[strongSwan] [IKEv2 Mobike] error uninstalling route installed with policy
amysue.z at gmail.com
Thu Aug 21 15:16:12 CEST 2014
Hi all,
I'm using strongswan to do IKEv2 Mobike. The ipsec.conf is

config setup
    strictcrlpolicy=no
    # charonstart=yes
    # plutostart=no

conn %default
    ikelifetime=28800s
    keylife=28800s
    rekeymargin=3m
    keyingtries=3
    keyexchange=ikev2
    ike=3des-sha1-modp1024
    esp=3des-sha1

conn client
    #left=%any
    #left=%defaultroute
    left=12.12.1.201
    leftsourceip=%config
    leftcert=client1_cert.pem
    leftid="/C=CN/ST=SH/O=SNWL/CN=IKEv2_Client1"
    right=11.11.11.200
    rightid="/C=CN/ST=SH/O=SNWL/CN=11.11.11.200"
    rightsubnet=192.168.168.0/24
    auto=add
The left side is a CentOS 5.9 PC, the right side is a SonicWall box which supports
IKEv2 Mobike.
The PC has two interfaces.
eth1 ip is 12.12.1.201
eth2 ip is 12.12.2.202
SonicWall box wan ip is 11.11.11.200
First PC-eth1 connects to the SonicWall box and gets a dynamic ip address
from the SonicWall box, 172.16.1.20; ping to the right subnet 192.168.168.2 passes.
The ipsec status is
Security Associations (1 up, 0 connecting):
      client[8]: ESTABLISHED 31 seconds ago, 12.12.1.201[C=CN, ST=SH, O=SNWL, CN=IKEv2_Client1]...11.11.11.200[C=CN, ST=SH, O=SNWL, CN=11.11.11.200]
      client{8}: INSTALLED, TUNNEL, ESP SPIs: c6fd4979_i c183bc8c_o
      client{8}: 172.16.1.20/32 === 192.168.168.0/24
Then I ifconfig eth1 down and ifup eth2; the detailed commands are
ifup eth2
route add -net 11.11.11.0 netmask 255.255.255.0 gw 12.12.2.101
ifconfig eth1 down
Then check ipsec status
Security Associations (1 up, 0 connecting):
      client[12]: ESTABLISHED 8 minutes ago, 12.12.2.202[C=CN, ST=SH, O=SNWL, CN=IKEv2_Client1]...11.11.11.200[C=CN, ST=SH, O=SNWL, CN=11.11.11.200]
      client{12}: INSTALLED, TUNNEL, ESP SPIs: c84ed7a1_i 0dbbeb51_o
      client{12}: 172.16.1.20/32 === 192.168.168.0/24
The left side ip has changed from 12.12.1.201 to 12.12.2.202.
But ping to the right subnet 192.168.168.2 fails.
I don't know why ping to the right subnet fails. It should pass.
The charon log is below. There are log lines I have marked in red. Does this error
cause the ping to fail?
error uninstalling route installed with policy 192.168.168.0/24 === 172.16.1.20/32 fwd
Aug 21 18:29:39 03[IKE] initiating IKE_SA client[12] to 11.11.11.200
Aug 21 18:29:39 03[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Aug 21 18:29:39 03[NET] sending packet: from 12.12.1.201[500] to 11.11.11.200[500] (536 bytes)
Aug 21 18:29:39 02[NET] received packet: from 11.11.11.200[500] to 12.12.1.201[500] (337 bytes)
Aug 21 18:29:39 02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ N(NATD_S_IP) N(NATD_D_IP) V ]
Aug 21 18:29:39 02[ENC] received unknown vendor ID: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96:6f:00:01
Aug 21 18:29:39 02[IKE] received cert request for "C=CN, ST=SH, O=SNWL, CN=ROOTCA"
Aug 21 18:29:39 02[IKE] sending cert request for "C=CN, ST=SH, O=SNWL, CN=ROOTCA"
Aug 21 18:29:39 02[IKE] authentication of 'C=CN, ST=SH, O=SNWL, CN=IKEv2_Client1' (myself) with RSA signature successful
Aug 21 18:29:39 02[IKE] sending end entity cert "C=CN, ST=SH, O=SNWL, CN=IKEv2_Client1"
Aug 21 18:29:39 02[IKE] establishing CHILD_SA client
Aug 21 18:29:39 02[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
Aug 21 18:29:39 02[NET] sending packet: from 12.12.1.201[4500] to 11.11.11.200[4500] (1188 bytes)
Aug 21 18:29:39 10[NET] received packet: from 11.11.11.200[4500] to 12.12.1.201[4500] (988 bytes)
Aug 21 18:29:39 10[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) ]
Aug 21 18:29:39 10[IKE] received end entity cert "C=CN, ST=SH, O=SNWL, CN=11.11.11.200"
Aug 21 18:29:39 10[CFG] using certificate "C=CN, ST=SH, O=SNWL, CN=11.11.11.200"
Aug 21 18:29:39 10[CFG] using trusted ca certificate "C=CN, ST=SH, O=SNWL, CN=ROOTCA"
Aug 21 18:29:39 10[CFG] checking certificate status of "C=CN, ST=SH, O=SNWL, CN=11.11.11.200"
Aug 21 18:29:39 10[CFG] certificate status is not available
Aug 21 18:29:39 10[CFG] reached self-signed root ca with a path length of 0
Aug 21 18:29:39 10[IKE] authentication of 'C=CN, ST=SH, O=SNWL, CN=11.11.11.200' with RSA signature successful
Aug 21 18:29:39 10[IKE] IKE_SA client[12] established between 12.12.1.201[C=CN, ST=SH, O=SNWL, CN=IKEv2_Client1]...11.11.11.200[C=CN, ST=SH, O=SNWL, CN=11.11.11.200]
Aug 21 18:29:39 10[IKE] scheduling reauthentication in 28502s
Aug 21 18:29:39 10[IKE] maximum IKE_SA lifetime 28682s
Aug 21 18:29:39 10[IKE] installing DNS server 11.11.11.111 to /etc/resolv.conf
Aug 21 18:29:39 10[IKE] installing new virtual IP 172.16.1.20
Aug 21 18:29:39 10[IKE] CHILD_SA client{12} established with SPIs c84ed7a1_i 0dbbeb51_o and TS 172.16.1.20/32 === 192.168.168.0/24
Aug 21 18:29:39 10[IKE] peer supports MOBIKE
Aug 21 18:29:56 07[KNL] interface eth2 activated
Aug 21 18:29:56 04[IKE] sending address list update using MOBIKE
Aug 21 18:29:56 04[ENC] generating INFORMATIONAL request 2 [ N(ADD_4_ADDR) ]
Aug 21 18:29:56 04[NET] sending packet: from 12.12.1.201[4500] to 11.11.11.200[4500] (68 bytes)
Aug 21 18:29:56 11[NET] received packet: from 11.11.11.200[4500] to 12.12.1.201[4500] (60 bytes)
Aug 21 18:29:56 11[ENC] parsed INFORMATIONAL response 2 [ ]
Aug 21 18:29:57 08[KNL] 12.12.2.202 appeared on eth2
Aug 21 18:29:57 02[IKE] sending address list update using MOBIKE
Aug 21 18:29:57 02[ENC] generating INFORMATIONAL request 3 [ N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Aug 21 18:29:57 02[NET] sending packet: from 12.12.1.201[4500] to 11.11.11.200[4500] (84 bytes)
Aug 21 18:29:57 05[NET] received packet: from 11.11.11.200[4500] to 12.12.1.201[4500] (60 bytes)
Aug 21 18:29:57 05[ENC] parsed INFORMATIONAL response 3 [ ]
Aug 21 18:30:19 09[KNL] interface eth1 deactivated
Aug 21 18:30:19 06[IKE] old path is not available anymore, try to find another
Aug 21 18:30:19 06[IKE] looking for a route to 11.11.11.200 ...
Aug 21 18:30:19 06[IKE] requesting address change using MOBIKE
Aug 21 18:30:19 06[ENC] generating INFORMATIONAL request 4 [ ]
Aug 21 18:30:19 06[IKE] checking path 12.12.2.202[4500] - 11.11.11.200[4500]
Aug 21 18:30:19 06[NET] sending packet: from 12.12.2.202[4500] to 11.11.11.200[4500] (60 bytes)
Aug 21 18:30:19 05[NET] received packet: from 11.11.11.200[4500] to 12.12.2.202[4500] (60 bytes)
Aug 21 18:30:19 05[ENC] parsed INFORMATIONAL response 4 [ ]
Aug 21 18:30:19 05[KNL] unable to copy replay state from old SAD entry with SPI c84ed7a1
Aug 21 18:30:19 05[KNL] unable to copy replay state from old SAD entry with SPI 0dbbeb51
Aug 21 18:30:19 05[KNL] error uninstalling route installed with policy 192.168.168.0/24 === 172.16.1.20/32 fwd
Aug 21 18:30:19 05[NET] sending packet: from 12.12.2.202[4500] to 11.11.11.200[4500] (156 bytes)
Aug 21 18:30:19 09[NET] received packet: from 11.11.11.200[4500] to 12.12.2.202[4500] (140 bytes)
Aug 21 18:30:19 09[ENC] parsed INFORMATIONAL response 5 [ N(NATD_S_IP) N(NATD_D_IP) N(COOKIE2) ]
Thanks
Amy
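The post's charon excerpt shows a MOBIKE address change (12.12.1.201 to 12.12.2.202) followed by three KNL messages from the kernel interface. The following script is an added example, not code from the post or from the strongSwan project: it parses charon log lines of the format shown above, records which local address the IKE_SA was established on, which path MOBIKE switched to, and which kernel errors fired during the update, so the IKE-level path can be compared with the kernel-level failures when triaging a "tunnel up but no traffic" report. Assumptions of my own: the regular expressions match only the message shapes visible in the post, the mail-archive autolinks (`<http://...>`) are stripped before parsing, and KNL messages starting with "unable" are classed as warnings while those starting with "error" are classed as errors. The sample log below is constructed from the post's excerpt.

```python
"""Summarise a MOBIKE address change and kernel (KNL) errors from charon log lines.
Added example; the log format assumed is the one in the mailing-list post."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# charon line shape as shown in the post: "<Mon DD HH:MM:SS> <thread>[<group>] <message>"
LOG_RE = re.compile(r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d) (\d+)\[(\w+)\] (.*)$")
# mail-archive autolinks such as "192.168.168.0/24 <http://192.168.168.0/24>" (assumption)
AUTOLINK_RE = re.compile(r" <https?://[^>]*>")
ESTABLISHED_RE = re.compile(r"IKE_SA (\S+) established between ([\d.]+)\[.*?\]\.\.\.([\d.]+)\[")
PATH_RE = re.compile(r"checking path ([\d.]+)\[\d+\] - ([\d.]+)\[\d+\]")
SEND_RE = re.compile(r"sending packet: from ([\d.]+)\[\d+\] to ([\d.]+)\[\d+\]")


@dataclass
class MobikeSummary:
    ike_sa: Optional[str] = None
    local_at_establish: Optional[str] = None   # local address when the IKE_SA came up
    remote: Optional[str] = None
    mobike_supported: bool = False
    address_updates: int = 0                   # "sending address list update using MOBIKE"
    paths_checked: List[Tuple[str, str]] = field(default_factory=list)
    last_source: Optional[str] = None          # source address of the last packet charon sent
    knl_errors: List[Tuple[str, str]] = field(default_factory=list)
    knl_warnings: List[Tuple[str, str]] = field(default_factory=list)


def parse_charon_log(lines) -> MobikeSummary:
    s = MobikeSummary()
    for raw in lines:
        m = LOG_RE.match(AUTOLINK_RE.sub("", raw).strip())
        if not m:
            continue  # not a charon line (blank, wrapped remainder, etc.)
        ts, _thread, group, msg = m.groups()
        if group == "IKE":
            e = ESTABLISHED_RE.search(msg)
            if e:
                s.ike_sa, s.local_at_establish, s.remote = e.groups()
            elif msg == "peer supports MOBIKE":
                s.mobike_supported = True
            elif msg == "sending address list update using MOBIKE":
                s.address_updates += 1
            else:
                p = PATH_RE.search(msg)
                if p:
                    s.paths_checked.append((p.group(1), p.group(2)))
        elif group == "NET":
            p = SEND_RE.search(msg)
            if p:
                s.last_source = p.group(1)
        elif group == "KNL":
            # classification is an assumption of this example, not strongSwan's own severity
            if msg.startswith("error "):
                s.knl_errors.append((ts, msg))
            elif msg.startswith("unable "):
                s.knl_warnings.append((ts, msg))
    return s


def address_changed(s: MobikeSummary) -> bool:
    """True when charon now sends from a different local address than the IKE_SA started on."""
    return (s.local_at_establish is not None and s.last_source is not None
            and s.local_at_establish != s.last_source)


def findings(s: MobikeSummary) -> List[str]:
    out = []
    if address_changed(s):
        out.append(f"{s.ike_sa}: local address moved {s.local_at_establish} -> {s.last_source} via MOBIKE")
    for ts, msg in s.knl_errors:
        out.append(f"{ts}: kernel error during update: {msg}")
    return out


# Constructed sample, taken from the shape of the post's excerpt (autolinks left in on purpose).
SAMPLE_LOG = """\
Aug 21 18:29:39 10[IKE] IKE_SA client[12] established between 12.12.1.201[C=CN, ST=SH, O=SNWL, CN=IKEv2_Client1]...11.11.11.200[C=CN, ST=SH, O=SNWL, CN=11.11.11.200]
Aug 21 18:29:39 10[IKE] CHILD_SA client{12} established with SPIs c84ed7a1_i 0dbbeb51_o and TS 172.16.1.20/32 <http://172.16.1.20/32> === 192.168.168.0/24 <http://192.168.168.0/24>
Aug 21 18:29:39 10[IKE] peer supports MOBIKE
Aug 21 18:29:56 07[KNL] interface eth2 activated
Aug 21 18:29:56 04[IKE] sending address list update using MOBIKE
Aug 21 18:29:56 04[NET] sending packet: from 12.12.1.201[4500] to 11.11.11.200[4500] (68 bytes)
Aug 21 18:29:57 08[KNL] 12.12.2.202 appeared on eth2
Aug 21 18:29:57 02[IKE] sending address list update using MOBIKE
Aug 21 18:29:57 02[NET] sending packet: from 12.12.1.201[4500] to 11.11.11.200[4500] (84 bytes)
Aug 21 18:30:19 09[KNL] interface eth1 deactivated
Aug 21 18:30:19 06[IKE] old path is not available anymore, try to find another
Aug 21 18:30:19 06[IKE] checking path 12.12.2.202[4500] - 11.11.11.200[4500]
Aug 21 18:30:19 06[NET] sending packet: from 12.12.2.202[4500] to 11.11.11.200[4500] (60 bytes)
Aug 21 18:30:19 05[KNL] unable to copy replay state from old SAD entry with SPI c84ed7a1
Aug 21 18:30:19 05[KNL] unable to copy replay state from old SAD entry with SPI 0dbbeb51
Aug 21 18:30:19 05[KNL] error uninstalling route installed with policy 192.168.168.0/24 <http://192.168.168.0/24> === 172.16.1.20/32 <http://172.16.1.20/32> fwd
Aug 21 18:30:19 05[NET] sending packet: from 12.12.2.202[4500] to 11.11.11.200[4500] (156 bytes)
"""

if __name__ == "__main__":
    for line in findings(parse_charon_log(SAMPLE_LOG.splitlines())):
        print(line)
```

Run it against a real `/var/log/` charon excerpt by feeding the file's lines to `parse_charon_log`; a non-empty `knl_errors` list alongside `address_changed()` being true is the combination to look at first, because the IKE state (as `ipsec status` shows) can be fully ESTABLISHED while the kernel route or policy side did not follow the address change.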