
Bug #2610

Updated by Tobias Brunner about 4 years ago

Hi

<pre>
GW-A <-------Tunnel ---------> GW-B
40.1                           40.2
</pre>

I established a host-to-host tunnel between two gateways and the setup works fine initially.
Option 1: add make_before_break=yes in strongswan.conf
Option 2: add the "mark_in=%unique" option on GW-A in ipsec.conf

When only one of the two options is used, the setup works as expected.
But when both options are used, reauthentication fails with the error below:

<pre>
charon: 12[CFG] unable to install policy 40.0.0.1/32 === 40.0.0.2/32 out for reqid 2, the same policy for reqid 1 exists
charon: 12[CFG] unable to install policy 40.0.0.1/32 === 40.0.0.2/32 out for reqid 2, the same policy for reqid 1 exists
charon: 12[IKE] unable to install IPsec policies (SPD) in kernel
</pre>


Can someone please let me know what could be missing in the configuration?
Below are the config files used.

GW-A ipsec.conf
-----------------

<pre>
# cat /etc/ipsec.conf
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1

    leftcert=moonCert.pem
    leftid=@moon.strongswan.org
    leftfirewall=yes
    rightid=@sun.strongswan.org

conn h1
    left=40.0.0.1
    leftsubnet=40.0.0.1/32
    right=40.0.0.2
    rightsubnet=40.0.0.2/32
    auto=add
    type=tunnel
    mark_in=%unique
</pre>


GW-A strongswan.conf
--------------------
<pre>
# cat /etc/strongswan.conf
# /etc/strongswan.conf - strongSwan configuration file

charon {
    load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints curve25519 pubkey gmp random nonce curl kernel-netlink socket-default updown stroke vici connmark
    make_before_break=yes
}
</pre>

GW-B ipsec.conf
----------------
<pre>
config setup

conn %default
    ikelifetime=4m
    keylife=2m
    rekeymargin=30s
    keyingtries=1
    keyexchange=ikev2
    mobike=no
    esp=aes128-sha1

conn sun
    leftcert=sunCert.pem
    leftid=@sun.strongswan.org
    auto=add
    type=tunnel
    lefthostaccess=yes
    leftfirewall=yes
    left=40.0.0.2
    leftsubnet=40.0.0.2/32

conn h1
    rightid=@moon.strongswan.org
    right=40.0.0.1
    rightsubnet=40.0.0.1/32
    also=sun
</pre>



GW-B strongswan.conf
---------------------
<pre>
# cat /etc/strongswan.conf
# strongswan.conf - strongSwan configuration file
#
charon {
    load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation pubkey curve25519 gmp curl kernel-netlink socket-default updown stroke connmark
    make_before_break=yes
}
</pre>

<pre>
root@Debian:~# ipsec start
Starting strongSwan 5.6.1 IPsec [starter]...
!! Your strongswan.conf contains manual plugin load options for charon.
!! This is recommended for experts only, see
!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
root@Debian:~# Apr 3 11:35:23 Debian charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.1, Linux 4.9.30, x86_64)
Apr 3 11:35:23 Debian charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Apr 3 11:35:23 Debian charon: 00[CFG] loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
Apr 3 11:35:23 Debian charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Apr 3 11:35:23 Debian charon: 00[LIB] opening directory '/etc/ipsec.d/aacerts' failed: No such file or directory
Apr 3 11:35:23 Debian charon: 00[CFG] reading directory failed
Apr 3 11:35:23 Debian charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Apr 3 11:35:23 Debian charon: 00[LIB] opening directory '/etc/ipsec.d/ocspcerts' failed: No such file or directory
Apr 3 11:35:23 Debian charon: 00[CFG] reading directory failed
Apr 3 11:35:23 Debian charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Apr 3 11:35:23 Debian charon: 00[LIB] opening directory '/etc/ipsec.d/acerts' failed: No such file or directory
Apr 3 11:35:23 Debian charon: 00[CFG] reading directory failed
Apr 3 11:35:23 Debian charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Apr 3 11:35:23 Debian charon: 00[LIB] opening directory '/etc/ipsec.d/crls' failed: No such file or directory
Apr 3 11:35:23 Debian charon: 00[CFG] reading directory failed
Apr 3 11:35:23 Debian charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Apr 3 11:35:23 Debian charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/moonKey.pem'
Apr 3 11:35:23 Debian charon: 00[LIB] loaded plugins: charon sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints curve25519 pubkey gmp random nonce kernel-netlink socket-default updown stroke vici connmark
Apr 3 11:35:23 Debian charon: 00[JOB] spawning 16 worker threads
Apr 3 11:35:23 Debian charon: 05[CFG] received stroke: add connection 'h1'
Apr 3 11:35:23 Debian charon: 05[CFG] loaded certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" from 'moonCert.pem'
Apr 3 11:35:23 Debian charon: 05[CFG] added configuration 'h1'

root@Debian:~# Apr 3 11:35:28 Debian charon: 07[NET] received packet: from 40.0.0.2[500] to 40.0.0.1[500] (344 bytes)
Apr 3 11:35:28 Debian charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr 3 11:35:28 Debian charon: 07[IKE] 40.0.0.2 is initiating an IKE_SA
Apr 3 11:35:28 Debian charon: 07[IKE] sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Apr 3 11:35:28 Debian charon: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Apr 3 11:35:28 Debian charon: 07[NET] sending packet: from 40.0.0.1[500] to 40.0.0.2[500] (265 bytes)
Apr 3 11:35:28 Debian charon: 08[NET] received packet: from 40.0.0.2[500] to 40.0.0.1[500] (1252 bytes)
Apr 3 11:35:28 Debian charon: 08[ENC] parsed IKE_AUTH request 1 [ EF(1/2) ]
Apr 3 11:35:28 Debian charon: 08[ENC] received fragment #1 of 2, waiting for complete IKE message
Apr 3 11:35:28 Debian charon: 09[NET] received packet: from 40.0.0.2[500] to 40.0.0.1[500] (532 bytes)
Apr 3 11:35:28 Debian charon: 09[ENC] parsed IKE_AUTH request 1 [ EF(2/2) ]
Apr 3 11:35:28 Debian charon: 09[ENC] received fragment #2 of 2, reassembling fragmented IKE message
Apr 3 11:35:28 Debian charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Apr 3 11:35:28 Debian charon: 09[IKE] received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Apr 3 11:35:28 Debian charon: 09[IKE] received end entity cert "C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
Apr 3 11:35:28 Debian charon: 09[CFG] looking for peer configs matching 40.0.0.1[moon.strongswan.org]...40.0.0.2[sun.strongswan.org]
Apr 3 11:35:28 Debian charon: 09[CFG] selected peer config 'h1'
Apr 3 11:35:28 Debian charon: 09[CFG] using certificate "C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
Apr 3 11:35:28 Debian charon: 09[CFG] using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Apr 3 11:35:28 Debian charon: 09[CFG] checking certificate status of "C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
Apr 3 11:35:28 Debian charon: 09[CFG] fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
Apr 3 11:35:28 Debian charon: 09[LIB] unable to fetch from http://crl.strongswan.org/strongswan.crl, no capable fetcher found
Apr 3 11:35:28 Debian charon: 09[CFG] crl fetching failed
Apr 3 11:35:28 Debian charon: 09[CFG] certificate status is not available
Apr 3 11:35:28 Debian charon: 09[CFG] reached self-signed root ca with a path length of 0
Apr 3 11:35:28 Debian charon: 09[IKE] authentication of 'sun.strongswan.org' with RSA_EMSA_PKCS1_SHA2_256 successful
Apr 3 11:35:28 Debian charon: 09[IKE] authentication of 'moon.strongswan.org' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Apr 3 11:35:28 Debian charon: 09[IKE] IKE_SA h1[1] established between 40.0.0.1[moon.strongswan.org]...40.0.0.2[sun.strongswan.org]
Apr 3 11:35:28 Debian charon: 09[IKE] scheduling reauthentication in 3379s
Apr 3 11:35:28 Debian charon: 09[IKE] maximum IKE_SA lifetime 3559s
Apr 3 11:35:28 Debian charon: 09[IKE] sending end entity cert "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
Apr 3 11:35:28 Debian charon: 09[IKE] CHILD_SA h1{1} established with SPIs c23ff77f_i ce91be0d_o and TS 40.0.0.1/32 === 40.0.0.2/32
Apr 3 11:35:28 Debian vpn: + sun.strongswan.org 40.0.0.2 -- 40.0.0.1
Apr 3 11:35:28 Debian charon: 09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ]
Apr 3 11:35:28 Debian charon: 09[ENC] splitting IKE message with length of 1552 bytes into 2 fragments
Apr 3 11:35:28 Debian charon: 09[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Apr 3 11:35:28 Debian charon: 09[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Apr 3 11:35:28 Debian charon: 09[NET] sending packet: from 40.0.0.1[500] to 40.0.0.2[500] (1252 bytes)
Apr 3 11:35:28 Debian charon: 09[NET] sending packet: from 40.0.0.1[500] to 40.0.0.2[500] (372 bytes)
</pre>


<pre>
root@Debian:~# ip xfrm policy
src 40.0.0.1/32 dst 40.0.0.2/32
dir out priority 367231 ptype main
tmpl src 40.0.0.1 dst 40.0.0.2
proto esp spi 0xce91be0d reqid 1 mode tunnel
src 40.0.0.2/32 dst 40.0.0.1/32
dir fwd priority 367231 ptype main
mark 0x1/0xffffffff
tmpl src 40.0.0.2 dst 40.0.0.1
proto esp reqid 1 mode tunnel
src 40.0.0.2/32 dst 40.0.0.1/32
dir in priority 367231 ptype main
mark 0x1/0xffffffff
tmpl src 40.0.0.2 dst 40.0.0.1
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
root@Debian:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.1, Linux 4.9.30, x86_64):
uptime: 34 seconds, since Apr 03 11:35:22 2018
malloc: sbrk 1757184, mmap 0, used 276768, free 1480416
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
loaded plugins: charon sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints curve25519 pubkey gmp random nonce kernel-netlink socket-default updown stroke vici connmark
Listening IP addresses:
10.161.6.117
40.0.0.1
Connections:
h1: 40.0.0.1...40.0.0.2 IKEv1/2
h1: local: [moon.strongswan.org] uses public key authentication
h1: cert: "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
h1: remote: [sun.strongswan.org] uses public key authentication
h1: child: 40.0.0.1/32 === 40.0.0.2/32 TUNNEL
Security Associations (1 up, 0 connecting):
h1[1]: ESTABLISHED 29 seconds ago, 40.0.0.1[moon.strongswan.org]...40.0.0.2[sun.strongswan.org]
h1[1]: IKEv2 SPIs: ba1f561bc7de8223_i 0e0a5553fcaf51c3_r*, public key reauthentication in 55 minutes
h1[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
h1{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c23ff77f_i ce91be0d_o
h1{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 15 minutes
h1{1}: 40.0.0.1/32 === 40.0.0.2/32
root@Debian:~# Apr 3 11:36:44 Debian charon: 14[NET] received packet: from 40.0.0.2[500] to 40.0.0.1[500] (304 bytes)
Apr 3 11:36:44 Debian charon: 14[ENC] parsed CREATE_CHILD_SA request 2 [ N(REKEY_SA) SA No TSi TSr ]
Apr 3 11:36:44 Debian charon: 14[IKE] inbound CHILD_SA h1{2} established with SPIs caf4a366_i cc46699a_o and TS 40.0.0.1/32 === 40.0.0.2/32
Apr 3 11:36:44 Debian charon: 14[ENC] generating CREATE_CHILD_SA response 2 [ SA No TSi TSr ]
Apr 3 11:36:44 Debian charon: 14[NET] sending packet: from 40.0.0.1[500] to 40.0.0.2[500] (208 bytes)
Apr 3 11:36:44 Debian charon: 15[NET] received packet: from 40.0.0.2[500] to 40.0.0.1[500] (80 bytes)
Apr 3 11:36:44 Debian charon: 15[ENC] parsed INFORMATIONAL request 3 [ D ]
Apr 3 11:36:44 Debian charon: 15[IKE] received DELETE for ESP CHILD_SA with SPI ce91be0d
Apr 3 11:36:44 Debian charon: 15[IKE] closing CHILD_SA h1{1} with SPIs c23ff77f_i (0 bytes) ce91be0d_o (0 bytes) and TS 40.0.0.1/32 === 40.0.0.2/32
Apr 3 11:36:44 Debian charon: 15[IKE] sending DELETE for ESP CHILD_SA with SPI c23ff77f
Apr 3 11:36:44 Debian charon: 15[IKE] CHILD_SA closed
Apr 3 11:36:44 Debian charon: 15[IKE] outbound CHILD_SA h1{2} established with SPIs caf4a366_i cc46699a_o and TS 40.0.0.1/32 === 40.0.0.2/32
Apr 3 11:36:44 Debian charon: 15[ENC] generating INFORMATIONAL response 3 [ D ]
Apr 3 11:36:44 Debian charon: 15[NET] sending packet: from 40.0.0.1[500] to 40.0.0.2[500] (80 bytes)

root@Debian:~# ip xfrm policy
src 40.0.0.1/32 dst 40.0.0.2/32
dir out priority 367231 ptype main
tmpl src 40.0.0.1 dst 40.0.0.2
proto esp spi 0xcc46699a reqid 1 mode tunnel
src 40.0.0.2/32 dst 40.0.0.1/32
dir fwd priority 367231 ptype main
mark 0x1/0xffffffff
tmpl src 40.0.0.2 dst 40.0.0.1
proto esp reqid 1 mode tunnel
src 40.0.0.2/32 dst 40.0.0.1/32
dir in priority 367231 ptype main
mark 0x1/0xffffffff
tmpl src 40.0.0.2 dst 40.0.0.1
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
root@Debian:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.1, Linux 4.9.30, x86_64):
uptime: 109 seconds, since Apr 03 11:35:23 2018
malloc: sbrk 2297856, mmap 0, used 283232, free 2014624
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints curve25519 pubkey gmp random nonce kernel-netlink socket-default updown stroke vici connmark
Listening IP addresses:
10.161.6.117
40.0.0.1
Connections:
h1: 40.0.0.1...40.0.0.2 IKEv1/2
h1: local: [moon.strongswan.org] uses public key authentication
h1: cert: "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
h1: remote: [sun.strongswan.org] uses public key authentication
h1: child: 40.0.0.1/32 === 40.0.0.2/32 TUNNEL
Security Associations (1 up, 0 connecting):
h1[1]: ESTABLISHED 104 seconds ago, 40.0.0.1[moon.strongswan.org]...40.0.0.2[sun.strongswan.org]
h1[1]: IKEv2 SPIs: ba1f561bc7de8223_i 0e0a5553fcaf51c3_r*, public key reauthentication in 54 minutes
h1[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
h1{2}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: caf4a366_i cc46699a_o
h1{2}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 13 minutes
h1{2}: 40.0.0.1/32 === 40.0.0.2/32
root@Debian:~# Apr 3 11:37:59 Debian charon: 07[NET] received packet: from 40.0.0.2[500] to 40.0.0.1[500] (304 bytes)
Apr 3 11:37:59 Debian charon: 07[ENC] parsed CREATE_CHILD_SA request 4 [ N(REKEY_SA) SA No TSi TSr ]
Apr 3 11:37:59 Debian charon: 07[IKE] inbound CHILD_SA h1{3} established with SPIs cc7d4ff1_i c198d4d8_o and TS 40.0.0.1/32 === 40.0.0.2/32
Apr 3 11:37:59 Debian charon: 07[ENC] generating CREATE_CHILD_SA response 4 [ SA No TSi TSr ]
Apr 3 11:37:59 Debian charon: 07[NET] sending packet: from 40.0.0.1[500] to 40.0.0.2[500] (208 bytes)
Apr 3 11:37:59 Debian charon: 08[NET] received packet: from 40.0.0.2[500] to 40.0.0.1[500] (80 bytes)
Apr 3 11:37:59 Debian charon: 08[ENC] parsed INFORMATIONAL request 5 [ D ]
Apr 3 11:37:59 Debian charon: 08[IKE] received DELETE for ESP CHILD_SA with SPI cc46699a
Apr 3 11:37:59 Debian charon: 08[IKE] closing CHILD_SA h1{2} with SPIs caf4a366_i (0 bytes) cc46699a_o (0 bytes) and TS 40.0.0.1/32 === 40.0.0.2/32
Apr 3 11:37:59 Debian charon: 08[IKE] sending DELETE for ESP CHILD_SA with SPI caf4a366
Apr 3 11:37:59 Debian charon: 08[IKE] CHILD_SA closed
Apr 3 11:37:59 Debian charon: 08[IKE] outbound CHILD_SA h1{3} established with SPIs cc7d4ff1_i c198d4d8_o and TS 40.0.0.1/32 === 40.0.0.2/32
Apr 3 11:37:59 Debian charon: 08[ENC] generating INFORMATIONAL response 5 [ D ]
Apr 3 11:37:59 Debian charon: 08[NET] sending packet: from 40.0.0.1[500] to 40.0.0.2[500] (80 bytes)

root@Debian:~# Apr 3 11:38:39 Debian charon: 09[NET] received packet: from 40.0.0.2[500] to 40.0.0.1[500] (344 bytes)
Apr 3 11:38:39 Debian charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr 3 11:38:39 Debian charon: 09[IKE] 40.0.0.2 is initiating an IKE_SA
Apr 3 11:38:39 Debian charon: 09[IKE] sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Apr 3 11:38:39 Debian charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Apr 3 11:38:39 Debian charon: 09[NET] sending packet: from 40.0.0.1[500] to 40.0.0.2[500] (265 bytes)
Apr 3 11:38:39 Debian charon: 11[NET] received packet: from 40.0.0.2[500] to 40.0.0.1[500] (532 bytes)
Apr 3 11:38:39 Debian charon: 11[ENC] parsed IKE_AUTH request 1 [ EF(2/2) ]
Apr 3 11:38:39 Debian charon: 11[ENC] received fragment #2 of 2, waiting for complete IKE message
Apr 3 11:38:39 Debian charon: 12[NET] received packet: from 40.0.0.2[500] to 40.0.0.1[500] (1252 bytes)
Apr 3 11:38:39 Debian charon: 12[ENC] parsed IKE_AUTH request 1 [ EF(1/2) ]
Apr 3 11:38:39 Debian charon: 12[ENC] received fragment #1 of 2, reassembling fragmented IKE message
Apr 3 11:38:39 Debian charon: 12[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Apr 3 11:38:39 Debian charon: 12[IKE] received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Apr 3 11:38:39 Debian charon: 12[IKE] received end entity cert "C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
Apr 3 11:38:39 Debian charon: 12[CFG] looking for peer configs matching 40.0.0.1[moon.strongswan.org]...40.0.0.2[sun.strongswan.org]
Apr 3 11:38:39 Debian charon: 12[CFG] selected peer config 'h1'
Apr 3 11:38:39 Debian charon: 12[CFG] using certificate "C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
Apr 3 11:38:39 Debian charon: 12[CFG] using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Apr 3 11:38:39 Debian charon: 12[CFG] checking certificate status of "C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
Apr 3 11:38:39 Debian charon: 12[CFG] fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
Apr 3 11:38:39 Debian charon: 12[LIB] unable to fetch from http://crl.strongswan.org/strongswan.crl, no capable fetcher found
Apr 3 11:38:39 Debian charon: 12[CFG] crl fetching failed
Apr 3 11:38:39 Debian charon: 12[CFG] certificate status is not available
Apr 3 11:38:39 Debian charon: 12[CFG] reached self-signed root ca with a path length of 0
Apr 3 11:38:39 Debian charon: 12[IKE] authentication of 'sun.strongswan.org' with RSA_EMSA_PKCS1_SHA2_256 successful
Apr 3 11:38:39 Debian charon: 12[IKE] authentication of 'moon.strongswan.org' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Apr 3 11:38:39 Debian charon: 12[IKE] IKE_SA h1[2] established between 40.0.0.1[moon.strongswan.org]...40.0.0.2[sun.strongswan.org]
Apr 3 11:38:39 Debian charon: 12[IKE] scheduling reauthentication in 3355s
Apr 3 11:38:39 Debian charon: 12[IKE] maximum IKE_SA lifetime 3535s
Apr 3 11:38:39 Debian charon: 12[IKE] sending end entity cert "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
Apr 3 11:38:39 Debian charon: 12[CFG] unable to install policy 40.0.0.1/32 === 40.0.0.2/32 out for reqid 2, the same policy for reqid 1 exists
Apr 3 11:38:39 Debian charon: 12[CFG] unable to install policy 40.0.0.1/32 === 40.0.0.2/32 out for reqid 2, the same policy for reqid 1 exists
Apr 3 11:38:39 Debian charon: 12[IKE] unable to install IPsec policies (SPD) in kernel
Apr 3 11:38:39 Debian charon: 12[IKE] failed to establish CHILD_SA, keeping IKE_SA
Apr 3 11:38:39 Debian charon: 12[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(TS_UNACCEPT) ]
Apr 3 11:38:39 Debian charon: 12[ENC] splitting IKE message with length of 1472 bytes into 2 fragments
Apr 3 11:38:39 Debian charon: 12[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Apr 3 11:38:39 Debian charon: 12[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Apr 3 11:38:39 Debian charon: 12[NET] sending packet: from 40.0.0.1[500] to 40.0.0.2[500] (1252 bytes)
Apr 3 11:38:39 Debian charon: 12[NET] sending packet: from 40.0.0.1[500] to 40.0.0.2[500] (292 bytes)
Apr 3 11:38:39 Debian charon: 04[NET] received packet: from 40.0.0.2[500] to 40.0.0.1[500] (80 bytes)
Apr 3 11:38:39 Debian charon: 04[ENC] parsed INFORMATIONAL request 6 [ D ]
Apr 3 11:38:39 Debian charon: 04[IKE] received DELETE for IKE_SA h1[1]
Apr 3 11:38:39 Debian charon: 04[IKE] deleting IKE_SA h1[1] between 40.0.0.1[moon.strongswan.org]...40.0.0.2[sun.strongswan.org]
Apr 3 11:38:39 Debian charon: 04[IKE] IKE_SA deleted
Apr 3 11:38:39 Debian vpn: - sun.strongswan.org 40.0.0.2 -- 40.0.0.1
Apr 3 11:38:39 Debian charon: 04[ENC] generating INFORMATIONAL response 6 [ ]
Apr 3 11:38:39 Debian charon: 04[NET] sending packet: from 40.0.0.1[500] to 40.0.0.2[500] (80 bytes)
root@Debian:~# ip xfrm policy
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
root@Debian:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.1, Linux 4.9.30, x86_64):
uptime: 3 minutes, since Apr 03 11:35:23 2018
malloc: sbrk 2433024, mmap 0, used 284672, free 2148352
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
loaded plugins: charon sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints curve25519 pubkey gmp random nonce kernel-netlink socket-default updown stroke vici connmark
Listening IP addresses:
10.161.6.117
40.0.0.1
Connections:
h1: 40.0.0.1...40.0.0.2 IKEv1/2
h1: local: [moon.strongswan.org] uses public key authentication
h1: cert: "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
h1: remote: [sun.strongswan.org] uses public key authentication
h1: child: 40.0.0.1/32 === 40.0.0.2/32 TUNNEL
Security Associations (1 up, 0 connecting):
h1[2]: ESTABLISHED 10 seconds ago, 40.0.0.1[moon.strongswan.org]...40.0.0.2[sun.strongswan.org]
h1[2]: IKEv2 SPIs: 5e5d72a1af22e950_i 5dc564b9ef72fbf3_r*, public key reauthentication in 55 minutes
h1[2]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
</pre>
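The refused install can be reproduced offline from the xfrm dump above. The following is an added example written for this page, not code from the report or from strongSwan: it parses `ip xfrm policy` text, builds the three SPD entries a new tunnel-mode CHILD_SA installs, and applies the rule behind charon's message (an entry is identified by selector, direction and mark; the reqid is not part of that identity, so a second entry with the same key but another reqid is refused). The snapshot text is constructed from the dump shown after the first rekeying. reqid 2 is taken from the log; the mark value 0x2 assumed for the reauthenticated CHILD_SA, and all function names, are assumptions and not values from the report.

```python
import re

# Constructed snapshot of `ip xfrm policy` on GW-A after the first rekeying,
# copied from the dump in the report: reqid 1, mark only on the in/fwd entries.
INSTALLED = """\
src 40.0.0.1/32 dst 40.0.0.2/32
    dir out priority 367231 ptype main
    tmpl src 40.0.0.1 dst 40.0.0.2
        proto esp spi 0xcc46699a reqid 1 mode tunnel
src 40.0.0.2/32 dst 40.0.0.1/32
    dir fwd priority 367231 ptype main
    mark 0x1/0xffffffff
    tmpl src 40.0.0.2 dst 40.0.0.1
        proto esp reqid 1 mode tunnel
src 40.0.0.2/32 dst 40.0.0.1/32
    dir in priority 367231 ptype main
    mark 0x1/0xffffffff
    tmpl src 40.0.0.2 dst 40.0.0.1
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
"""

FULL_MASK = 0xffffffff


def parse_xfrm_policies(text):
    """Parse `ip xfrm policy` output into dicts; per-socket policies are dropped."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^src (\S+) dst (\S+)$", line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2), "dir": None,
                   "mark": None, "reqid": None, "socket": False}
            policies.append(cur)
            continue
        if cur is None or not line:
            continue
        if line.startswith("socket "):
            cur["socket"] = True
        m = re.match(r"^dir (\w+) priority (\d+)", line)
        if m:
            cur["dir"], cur["priority"] = m.group(1), int(m.group(2))
        m = re.match(r"^mark (0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+)$", line)
        if m:
            cur["mark"] = (int(m.group(1), 16), int(m.group(2), 16))
        m = re.search(r"\breqid (\d+)\b", line)
        if m:
            cur["reqid"] = int(m.group(1))
    return [p for p in policies if not p["socket"]]


def policy_key(p):
    """What makes two SPD entries 'the same policy' in charon's check: selector,
    direction and mark. The reqid is deliberately not part of the key."""
    return (p["src"], p["dst"], p["dir"], p["mark"])


def child_sa_policies(local, remote, reqid, mark_in=None, mark_out=None):
    """The three entries a tunnel-mode CHILD_SA between two /32 hosts installs.
    mark_in lands on the in and fwd entries and mark_out on the out entry, the
    placement visible in the report's dump (mark_in=%unique marks only in/fwd)."""
    def entry(src, dst, direction, mark):
        return {"src": src, "dst": dst, "dir": direction, "mark": mark,
                "reqid": reqid, "socket": False}
    return [entry(local, remote, "out", mark_out),
            entry(remote, local, "fwd", mark_in),
            entry(remote, local, "in", mark_in)]


def check_install(installed, new):
    """Apply charon's rule: an entry whose key already exists with a different
    reqid cannot be installed. Returns (installable, conflicts); each conflict
    is (direction, new reqid, existing reqid)."""
    existing = {policy_key(p): p["reqid"] for p in installed}
    installable, conflicts = [], []
    for p in new:
        old = existing.get(policy_key(p))
        if old is not None and old != p["reqid"]:
            conflicts.append((p["dir"], p["reqid"], old))
        else:
            installable.append(p)
    return installable, conflicts


def reauth_with_unique_mark(installed_text, new_reqid, new_mark):
    """make-before-break reauthentication: the new CHILD_SA's entries are
    installed while the old ones (parsed from installed_text) still exist."""
    new = child_sa_policies("40.0.0.1/32", "40.0.0.2/32", new_reqid,
                            mark_in=(new_mark, FULL_MASK), mark_out=None)
    return check_install(parse_xfrm_policies(installed_text), new)


if __name__ == "__main__":
    # reqid 2 is from the log; mark 0x2 is an assumed value for the next %unique mark
    ok, conflicts = reauth_with_unique_mark(INSTALLED, new_reqid=2, new_mark=0x2)
    for direction, new, old in conflicts:
        print(f"unable to install policy {direction} for reqid {new}, "
              f"the same policy for reqid {old} exists")
    print("installable:", [p["dir"] for p in ok])
```

With make-before-break the new entries are installed while the old CHILD_SA is still up, so the only entry that collides is the outbound one: it carries no mark and is therefore identical to the reqid 1 entry, which is exactly the line charon logs. The in and fwd entries differ by their unique mark and would install fine. Running `check_install` against an empty list models the break-before-make order (old entries removed first) and reports no conflict, which is consistent with the report's observation that mark_in=%unique works on its own.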


