Hi all,<br> I found the root cause of the problem. When we stop the IPsec service in Cisco, it's sending an Informational exchange with a delete payload and message ID 1. Strongswan is considering it as an AUTH message and replying with an AUTH response.<br>
<br>I tested the same scenario with Strongswan, but strongswan is sending the Informational exchange with the delete payload with message ID 2. <br><br>I want to understand the significance of the Message ID here. Please share your ideas on this.<br>
<br>Regards,<br>Cross<br><br><div class="gmail_quote">On Wed, May 9, 2012 at 12:09 PM, Anonymous cross <span dir="ltr"><<a href="mailto:anonymouscross@gmail.com" target="_blank">anonymouscross@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi all,<br>
A small correction in the below conf.<br>
keyexchange=ikev2<br>For IKEv1 its working fine.<br><br>Regards,<br>Cross<div class="HOEnZb"><div class="h5"><br><br><div class="gmail_quote">On Wed, May 9, 2012 at 1:11 AM, Anonymous cross <span dir="ltr"><<a href="mailto:anonymouscross@gmail.com" target="_blank">anonymouscross@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Friends,<br> We formed a site-to-site IPsec tunnel between Cisco and Strongswan using IKEv2<br><br>
Router1 (Cisco) ------------- Router2 (Strongswan)<br><br>I stopped the IPsec service in Cisco and it's sending a delete payload to Strongswan. But Strongswan is not deleting the SAD and SPD properly; they linger in the kernel. Please help me out on this.<br>
Please find the configurations and logs below<br><br>ipsec.conf<br>___________<br>config setup<br> plutostart=yes<br> plutodebug=all<br> charonstart=yes<br> charondebug=all<br> nat_traversal=yes<br>
crlcheckinterval=10m<br> strictcrlpolicy=no<br><br>conn %default<br> ikelifetime=15m<br> keylife=2m<br> keyingtries=1<br><br clear="all">conn fqdn_vr<br> type=tunnel<br> keyexchange=ikev1<br>
left=172.31.114.227<br> right=%any<br> rightsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br> rightid=<a href="mailto:divya@cas.com" target="_blank">divya@cas.com</a><br> auth=esp<br> authby=secret<br>
pfs=no<br> rekey=no<br>
auto=add<br><br><b>Logs</b><br>++++++<br><b>/var/log/messages</b><br>___________<br>May 9 00:41:53 uxcasxxx charon: 12[CFG] received stroke: add connection 'fqdn_vr'<br>May 9 00:41:53 uxcasxxx charon: 12[CFG] added configuration 'fqdn_vr'<br>
May 9 00:42:10 uxcasxxx charon: 15[NET] received packet: from 172.31.114.211[500] to 172.31.114.227[500]<br>May 9 00:42:10 uxcasxxx charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>
May 9 00:42:10 uxcasxxx charon: 15[IKE] 172.31.114.211 is initiating an IKE_SA<br>May 9 00:42:10 uxcasxxx charon: 15[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"<br>May 9 00:42:10 uxcasxxx charon: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]<br>
May 9 00:42:10 uxcasxxx charon: 15[NET] sending packet: from 172.31.114.227[500] to 172.31.114.211[500]<br>May 9 00:42:10 uxcasxxx charon: 07[NET] received packet: from 172.31.114.211[500] to 172.31.114.227[500]<br>May 9 00:42:10 uxcasxxx charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr ]<br>
May 9 00:42:10 uxcasxxx charon: 07[CFG] looking for peer configs matching 172.31.114.227[%any]...172.31.114.211[<a href="mailto:divya@cas.com" target="_blank">divya@cas.com</a>]<br>May 9 00:42:10 uxcasxxx charon: 07[CFG] selected peer config 'fqdn_vr'<br>
May 9 00:42:10 uxcasxxx charon: 07[IKE] authentication of '<a href="mailto:divya@cas.com" target="_blank">divya@cas.com</a>' with pre-shared key successful<br>May 9 00:42:10 uxcasxxx charon: 07[IKE] authentication of '172.31.114.227' (myself) with pre-shared key<br>
May 9 00:42:10 uxcasxxx charon: 07[IKE] IKE_SA fqdn_vr[1] established between 172.31.114.227[172.31.114.227]...172.31.114.211[<a href="mailto:divya@cas.com" target="_blank">divya@cas.com</a>]<br>May 9 00:42:10 uxcasxxx charon: 07[IKE] CHILD_SA fqdn_vr{1} established with SPIs c307376c_i 7ac0291f_o and TS <a href="http://172.31.114.227/32" target="_blank">172.31.114.227/32</a> === <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
May 9 00:42:10 uxcasxxx charon: 07[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]<br>May 9 00:42:10 uxcasxxx charon: 07[NET] sending packet: from 172.31.114.227[500] to 172.31.114.211[500]<br>May 9 00:42:42 uxcasxxx charon: 08[NET] received packet: from 172.31.114.211[500] to 172.31.114.227[500]<br>
May 9 00:42:42 uxcasxxx charon: 08[ENC] parsed INFORMATIONAL request 1 [ D ]<br>May 9 00:42:42 uxcasxxx charon: 08[IKE] received retransmit of request with ID 1, retransmitting response<br>May 9 00:42:42 uxcasxxx charon: 08[NET] sending packet: from 172.31.114.227[500] to 172.31.114.211[500]<br>
May 9 00:42:42 uxcasxxx charon: 10[NET] received packet: from 172.31.114.211[500] to 172.31.114.227[500]<br>May 9 00:42:42 uxcasxxx charon: 10[ENC] parsed IKE_AUTH response 1 [ N(TS_UNACCEPT) ]<br>May 9 00:42:42 uxcasxxx charon: 10[IKE] received message ID 1, expected 0. Ignored<br>
<b><br>/var/log/secure<br>__________</b><br>May 9 00:41:53 uxcasxxx pluto[4608]: certificate is invalid (valid from Mar 28 19:21:50 2012 to Apr 27 19:21:50 2012)<br>May 9 00:41:53 uxcasxxx pluto[4608]: added connection description "cisco-vpn"<br>
May 9 00:41:53 uxcasxxx pluto[4608]: | <a href="http://0.0.0.0/0===172.31.114.227%5BC=CH" target="_blank">0.0.0.0/0===172.31.114.227[C=CH</a>, O=strongSwan, CN=strongswan]...%any[C=CH, O=strongSwan, CN=*]===%addrpool<br>
May 9 00:41:53 uxcasxxx pluto[4608]: | ike_life: 900s; ipsec_life: 120s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1; policy: ENCRYPT+TUNNEL+XAUTHRSASIG+XAUTHSERVER<br>
May 9 00:41:53 uxcasxxx pluto[4608]: | next event EVENT_REINIT_SECRET in 3600 seconds<br>May 9 00:41:53 uxcasxxx pluto[4608]: |<br>May 9 00:41:53 uxcasxxx pluto[4608]: | *received whack message<br>May 9 00:41:53 uxcasxxx pluto[4608]: | from whack: got --esp=aes128-sha1,3des-sha1<br>
May 9 00:41:53 uxcasxxx pluto[4608]: | esp alg added: AES_CBC_128/HMAC_SHA1, cnt=1<br>May 9 00:41:53 uxcasxxx pluto[4608]: | esp alg added: 3DES_CBC_0/HMAC_SHA1, cnt=2<br>May 9 00:41:53 uxcasxxx pluto[4608]: | esp proposal: AES_CBC_128/HMAC_SHA1, 3DES_CBC/HMAC_SHA1,<br>
May 9 00:41:53 uxcasxxx pluto[4608]: | from whack: got --ike=aes128-sha1-modp2048,3des-sha1-modp1536<br>May 9 00:41:53 uxcasxxx pluto[4608]: | ikg alg added: AES_CBC_128/HMAC_SHA1/MODP_2048, cnt=1<br>May 9 00:41:53 uxcasxxx pluto[4608]: | ikg alg added: 3DES_CBC_0/HMAC_SHA1/MODP_1536, cnt=2<br>
May 9 00:41:53 uxcasxxx pluto[4608]: | ike proposal: AES_CBC_128/HMAC_SHA1/MODP_2048, 3DES_CBC/HMAC_SHA1/MODP_1536,<br>May 9 00:41:53 uxcasxxx pluto[4608]: added connection description "fqdn_vr"<br>May 9 00:41:53 uxcasxxx pluto[4608]: | 172.31.114.227[172.31.114.227]...%any[<a href="mailto:divya@cas.com" target="_blank">divya@cas.com</a>]===<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
May 9 00:41:53 uxcasxxx pluto[4608]: | ike_life: 900s; ipsec_life: 120s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1; policy: PSK+ENCRYPT+TUNNEL+DONTREKEY<br>May 9 00:42:10 uxcasxxx charon: 15[IKE] 172.31.114.211 is initiating an IKE_SA<br>
May 9 00:42:10 uxcasxxx pluto[4608]: | ignoring IKEv2 packet<br>May 9 00:42:10 uxcasxxx pluto[4608]: | next event EVENT_REINIT_SECRET in 3583 seconds<br>May 9 00:42:10 uxcasxxx pluto[4608]: | ignoring IKEv2 packet<br>
May 9 00:42:10 uxcasxxx pluto[4608]: | next event EVENT_REINIT_SECRET in 3583 seconds<br>May 9 00:42:10 uxcasxxx charon: 07[IKE] IKE_SA fqdn_vr[1] established between 172.31.114.227[172.31.114.227]...172.31.114.211[<a href="mailto:divya@cas.com" target="_blank">divya@cas.com</a>]<br>
May 9 00:42:10 uxcasxxx charon: 07[IKE] CHILD_SA fqdn_vr{1} established with SPIs c307376c_i 7ac0291f_o and TS <a href="http://172.31.114.227/32" target="_blank">172.31.114.227/32</a> === <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
May 9 00:42:42 uxcasxxx pluto[4608]: |<br>
May 9 00:42:42 uxcasxxx pluto[4608]: | *received 76 bytes from <a href="http://172.31.114.211:500" target="_blank">172.31.114.211:500</a> on eth0<br>May 9 00:42:42 uxcasxxx pluto[4608]: | 4f 8e 1c 6f 03 97 b8 91 29 53 9d 90 9e 9e 93 2c<br>
May 9 00:42:42 uxcasxxx pluto[4608]: | 2e 20 25 08 00 00 00 01 00 00 00 4c 2a 00 00 30<br>May 9 00:42:42 uxcasxxx pluto[4608]: | 53 58 ed 96 c4 69 2b db 27 43 a8 2f 19 61 e7 a0<br>May 9 00:42:42 uxcasxxx pluto[4608]: | 83 e8 2e 8f e4 24 05 3b ef bb 28 f7 95 a1 8b 13<br>
May 9 00:42:42 uxcasxxx pluto[4608]: | e9 7f 85 d4 c7 52 38 5c 17 bc 18 f9<br>May 9 00:42:42 uxcasxxx pluto[4608]: | ignoring IKEv2 packet<br>May 9 00:42:42 uxcasxxx pluto[4608]: | next event EVENT_REINIT_SECRET in 3551 seconds<br>
May 9 00:42:42 uxcasxxx pluto[4608]: |<br>May 9 00:42:42 uxcasxxx pluto[4608]: | *received 76 bytes from <a href="http://172.31.114.211:500" target="_blank">172.31.114.211:500</a> on eth0<br>May 9 00:42:42 uxcasxxx pluto[4608]: | 4f 8e 1c 6f 03 97 b8 91 29 53 9d 90 9e 9e 93 2c<br>
May 9 00:42:42 uxcasxxx pluto[4608]: | 2e 20 23 28 00 00 00 01 00 00 00 4c 29 00 00 30<br>May 9 00:42:42 uxcasxxx pluto[4608]: | 83 e8 2e 8f e4 24 05 3b ef bb 28 f7 95 a1 8b 13<br>May 9 00:42:42 uxcasxxx pluto[4608]: | 55 33 20 fe 72 3d 17 cb d7 85 66 c3 0c fd 61 5f<br>
May 9 00:42:42 uxcasxxx pluto[4608]: | 3d 2c b0 cb 0a 53 71 1c 8a d1 e7 e3<br>May 9 00:42:42 uxcasxxx pluto[4608]: | ignoring IKEv2 packet<br>May 9 00:42:42 uxcasxxx pluto[4608]: | next event EVENT_REINIT_SECRET in 3551 seconds<span><font color="#888888"><br>
<br><br>-- <br>Regards,<br>Anonymous cross.<br>
</font></span></blockquote></div><br><br clear="all"><br></div></div><span class="HOEnZb"><font color="#888888">-- <br>Regards,<br>Anonymous cross.<br>
</font></span></blockquote></div><br><br clear="all"><br>-- <br>Regards,<br>Anonymous cross.<br>
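The Message ID behaviour the thread asks about, shown as an added example that is not part of the mailing-list thread and not strongSwan's or Cisco's code. Under RFC 7296 each peer numbers its own requests from 0 (IKE_SA_INIT is 0, IKE_AUTH is 1), so if no other request was sent in between, the initiator's first INFORMATIONAL must carry ID 2; a request that repeats the previous ID is, by definition, a retransmission, and the responder just resends its cached response. The script below decodes the fixed IKEv2 header (RFC 7296 section 3.1) from the two 76-byte packets that pluto hex-dumped in the logs above (copied verbatim from the thread) and then replays the two request sequences visible in the charon log through a simplified responder-side window. The window model (size 1, one cached response) is an assumption of this example, not a description of strongSwan's actual implementation.

```python
"""IKEv2 header decoder plus a toy responder-side Message ID window.

Added example for the thread above; not code from strongSwan or Cisco.
"""
import struct

# Exchange types, RFC 7296 section 3.1
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                  36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
# Payload types (subset), RFC 7296 section 3.2
PAYLOAD_TYPES = {33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 39: "AUTH",
                 41: "N", 42: "D", 44: "TSi", 45: "TSr", 46: "SK"}

FLAG_INITIATOR = 0x08   # sender is the original initiator
FLAG_RESPONSE = 0x20    # message is a response

# Packet 1 from the pluto dump: Cisco's INFORMATIONAL with the Delete payload.
CISCO_INFORMATIONAL = bytes.fromhex(
    "4f 8e 1c 6f 03 97 b8 91 29 53 9d 90 9e 9e 93 2c"
    "2e 20 25 08 00 00 00 01 00 00 00 4c 2a 00 00 30"
    "53 58 ed 96 c4 69 2b db 27 43 a8 2f 19 61 e7 a0"
    "83 e8 2e 8f e4 24 05 3b ef bb 28 f7 95 a1 8b 13"
    "e9 7f 85 d4 c7 52 38 5c 17 bc 18 f9")
# Packet 2 from the pluto dump: the IKE_AUTH response charon logged as N(TS_UNACCEPT).
CISCO_IKE_AUTH_RESPONSE = bytes.fromhex(
    "4f 8e 1c 6f 03 97 b8 91 29 53 9d 90 9e 9e 93 2c"
    "2e 20 23 28 00 00 00 01 00 00 00 4c 29 00 00 30"
    "83 e8 2e 8f e4 24 05 3b ef bb 28 f7 95 a1 8b 13"
    "55 33 20 fe 72 3d 17 cb d7 85 66 c3 0c fd 61 5f"
    "3d 2c b0 cb 0a 53 71 1c 8a d1 e7 e3")


def parse_header(pkt):
    """Decode the 28-byte fixed IKEv2 header and, for an SK payload, the first inner payload type."""
    if len(pkt) < 28:
        raise ValueError("packet shorter than the IKEv2 fixed header")
    spi_i, spi_r, next_payload, version, exch, flags, msg_id, length = \
        struct.unpack("!QQBBBBII", pkt[:28])
    if length != len(pkt):
        raise ValueError(f"header length {length} != packet length {len(pkt)}")
    hdr = {
        "spi_i": f"{spi_i:016x}",
        "spi_r": f"{spi_r:016x}",
        "version": f"{version >> 4}.{version & 0x0f}",
        "exchange": EXCHANGE_TYPES.get(exch, str(exch)),
        "from_initiator": bool(flags & FLAG_INITIATOR),
        "is_response": bool(flags & FLAG_RESPONSE),
        "message_id": msg_id,
        "length": length,
        "first_payload": PAYLOAD_TYPES.get(next_payload, str(next_payload)),
    }
    # The Encrypted (SK) payload's own Next Payload byte names the first payload inside it,
    # which is why the charon log can show [ D ] or [ N(...) ] for these packets.
    if next_payload == 46 and len(pkt) >= 32:
        hdr["first_inner_payload"] = PAYLOAD_TYPES.get(pkt[28], str(pkt[28]))
    return hdr


class ResponderWindow:
    """Toy responder-side bookkeeping of the peer's request IDs (RFC 7296 section 2.2, window 1)."""

    def __init__(self):
        self.expected = 0          # ID the next genuinely new request must carry
        self.last_response = None  # cached response for the most recent request

    def receive_request(self, msg_id, exchange):
        if msg_id == self.expected:            # new request: process it, cache the response
            self.expected += 1
            self.last_response = f"{exchange} response {msg_id}"
            return "new", self.last_response
        if msg_id == self.expected - 1:        # same ID as last time: a retransmit, resend cache
            return "retransmit", self.last_response
        return "ignored", None                 # outside the window: drop


def replay(requests):
    """Run a list of (message_id, exchange) requests through a fresh responder window."""
    window = ResponderWindow()
    return [window.receive_request(mid, exch)[0] for mid, exch in requests]


# Request sequences as seen by strongSwan in the charon log (constructed from the log lines).
CISCO_SEQUENCE = [(0, "IKE_SA_INIT"), (1, "IKE_AUTH"), (1, "INFORMATIONAL")]
STRONGSWAN_SEQUENCE = [(0, "IKE_SA_INIT"), (1, "IKE_AUTH"), (2, "INFORMATIONAL")]

if __name__ == "__main__":
    for name, pkt in (("cisco informational", CISCO_INFORMATIONAL),
                      ("cisco ike_auth response", CISCO_IKE_AUTH_RESPONSE)):
        print(name, parse_header(pkt))
    print("cisco:", replay(CISCO_SEQUENCE))          # third request is a 'retransmit'
    print("strongswan:", replay(STRONGSWAN_SEQUENCE))  # third request is 'new'
```

The decoder shows the first dumped packet is an INFORMATIONAL request from the initiator whose SK payload starts with a Delete, carrying Message ID 1; because the responder's last request was IKE_AUTH with ID 1, the replay classifies it as a retransmit, which is exactly the "received retransmit of request with ID 1, retransmitting response" line in the charon log. With ID 2 the same Delete is accepted as a new request.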