<div dir="ltr">Hi Tobias,<div><br></div><div>I have tried the same steps on centos 6.2, There aren't <span style="font-family:arial,sans-serif;font-size:14px"><font color="#e06666"><b>unable to copy replay state from old SAD entry </b></font></span>logs, and ping to right subnets pass after the pc interface is updated.</div>
<div>Below is the pc information for centos 6.2</div><div><br></div><div><div style="font-family:arial,sans-serif;font-size:14px"><b>lsb_release -a</b> </div><div style><div style><font face="arial, sans-serif"><span style="font-size:14px"><i>LSB Version: :core-4.0-ia32:core-4.0-noarch:graphics-4.0-ia32:graphics-4.0-noarch:printing-4.0-ia32:printing-4.0-noarch</i></span></font></div>
<div style><font face="arial, sans-serif"><span style="font-size:14px"><i>Distributor ID: CentOS</i></span></font></div><div style><font face="arial, sans-serif"><span style="font-size:14px"><i>Description: CentOS release 6.2 (Final) </i></span></font></div>
<div style><font face="arial, sans-serif"><span style="font-size:14px"><i>Release: 6.2</i></span></font></div><div style><font face="arial, sans-serif"><span style="font-size:14px"><i>Codename: Final</i></span></font></div>
<div style="font-family:arial,sans-serif;font-size:14px"><br></div></div><div style="font-family:arial,sans-serif;font-size:14px"><br></div><div style="font-family:arial,sans-serif;font-size:14px"><b>cat /proc/version</b></div>
<div style="font-family:arial,sans-serif;font-size:14px"><div>Linux version 2.6.32-220.el6.i686 (<a href="mailto:mockbuild@c6b18n3.bsys.dev.centos.org">mockbuild@c6b18n3.bsys.dev.centos.org</a>) (gcc version 4.4.6 20110731 (Red Hat 4.4.6-3) (GCC) ) #1 SMP Tue Dec 6 16:15:40 GMT 2011</div>
</div><div style="font-family:arial,sans-serif;font-size:14px"><i><br></i></div><div style><font face="arial, sans-serif"><span style="font-size:14px">The strongswan version i</span></font><i style="font-family:arial,sans-serif;font-size:14px">s</i><font face="arial, sans-serif"><span style="font-size:14px"><i>Linux strongSwan U5.0.2/K2.6.32-220.el6.i686</i></span></font></div>
</div><div style><font face="arial, sans-serif"><span style="font-size:14px"><i><br></i></span></font></div><div style><font face="arial, sans-serif"><span style="font-size:14px"><i>Best Regards</i></span></font></div><div style>
<font face="arial, sans-serif"><span style="font-size:14px"><i>Amy</i></span></font></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">2014-08-22 11:49 GMT+08:00 <span dir="ltr"><<a href="mailto:amysue.z@gmail.com" target="_blank">amysue.z@gmail.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Tobias,<div>Thanks for your reply<br><div><br></div><div>My pc is Centos 5.9</div><div><b>lsb_release -a</b> </div>
<div><div><i>LSB Version: :core-4.0-ia32:core-4.0-noarch:graphics-4.0-ia32:graphics-4.0-noarch:printing-4.0-ia32:printing-4.0-noarch</i></div>
<div><i>Distributor ID: CentOS</i></div><div><i>Description: CentOS release 5.9 (Final)</i></div><div><i>Release: 5.9</i></div><div><i>Codename: Final</i></div></div><div><br></div><div><b>cat /proc/version</b></div>
<div><i>Linux version 2.6.18-348.1.1.el5 (<a href="mailto:mockbuild@builder17.centos.org" target="_blank">mockbuild@builder17.centos.org</a>) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-54)) #1 SMP Tue Jan 22 16:24:03 EST 2013</i><br>
</div>
<div><i><br></i></div><div>The strongswan version i<i>s Linux strongSwan U5.1.0/K2.6.18-348.1.1.el5</i></div><div><i><br></i></div><div>I don't know how to add <span style="font-family:arial,sans-serif;font-size:14px">DBG statements to </span><span style="font-family:arial,sans-serif;font-size:14px">get_replay_state() for I don't quite know the C language, could you give me some DBG statements?</span></div>
<div><span style="font-family:arial,sans-serif;font-size:14px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:14px">Regards</span></div><div><span style="font-family:arial,sans-serif;font-size:14px">Amy</span></div>
<div><i><br></i></div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">2014-08-22 0:30 GMT+08:00 Tobias Brunner <span dir="ltr"><<a href="mailto:tobias@strongswan.org" target="_blank">tobias@strongswan.org</a>></span>:<div>
<div class="h5"><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Amy,<br>
<div><br>
> Is this error cause ping fail?<br>
</div><div>> error uninstalling route installed with policy<br>
> <a href="http://192.168.168.0/24" target="_blank">192.168.168.0/24</a> === <a href="http://172.16.1.20/32" target="_blank">172.16.1.20/32</a> fwd<br>
<br>
</div>That's normal. Because the interface that was referenced in this route<br>
(eth1) disappeared, the route was already removed by the kernel when<br>
charon eventually tries to uninstall it, so you get this error/warning.<br>
<br>
Your main problem is this:<br>
<div><br>
> Aug 21 18:30:19 05[KNL] unable to copy replay state from old SAD entry<br>
> with SPI c84ed7a1<br>
> Aug 21 18:30:19 05[KNL] unable to copy replay state from old SAD entry<br>
> with SPI 0dbbeb51<br>
<br>
</div>For some reason retrieving the current ESP sequence numbers for these<br>
SAs failed on your system.<br>
<br>
Because we can't update the IPsec SAs installed in the kernel directly,<br>
but have to delete and reinstall them instead, we need to copy the old<br>
replay state to the new SA. If that fails the newly installed SAs can't<br>
be used as the sequence numbers aren't in-sync between the two peers.<br>
I'm not sure when this could actually fail. The XFRM_MSG_GETAE query<br>
seems to have been successful (you'd have gotten an additional error<br>
otherwise), and I don't see how the kernel could not return the<br>
requested state without reporting an error.<br>
<br>
You could try to add some DBG statements in get_replay_state() in<br>
kernel_netlink_ipsec.c to see what's going on (e.g. what message types<br>
the kernel returns or what attribute types if out_aevent is assigned).<br>
<br>
What kernel version do you use? What strongSwan version? Any custom<br>
patches applied to either one?<br>
<br>
In any case we should probably check early on if get_replay_state()<br>
actually returned anything and fail if it did not so that the IPsec SAs<br>
could be rekeyed (we already use this fallback on other platforms, e.g.<br>
FreeBSD, where updating SAs is not possible at all).<br>
<br>
Regards,<br>
Tobias<br>
<br>
</blockquote></div></div></div><br></div>
</blockquote></div><br></div>