Apr 7 15:29:32 IrisP-L-2-1 charon: 08[IKE] retransmit 3 of request with message ID 0
Apr 7 15:29:32 IrisP-L-2-1 charon: 08[NET] sending packet: from 10.1.0.1:4500 to 172.16.10.1:4500 (124 bytes)
Apr 7 15:29:44 IrisP-L-2-1 charon: 06[IKE] sending keep alive to 172.16.150.1:4500

HA server 2: ==========================
Apr 7 15:28:12 IrisP-L-2 charon: 06[IKE] local host is behind NAT, sending keep alives
Apr 7 15:28:12 IrisP-L-2 charon: 06[IKE] remote host is behind NAT
Apr 7 15:28:12 IrisP-L-2 charon: 06[CFG] installed HA passive IKE_SA 'irisp-l-1' 10.1.0.1[C=UK, O=IRIS, CN=irisp-l-2]...172.16.10.1[C=UK, O=IRIS, CN=irisp-l-1]
Apr 7 15:28:12 IrisP-L-2 charon: 06[CFG] installed HA CHILD_SA irisp-l-1{1} 10.2.0.0/24 === 192.168.0.3/32 (segment in: 1, out: 1)
Apr 7 15:28:12 IrisP-L-2 charon: 06[CFG] reserved address 192.168.0.3 in HA pool 'asgw'
Apr 7 15:28:46 IrisP-L-2 charon: 13[NET] received packet: from 172.16.150.1:4500 to 10.1.0.1:4500 (76 bytes)
Apr 7 15:28:49 IrisP-L-2 charon: 13[NET] received packet: from 172.16.150.1:4500 to 10.1.0.1:4500 (76 bytes)
Apr 7 15:28:51 IrisP-L-2 charon: 11[NET] received packet: from 172.16.150.1:4500 to 10.1.0.1:4500 (76 bytes)
Apr 7 15:28:54 IrisP-L-2 charon: 11[NET] received packet: from 172.16.150.1:4500 to 10.1.0.1:4500 (76 bytes)
Apr 7 15:28:54 IrisP-L-2 charon: 10[IKE] sending keep alive to 172.16.10.1:4500
Apr 7 15:28:56 IrisP-L-2 charon: 09[NET] received packet: from 172.16.150.1:4500 to 10.1.0.1:4500 (76 bytes)
Apr 7 15:28:59 IrisP-L-2 charon: 10[NET] received packet: from 172.16.150.1:4500 to 10.1.0.1:4500 (76 bytes)
Apr 7 15:29:01 IrisP-L-2 charon: 11[NET] received packet: from 172.16.150.1:4500 to 10.1.0.1:4500 (76 bytes)
Apr 7 15:29:04 IrisP-L-2 charon: 15[NET] received packet: from 172.16.150.1:4500 to 10.1.0.1:4500 (76 bytes)
Apr 7 15:29:06 IrisP-L-2 charon: 14[NET] received packet: from 172.16.150.1:4500 to 10.1.0.1:4500 (76 bytes)
Apr 7 15:29:09 IrisP-L-2 charon: 10[NET] received packet: from 172.16.150.1:4500 to 10.1.0.1:4500 (76 bytes)
Apr 7 15:29:11 IrisP-L-2 charon: 14[NET] received packet: from 172.16.150.1:4500 to 10.1.0.1:4500 (76 bytes)
Apr 7 15:29:14 IrisP-L-2 charon: 02[NET] received packet: from 172.16.150.1:500 to 10.1.0.1:500 (1308 bytes)
Apr 7 15:29:14 IrisP-L-2 charon: 02[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Apr 7 15:29:14 IrisP-L-2 charon: 02[IKE] 172.16.150.1 is initiating an IKE_SA
Apr 7 15:29:14 IrisP-L-2 charon: 02[IKE] local host is behind NAT, sending keep alives
Apr 7 15:29:14 IrisP-L-2 charon: 02[IKE] remote host is behind NAT
Apr 7 15:29:14 IrisP-L-2 charon: 02[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Apr 7 15:29:14 IrisP-L-2 charon: 02[NET] sending packet: from 10.1.0.1:500 to 172.16.150.1:500 (312 bytes)
Apr 7 15:29:14 IrisP-L-2 charon: 09[NET] received packet: from 172.16.150.1:4500 to 10.1.0.1:4500 (732 bytes)
Apr 7 15:29:14 IrisP-L-2 charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Apr 7 15:29:14 IrisP-L-2 charon: 09[IKE] received cert request for "C=UK, O=IRIS, CN=IRIS-P CA"
Apr 7 15:29:14 IrisP-L-2 charon: 09[CFG] looking for peer configs matching 10.1.0.1[C=UK, O=IRIS, CN=irisp-l-2]...172.16.150.1[C=UK, O=IRIS, CN=irisp-l-1]
Apr 7 15:29:14 IrisP-L-2 charon: 09[CFG] selected peer config 'irisp-l-1'
Apr 7 15:29:14 IrisP-L-2 charon: 09[CFG] using trusted ca certificate "C=UK, O=IRIS, CN=IRIS-P CA"
Apr 7 15:29:14 IrisP-L-2 charon: 09[CFG] checking certificate status of "C=UK, O=IRIS, CN=irisp-l-1"
Apr 7 15:29:14 IrisP-L-2 charon: 09[CFG] certificate status is not available
Apr 7 15:29:14 IrisP-L-2 charon: 09[CFG] reached self-signed root ca with a path length of 0
Apr 7 15:29:14 IrisP-L-2 charon: 09[CFG] using trusted certificate "C=UK, O=IRIS, CN=irisp-l-1"
Apr 7 15:29:14 IrisP-L-2 charon: 09[IKE] authentication of 'C=UK, O=IRIS, CN=irisp-l-1' with RSA signature successful
Apr 7 15:29:14 IrisP-L-2 charon: 09[IKE] peer supports MOBIKE
Apr 7 15:29:14 IrisP-L-2 charon: 09[IKE] destroying duplicate IKE_SA for peer 'C=UK, O=IRIS, CN=irisp-l-1', received INITIAL_CONTACT
Apr 7 15:29:14 IrisP-L-2 charon: 09[CFG] released address 192.168.0.3 to HA pool 'asgw'
Apr 7 15:29:14 IrisP-L-2 charon: 09[IKE] authentication of 'C=UK, O=IRIS, CN=irisp-l-2' (myself) with RSA signature successful
Apr 7 15:29:14 IrisP-L-2 charon: 09[IKE] IKE_SA irisp-l-12 established between 10.1.0.1[C=UK, O=IRIS, CN=irisp-l-2]...172.16.150.1[C=UK, O=IRIS, CN=irisp-l-1]
Apr 7 15:29:14 IrisP-L-2 charon: 09[IKE] peer requested virtual IP 192.168.0.3
Apr 7 15:29:14 IrisP-L-2 charon: 09[CFG] acquired address 192.168.0.1 from HA pool 'asgw'
Apr 7 15:29:14 IrisP-L-2 charon: 09[IKE] assigning virtual IP 192.168.0.1 to peer 'C=UK, O=IRIS, CN=irisp-l-1'
Apr 7 15:29:14 IrisP-L-2 charon: 09[CFG] handling HA CHILD_SA irisp-l-1{2} 10.2.0.0/24 === 192.168.0.1/32 (segment in: 2*, out: 2*)
Apr 7 15:29:14 IrisP-L-2 charon: 09[IKE] CHILD_SA irisp-l-1{2} established with SPIs ca9eb829_i b273b5e0_o and TS 10.2.0.0/24 === 192.168.0.1/32
Apr 7 15:29:14 IrisP-L-2 charon: 09[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Apr 7 15:29:14 IrisP-L-2 charon: 09[NET] sending packet: from 10.1.0.1:4500 to 172.16.150.1:4500 (524 bytes)
Apr 7 15:29:44 IrisP-L-2 charon: 02[IKE] sending keep alive to 172.16.150.1:4500
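Added example, not code from the report or from the strongSwan project: a small Python triage script for the symptom visible in the "HA server 2" log above, where a node logs "received packet" from the peer's new address but never logs a matching "parsed ..." line. It assumes the charon syslog line format shown on this page; SAMPLE_HA2 is a constructed extract modelled on that log, and the "same worker thread, no parsed line before its next packet" rule is a heuristic chosen here, not a charon guarantee.

```python
"""Flag packets a charon node received but never parsed (constructed example)."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) charon: "
    r"(?P<thread>\d+)\[(?P<grp>[A-Z]+)\] (?P<msg>.*)$")
RECV_RE = re.compile(
    r"received packet: from (?P<src>\S+) to (?P<dst>\S+) \((?P<len>\d+) bytes\)")
# Matches both "installed HA passive IKE_SA ..." and "IKE_SA x established between ..."
SA_RE = re.compile(
    r"(?:installed HA passive IKE_SA '[^']*'|IKE_SA \S+ established between) "
    r"(?P<local>\S+?)\[[^\]]*\]\.\.\.(?P<remote>\S+?)\[")

# Constructed extract modelled on the HA server 2 log in the report above.
SAMPLE_HA2 = """\
Apr 7 15:28:12 IrisP-L-2 charon: 06[CFG] installed HA passive IKE_SA 'irisp-l-1' 10.1.0.1[C=UK, O=IRIS, CN=irisp-l-2]...172.16.10.1[C=UK, O=IRIS, CN=irisp-l-1]
Apr 7 15:28:46 IrisP-L-2 charon: 13[NET] received packet: from 172.16.150.1:4500 to 10.1.0.1:4500 (76 bytes)
Apr 7 15:28:49 IrisP-L-2 charon: 13[NET] received packet: from 172.16.150.1:4500 to 10.1.0.1:4500 (76 bytes)
Apr 7 15:28:51 IrisP-L-2 charon: 11[NET] received packet: from 172.16.150.1:4500 to 10.1.0.1:4500 (76 bytes)
Apr 7 15:29:14 IrisP-L-2 charon: 02[NET] received packet: from 172.16.150.1:500 to 10.1.0.1:500 (1308 bytes)
Apr 7 15:29:14 IrisP-L-2 charon: 02[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
"""


def parse(text):
    """Split a charon syslog extract into dicts; lines that do not match are ignored."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def dropped_packets(text):
    """Received packets with no 'parsed ...' line from the same worker thread
    before that thread's next received packet (or the end of the log).
    Heuristic: a thread that parses a packet logs it before taking the next one."""
    pending = {}          # thread -> receive event still waiting for a 'parsed' line
    dropped = []
    for e in parse(text):
        m = RECV_RE.search(e["msg"])
        if m:
            if e["thread"] in pending:
                dropped.append(pending.pop(e["thread"]))
            pending[e["thread"]] = {"ts": e["ts"], "src": m["src"],
                                    "dst": m["dst"], "len": int(m["len"])}
        elif e["msg"].startswith("parsed ") and e["thread"] in pending:
            pending.pop(e["thread"])
    dropped.extend(pending.values())
    return sorted(dropped, key=lambda d: d["ts"])


def known_peer_addresses(text):
    """Remote addresses of IKE_SAs this node owns or holds as HA passive copies."""
    return {m["remote"] for e in parse(text)
            for m in [SA_RE.search(e["msg"])] if m}


def summarize(text):
    """Per source IP: dropped-packet count and whether that IP is a peer address
    of any IKE_SA the node knows. count > 0 with known_peer False is the
    symptom in the report: probes from an address the node has no SA for."""
    peers = known_peer_addresses(text)
    summary = defaultdict(lambda: {"count": 0, "known_peer": False})
    for d in dropped_packets(text):
        ip = d["src"].rsplit(":", 1)[0]
        summary[ip]["count"] += 1
        summary[ip]["known_peer"] = ip in peers
    return dict(summary)


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_HA2).items():
        print(f"{ip}: {info['count']} unparsed packet(s), known peer: {info['known_peer']}")
```

Run against the full logs of each cluster node; packets that the active node parses but the passive node only receives point at the SA-responsibility split Martin describes below.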

History

#1 Updated by Martin Willi over 5 years ago

Hi Peter,

Most likely there is a synchronization issue when MOBIKE is involved. If the peer changes its address, this affects node responsibility. However, I don't think the HA plugin currently can handle that, so I'd consider MOBIKE not really supported in HA mode.

Regards
Martin
