<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from rtf -->
<style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<font face="Consolas" size="2"><span style="font-size:10.5pt;">
<div>Hi,</div>
<div> </div>
<div>Can anyone please comment on this. I tested this with the new strongswan version 5.2 and noticed the same behavior.</div>
<div> </div>
<div>Regards</div>
<div>Suhas</div>
<div> </div>
<div>-----Original Message-----<br>
From: users-bounces@lists.strongswan.org [<a href="mailto:users-bounces@lists.strongswan.org">mailto:users-bounces@lists.strongswan.org</a>] On Behalf Of ext Krishna G, Suhas (NSN - IN/Bangalore)<br>
Sent: Monday, February 09, 2015 2:24 PM<br>
To: ext Noel Kuntze; users@lists.strongswan.org<br>
Subject: Re: [strongSwan] FW: Traffic dropped when IKE initiation happen between two nodes simultaneously.</div>
<div> </div>
<div>Hi Noel,</div>
<div> </div>
<div>One more observation with respect to the below query. With "uniqueids=yes", as you mentioned only one pair of SA is formed but I found a limitation w.r.t this. I configured IPSec(same setup as I had mentioned in previous mail) between two nodes(peer1-------peer2)
with the uniqueids=yes option in the ipsec.conf file on both ends. Apparently, no SAs are duplicated when I do "ipsec up" multiple times from one end. Old SAs are being replaced by new ones. But when I do "ipsec up" for the <b><u>first time</u></b> from <b><u>the
other end</u></b>, though SAs are already established, another set of SA is initiated. So two set of SAs get established. But no further SAs are duplicated even after "ipsec up" multiple times from either ends. So, there can exist max two set of SAs between
the same end points with the "uniqueids=yes" option. <b><u>First set of SA initiated from peer1 and the second set initiated by peer2</u></b>. So, I think there is no actual check for SA being established but there is only a check for the number of times "ipsec
up" is done from one end which is a drawback. Is this the same behavior in the new version of strongswan?</div>
<div> </div>
<div> </div>
<div>Regards</div>
<div>Suhas</div>
<div> </div>
<div>-----Original Message-----</div>
<div>From: <a href="mailto:users-bounces@lists.strongswan.org">users-bounces@lists.strongswan.org</a> [<a href="mailto:users-bounces@lists.strongswan.org">mailto:users-bounces@lists.strongswan.org</a>] On Behalf Of ext Krishna G, Suhas (NSN - IN/Bangalore)</div>
<div>Sent: Friday, February 06, 2015 12:12 PM</div>
<div>To: ext Noel Kuntze; <a href="mailto:users@lists.strongswan.org">users@lists.strongswan.org</a></div>
<div>Subject: Re: [strongSwan] FW: Traffic dropped when IKE initiation happen between two nodes simultaneously.</div>
<div> </div>
<div>Hi Noel,</div>
<div> </div>
<div>I had forgot to ask one thing. Does any configuration in strongswan.conf file affect this. How exactly does this uniqueid stuff work?</div>
<div>My strongsan.conf file for reference just in case:</div>
<div> </div>
<div># strongswan.conf</div>
<div> </div>
<div>charon {</div>
<div>reuse_ikesa=no</div>
<div>install_routes=no</div>
<div>block_threshold=50</div>
<div>cookie_threshold=100</div>
<div>}</div>
<div> </div>
<div>-----Original Message-----</div>
<div>From: ext Noel Kuntze [<a href="mailto:noel@familie-kuntze.de">mailto:noel@familie-kuntze.de</a>] </div>
<div>Sent: Thursday, February 05, 2015 12:07 AM</div>
<div>To: Krishna G, Suhas (NSN - IN/Bangalore); <a href="mailto:users@lists.strongswan.org">users@lists.strongswan.org</a></div>
<div>Subject: Re: [strongSwan] FW: Traffic dropped when IKE initiation happen between two nodes simultaneously.</div>
<div> </div>
<div> </div>
<div>-----BEGIN PGP SIGNED MESSAGE-----</div>
<div>Hash: SHA256</div>
<div> </div>
<div>Hello Krishna,</div>
<div> </div>
<div>Yes, that is relevant. I have a net-to-net setup here with the newest strongSwan</div>
<div>version and PSK authentication, that does not show this bad behaviour.</div>
<div>You might want to try a newer version.</div>
<div> </div>
<div>Mit freundlichen Grüßen/Regards,</div>
<div>Noel Kuntze</div>
<div> </div>
<div>GPG Key ID: 0x63EC6658</div>
<div>Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658</div>
<div> </div>
<div>Am 04.02.2015 um 11:07 schrieb Krishna G, Suhas (NSN - IN/Bangalore):</div>
<div>> Hi Noel,</div>
<div>></div>
<div>> Thanks for the quick response. I tested with the combination of changes you suggested but am still facing the same issue. I found a thread relating to this: <a href="http://permalink.gmane.org/gmane.network.vpn.strongswan.devel/671">http://permalink.gmane.org/gmane.network.vpn.strongswan.devel/671</a></div>
<div>> Is this of any relevance? The charon does not check for duplicate SAs and delete them? The duplicate SAs persist even after rekeying.</div>
<div>></div>
<div>> Regards</div>
<div>> Suhas Krishna</div>
<div>></div>
<div>> -----Original Message-----</div>
<div>> From: <a href="mailto:users-bounces@lists.strongswan.org">users-bounces@lists.strongswan.org</a> [<a href="mailto:users-bounces@lists.strongswan.org">mailto:users-bounces@lists.strongswan.org</a>] On Behalf Of ext Noel Kuntze</div>
<div>> Sent: Wednesday, February 04, 2015 1:23 AM</div>
<div>> To: <a href="mailto:users@lists.strongswan.org">users@lists.strongswan.org</a></div>
<div>> Subject: Re: [strongSwan] FW: Traffic dropped when IKE initiation happen between two nodes simultaneously.</div>
<div>></div>
<div>></div>
<div>> Hello Kirshna,</div>
<div>></div>
<div>> You set "uniqueids=no". That causes that behaviour.</div>
<div>> Use "uniqueids=yes", "uniqueids=keep" or "uniqueids=replace".</div>
<div>></div>
<div>> Mit freundlichen Grüßen/Regards,</div>
<div>> Noel Kuntze</div>
<div>></div>
<div>> GPG Key ID: 0x63EC6658</div>
<div>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658</div>
<div>></div>
<div>> Am 03.02.2015 um 11:05 schrieb Krishna G, Suhas (NSN - IN/Bangalore):</div>
<div>> > Hi,</div>
<div>></div>
<div>> > I am testing a simple scenario using ikev2. The setup is as follows:</div>
<div>></div>
<div>> > (Traffic generator2)30.0.0.1-------(30.0.0.2)node2(20.0.0.1)----------(20.0.0.2)node1(40.0.0.1)------------40.0.0.2(Traffic generator1)</div>
<div>> > eth2 eth3 eth2</div>
<div>> > (vlan201)</div>
<div>></div>
<div>> > Node1:</div>
<div>> > # ipsec.conf</div>
<div>></div>
<div>> > config setup</div>
<div>> > charonstart=yes</div>
<div>> > plutostart=no</div>
<div>> > uniqueids=no</div>
<div>> > charondebug="knl 0,enc 0,net 0"</div>
<div>> > conn %default</div>
<div>> > auto=route</div>
<div>> > keyexchange=ikev2</div>
<div>> > reauth=no</div>
<div>> > conn r2~v2</div>
<div>> > rekeymargin=150</div>
<div>> > rekeyfuzz=100%</div>
<div>> > left=20.0.0.2</div>
<div>> > right=20.0.0.1</div>
<div>> > leftsubnet=40.0.0.2/32</div>
<div>> > rightsubnet=30.0.0.1/32</div>
<div>> > authby=secret</div>
<div>> > leftid=20.0.0.2</div>
<div>> > rightid=%any</div>
<div>> > ike=aes128-sha1-modp1024!</div>
<div>> > esp=aes128-sha1!</div>
<div>> > type=tunnel</div>
<div>> > ikelifetime=2000s</div>
<div>> > keylife=1500s</div>
<div>> > mobike=no</div>
<div>> > auto=route</div>
<div>> > reauth=no</div>
<div>></div>
<div>> > addresses configured:</div>
<div>> > 1. vlan201@eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP</div>
<div>> > link/ether 00:30:64:26:2f:5f brd ff:ff:ff:ff:ff:ff</div>
<div>> > inet 20.0.0.2/24 brd 20.0.0.255 scope global vlan201</div>
<div>> > inet6 fe80::30:6400:a26:2f5f/64 scope link</div>
<div>> > valid_lft forever preferred_lft forever</div>
<div>></div>
<div>> > 2. eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000</div>
<div>> > link/ether 00:30:64:26:2f:5e brd ff:ff:ff:ff:ff:ff</div>
<div>> > inet 40.0.0.1/24 brd 40.0.0.255 scope global eth2</div>
<div>> > inet6 fe80::30:6400:426:2f5e/64 scope link</div>
<div>> > valid_lft forever preferred_lft forever</div>
<div>></div>
<div>></div>
<div>> > routes:</div>
<div>> > 40.0.0.0/24 dev eth2 proto kernel scope link src 40.0.0.1</div>
<div>> > 20.0.0.0/24 dev vlan201 proto kernel scope link src 20.0.0.2</div>
<div>> > 30.0.0.0/24 via 20.0.0.1 dev vlan201 proto gated</div>
<div>></div>
<div>></div>
<div>></div>
<div>> > Node2 :</div>
<div>> > # ipsec.conf</div>
<div>></div>
<div>> > config setup</div>
<div>> > charonstart=yes</div>
<div>> > plutostart=no</div>
<div>> > uniqueids=no</div>
<div>> > charondebug="knl 0,enc 0,net 0"</div>
<div>> > conn %default</div>
<div>> > auto=route</div>
<div>> > keyexchange=ikev2</div>
<div>> > reauth=no</div>
<div>> > conn r2~v2</div>
<div>> > rekeymargin=150</div>
<div>> > rekeyfuzz=100%</div>
<div>> > left=20.0.0.1</div>
<div>> > right=20.0.0.2</div>
<div>> > leftsubnet=30.0.0.1/32</div>
<div>> > rightsubnet=40.0.0.2/32</div>
<div>> > authby=secret</div>
<div>> > leftid=20.0.0.1</div>
<div>> > rightid=%any</div>
<div>> > ike=aes128-sha1-modp1024!</div>
<div>> > esp=aes128-sha1!</div>
<div>> > type=tunnel</div>
<div>> > ikelifetime=2000s</div>
<div>> > keylife=1500s</div>
<div>> > dpdaction=clear</div>
<div>> > dpddelay=20</div>
<div>> > mobike=no</div>
<div>> > auto=route</div>
<div>> > reauth=no</div>
<div>></div>
<div>></div>
<div>> > addresses configured:</div>
<div>> > 1. vlan201@eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP</div>
<div>> > link/ether 00:30:64:26:32:02 brd ff:ff:ff:ff:ff:ff</div>
<div>> > inet 20.0.0.1/24 brd 20.0.0.255 scope global vlan201</div>
<div>> > inet6 fe80::30:6400:a26:3202/64 scope link</div>
<div>> > valid_lft forever preferred_lft forever</div>
<div>></div>
<div>></div>
<div>> > 2. eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000</div>
<div>> > link/ether 00:30:64:26:32:01 brd ff:ff:ff:ff:ff:ff</div>
<div>> > inet 30.0.0.2/24 brd 30.0.0.255 scope global eth2</div>
<div>> > inet6 fe80::30:6400:426:3201/64 scope link</div>
<div>> > valid_lft forever preferred_lft forever</div>
<div>></div>
<div>></div>
<div>> > routes:</div>
<div>> > 40.0.0.0/24 via 20.0.0.2 dev vlan201 proto gated</div>
<div>> > 20.0.0.0/24 dev vlan201 proto kernel scope link src 20.0.0.1</div>
<div>> > 30.0.0.0/24 dev eth2 proto kernel scope link src 30.0.0.2</div>
<div>></div>
<div>></div>
<div>> > In my setup, I am pumping traffic from both ends simultaneously. I see that IKE initiations happen simultaneously from both ends and two pair of SAs are formed instead of one as shown below:</div>
<div>></div>
<div>> > 20.0.0.2 20.0.0.1</div>
<div>> > esp mode=tunnel spi=3303990082(0xc4eee342) reqid=1(0x00000001)</div>
<div>> > E: aes-cbc 2d2d6603 aa9bc830 1c3ee36a d964b1f1</div>
<div>> > A: hmac-sha1 3889f511 69cd3c4e 6f416739 e5c685cc 3f316067</div>
<div>> > seq=0x00000000 replay=64 flags=0x00000000 state=mature</div>
<div>> > created: Jan 23 20:22:13 2015 current: Jan 23 20:22:37 2015</div>
<div>> > diff: 24(s) hard: 300(s) soft: 268(s)</div>
<div>> > last: Jan 23 20:22:13 2015 hard: 0(s) soft: 0(s)</div>
<div>> > current: 285648670(bytes) hard: 0(bytes) soft: 0(bytes)</div>
<div>> > allocated: 283945 hard: 0 soft: 0</div>
<div>> > sadb_seq=1 pid=24064 refcnt=0</div>
<div>> > 20.0.0.1 20.0.0.2</div>
<div>> > esp mode=tunnel spi=3422609051(0xcc00de9b) reqid=1(0x00000001)</div>
<div>> > E: aes-cbc 37be21d3 79d00867 968bcc4e 21c3a5c8</div>
<div>> > A: hmac-sha1 f46a45e7 c3b90b4e 20e3e68e 782a8b48 5d2d7758</div>
<div>> > seq=0x00000000 replay=64 flags=0x00000000 state=mature</div>
<div>> > created: Jan 23 20:22:13 2015 current: Jan 23 20:22:37 2015</div>
<div>> > diff: 24(s) hard: 300(s) soft: 265(s)</div>
<div>> > last: hard: 0(s) soft: 0(s)</div>
<div>> > current: 0(bytes) hard: 0(bytes) soft: 0(bytes)</div>
<div>> > allocated: 0 hard: 0 soft: 0</div>
<div>> > sadb_seq=2 pid=24064 refcnt=0</div>
<div>> > 20.0.0.2 20.0.0.1</div>
<div>> > esp mode=tunnel spi=3272081281(0xc307ff81) reqid=2(0x00000002)</div>
<div>> > E: aes-cbc 6c9cbd30 0aa302bb 9741ca7f 231ce550</div>
<div>> > A: hmac-sha1 9c21160b a03990f5 a07d2c29 a18d8b7f 02c020a7</div>
<div>> > seq=0x00000000 replay=64 flags=0x00000000 state=mature</div>
<div>> > created: Jan 23 20:22:13 2015 current: Jan 23 20:22:37 2015</div>
<div>> > diff: 24(s) hard: 300(s) soft: 264(s)</div>
<div>> > last: Jan 23 20:22:13 2015 hard: 0(s) soft: 0(s)</div>
<div>> > current: 20120(bytes) hard: 0(bytes) soft: 0(bytes)</div>
<div>> > allocated: 20 hard: 0 soft: 0</div>
<div>> > sadb_seq=3 pid=24064 refcnt=0</div>
<div>> > 20.0.0.1 20.0.0.2</div>
<div>> > esp mode=tunnel spi=3466205953(0xce9a1b01) reqid=2(0x00000002)</div>
<div>> > E: aes-cbc 465a0a5f 454ffbcc d4a63bf7 f3f102e5</div>
<div>> > A: hmac-sha1 36cefc1d 6c9729fe 4a142a0d 66033097 4b6e9d3a</div>
<div>> > seq=0x00000000 replay=64 flags=0x00000000 state=mature</div>
<div>> > created: Jan 23 20:22:13 2015 current: Jan 23 20:22:37 2015</div>
<div>> > diff: 24(s) hard: 300(s) soft: 261(s)</div>
<div>> > last: Jan 23 20:22:13 2015 hard: 0(s) soft: 0(s)</div>
<div>> > current: 285656718(bytes) hard: 0(bytes) soft: 0(bytes)</div>
<div>> > allocated: 283953 hard: 0 soft: 0</div>
<div>> > sadb_seq=0 pid=24064 refcnt=0</div>
<div>></div>
<div>></div>
<div>> > Due to this there is a 100% traffic drop seen at both ends. I referred to a similar query posted - _https://lists.strongswan.org/pipermail/users/2012-October/003765.html_ but no conclusion was drawn out of that.</div>
<div>></div>
<div>> > According to my investigation, the two nodes are using different set of SAs for communication resulting in the problem. tcpdump of the packets flowing is as below:</div>
<div>></div>
<div>> > 20:23:48.400585 IP 20.0.0.2 > 20.0.0.1: ESP(spi=0xc4eee342,seq=0x11556a), length 1044</div>
<div>> > 20:23:48.400629 IP 20.0.0.1 > 20.0.0.2: ESP(spi=0xce9a1b01,seq=0x115573), length 1044</div>
<div>> > 20:23:48.400669 IP 20.0.0.2 > 20.0.0.1: ESP(spi=0xc4eee342,seq=0x11556b), length 1044</div>
<div>> > 20:23:48.400713 IP 20.0.0.1 > 20.0.0.2: ESP(spi=0xce9a1b01,seq=0x115574), length 1044</div>
<div>> > 20:23:48.400752 IP 20.0.0.2 > 20.0.0.1: ESP(spi=0xc4eee342,seq=0x11556c), length 1044</div>
<div>> > 20:23:48.400796 IP 20.0.0.1 > 20.0.0.2: ESP(spi=0xce9a1b01,seq=0x115575), length 1044</div>
<div>> > 20:23:48.400836 IP 20.0.0.2 > 20.0.0.1: ESP(spi=0xc4eee342,seq=0x11556d), length 1044</div>
<div>> > 20:23:48.400881 IP 20.0.0.1 > 20.0.0.2: ESP(spi=0xce9a1b01,seq=0x115576), length 1044</div>
<div>> > 20:23:48.400919 IP 20.0.0.2 > 20.0.0.1: ESP(spi=0xc4eee342,seq=0x11556e), length 1044</div>
<div>> > 20:23:48.400963 IP 20.0.0.1 > 20.0.0.2: ESP(spi=0xce9a1b01,seq=0x115577), length 1044</div>
<div>> > 20:23:48.401003 IP 20.0.0.2 > 20.0.0.1: ESP(spi=0xc4eee342,seq=0x11556f), length 1044</div>
<div>> > 20:23:48.401047 IP 20.0.0.1 > 20.0.0.2: ESP(spi=0xce9a1b01,seq=0x115578), length 1044</div>
<div>></div>
<div>></div>
<div>> > Is there any fix to this issue. The scenario of simultaneous ike initiations happening for the first time when tunnel is being established is something which is not addressed I feel.</div>
<div>></div>
<div>></div>
<div>> > Regards</div>
<div>> > Suhas Krishna</div>
<div>></div>
<div>></div>
<div>></div>
<div>> > _______________________________________________</div>
<div>> > Users mailing list</div>
<div>> > <a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a></div>
<div>> > <a href="https://lists.strongswan.org/mailman/listinfo/users">https://lists.strongswan.org/mailman/listinfo/users</a></div>
<div>></div>
<div>></div>
<div>> _______________________________________________</div>
<div>> Users mailing list</div>
<div>> <a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a></div>
<div>> <a href="https://lists.strongswan.org/mailman/listinfo/users">https://lists.strongswan.org/mailman/listinfo/users</a></div>
<div> </div>
<div>-----BEGIN PGP SIGNATURE-----</div>
<div>Version: GnuPG v2</div>
<div> </div>
<div>iQIcBAEBCAAGBQJU0mbXAAoJEDg5KY9j7GZY+eEP/0/sp8332hmIqdFDAQIzW2fh</div>
<div>MD3emEBa7DXeaPNcXUEjA2wNnv0qIP7ctiBn2YB5+pvMGYMn8KTwbrxN9vQN4sD9</div>
<div>35hijguCA4YVxEvu4+xkIuNbLWylcgAglCmAIpnt6HrXxDA4+OVKbBgcF05lqcnH</div>
<div>sWdnuDhmfCNjXafU2/Zxw1mpDNM2tpgab0eOnTD0LFKnRklOtq8tGQxdZl+Wtkwo</div>
<div>ng0bVTZx1qM9zVektfmIYzTOnC/ScfqaRBYR3LwHdIpUfxUR6v0yFxSO0ypCVR+M</div>
<div>wUK3xCOzDPC3/NlqQ6qeoOkCLzlAmGj3KDOsFmsjIpAc5JYKrcOqoI6LSWb2WZds</div>
<div>q+DVp1O4OPUjQKza8rZzOiY4uPA54jiqRumum0iq4NFGv40Hua84bYJ/EPf5MqOP</div>
<div>fZw8bCZj+iPxZUQuUdXCm6+DUHWzATgQQ+QU1Ysw9hziNJc5Eo+6md2Kp2p/3pW2</div>
<div>sZAOYtTtK7ShD9pG7DUd51nYA5aqhyuy3XHE1gxYKSXtgeX7i2qpzVMjqV0yFRzc</div>
<div>YyKh8tnlVE1tX13POYF6Wd3plbqThyZx/Yc35aRY+gugMRJ/sr/qcu2U/oVwVhy5</div>
<div>slK3uG5ZLAxbj8h4cmN45WP9To282wEaVmRvdNFf14R4GarJdIOBZRLd1ivg5gfn</div>
<div>vm/LimVxeJNk64H1XuNL</div>
<div>=BsFr</div>
<div>-----END PGP SIGNATURE-----</div>
<div> </div>
<div>_______________________________________________</div>
<div>Users mailing list</div>
<div><a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a></div>
<div><a href="https://lists.strongswan.org/mailman/listinfo/users">https://lists.strongswan.org/mailman/listinfo/users</a></div>
<div>_______________________________________________</div>
<div>Users mailing list</div>
<div><a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a></div>
<div><a href="https://lists.strongswan.org/mailman/listinfo/users">https://lists.strongswan.org/mailman/listinfo/users</a></div>
<div> </div>
</span></font>
</body>
</html>