<HTML><HEAD>
<META content="text/html; charset=utf-8" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 10.00.9200.17148"></HEAD>
<BODY style="FONT: 10pt Segoe UI; MARGIN: 4px 4px 1px">
<DIV>Hello,</DIV>
<DIV> </DIV>
<DIV>I'm getting the above error when rekeying. I think it might be related to issue #431? I've tried the workaround of setting reauth=no but this did not resolve the issue. I have only started running into this since we started using more than one subnet in the left side of the connection.</DIV>
<DIV> </DIV>
<DIV>If no traffic goes between <FONT face="Courier New">10.130.0.0/16 === 192.168.0.0/16 and that tunnel is never brought up the other tunnel will remain up and rekey without any problem. However, as soon as traffic goes between 10.130.0.0/16 === 192.168.0.0/16 the next rekey fails and both tunnels are brought down. If I wait a few seconds and then send traffic from the right the tunnel(s) will come back up but traffic from the left never re-establishes either tunnel. </FONT>Here's the log</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV><FONT face="Courier New">Mar 4 16:57:18 ip-10-180-0-12 charon: 14[NET] sending packet: from 10.180.0.12[4500] to 2.2.2.2[4500] (76 bytes)<BR>Mar 4 16:57:37 ip-10-180-0-12 charon: 12[IKE] sending keep alive to 2.2.2.2[4500]<BR>Mar 4 16:57:38 ip-10-180-0-12 charon: 09[NET] received packet: from 2.2.2.2[4500] to 10.180.0.12[4500] (76 bytes)<BR>Mar 4 16:57:38 ip-10-180-0-12 charon: 09[ENC] parsed INFORMATIONAL request 172 [ ]<BR>Mar 4 16:57:38 ip-10-180-0-12 charon: 09[ENC] generating INFORMATIONAL response 172 [ ]<BR>Mar 4 16:57:38 ip-10-180-0-12 charon: 09[NET] sending packet: from 10.180.0.12[4500] to 2.2.2.2[4500] (76 bytes)<BR>Mar 4 16:57:57 ip-10-180-0-12 charon: 02[IKE] sending keep alive to 2.2.2.2[4500]<BR>Mar 4 16:57:58 ip-10-180-0-12 charon: 10[NET] received packet: from 2.2.2.2[4500] to 10.180.0.12[4500] (76 bytes)<BR>Mar 4 16:57:58 ip-10-180-0-12 charon: 10[ENC] parsed INFORMATIONAL request 173 [ ]<BR>Mar 4 16:57:58 ip-10-180-0-12 charon: 10[ENC] generating INFORMATIONAL response 173 [ ]<BR>Mar 4 16:57:58 ip-10-180-0-12 charon: 10[NET] sending packet: from 10.180.0.12[4500] to 2.2.2.2[4500] (76 bytes)<BR>Mar 4 16:58:14 ip-10-180-0-12 charon: 16[KNL] creating rekey job for ESP CHILD_SA with SPI 0a7d4641 and reqid {2}<BR>Mar 4 16:58:14 ip-10-180-0-12 charon: 16[IKE] establishing CHILD_SA Iona-VPN-FW{2}<BR>Mar 4 16:58:14 ip-10-180-0-12 charon: 16[ENC] generating CREATE_CHILD_SA request 2 [ N(REKEY_SA) SA No TSi TSr ]<BR>Mar 4 16:58:14 ip-10-180-0-12 charon: 16[NET] sending packet: from 10.180.0.12[4500] to 2.2.2.2[4500] (332 bytes)<BR>Mar 4 16:58:14 ip-10-180-0-12 charon: 09[NET] received packet: from 2.2.2.2[4500] to 10.180.0.12[4500] (236 bytes)<BR>Mar 4 16:58:14 ip-10-180-0-12 charon: 09[ENC] parsed CREATE_CHILD_SA response 2 [ SA No TSi TSr ]<BR>Mar 4 16:58:14 ip-10-180-0-12 charon: 09[CFG] unable to install policy 10.176.0.0/13 === 192.168.0.0/16 out (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists<BR>Mar 4 16:58:14 ip-10-180-0-12 charon: 09[CFG] unable to install policy 192.168.0.0/16 === 10.176.0.0/13 in (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists<BR>Mar 4 16:58:14 ip-10-180-0-12 charon: 09[CFG] unable to install policy 192.168.0.0/16 === 10.176.0.0/13 fwd (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists<BR>Mar 4 16:58:14 ip-10-180-0-12 charon: 09[CFG] unable to install policy 10.176.0.0/13 === 192.168.0.0/16 out (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists<BR>Mar 4 16:58:14 ip-10-180-0-12 charon: 09[CFG] unable to install policy 192.168.0.0/16 === 10.176.0.0/13 in (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists<BR>Mar 4 16:58:14 ip-10-180-0-12 charon: 09[CFG] unable to install policy 192.168.0.0/16 === 10.176.0.0/13 fwd (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists<BR>Mar 4 16:58:14 ip-10-180-0-12 charon: 09[IKE] unable to install IPsec policies (SPD) in kernel<BR>Mar 4 16:58:14 ip-10-180-0-12 charon: 09[IKE] failed to establish CHILD_SA, keeping IKE_SA<BR>Mar 4 16:58:14 ip-10-180-0-12 charon: 09[KNL] deleting policy 10.176.0.0/13 === 192.168.0.0/16 out failed, not found<BR>Mar 4 16:58:14 ip-10-180-0-12 charon: 09[KNL] deleting policy 192.168.0.0/16 === 10.176.0.0/13 in failed, not found<BR>Mar 4 16:58:14 ip-10-180-0-12 charon: 09[KNL] deleting policy 192.168.0.0/16 === 10.176.0.0/13 fwd failed, not found<BR>Mar 4 16:58:14 ip-10-180-0-12 charon: 09[KNL] deleting policy 10.176.0.0/13 === 192.168.0.0/16 out failed, not found<BR>Mar 4 16:58:14 ip-10-180-0-12 charon: 09[KNL] deleting policy 192.168.0.0/16 === 10.176.0.0/13 in failed, not found<BR>Mar 4 16:58:14 ip-10-180-0-12 charon: 09[KNL] deleting policy 192.168.0.0/16 === 10.176.0.0/13 fwd failed, not found<BR>Mar 4 16:58:14 ip-10-180-0-12 charon: 09[ENC] generating INFORMATIONAL request 3 [ N(REKEY_SA) ]<BR>Mar 4 16:58:14 ip-10-180-0-12 charon: 09[NET] sending packet: from 10.180.0.12[4500] to 2.2.2.2[4500] (76 bytes)<BR>Mar 4 16:58:16 ip-10-180-0-12 charon: 08[KNL] creating rekey job for ESP CHILD_SA with SPI c01ce92f and reqid {2}<BR>Mar 4 16:58:18 ip-10-180-0-12 charon: 13[IKE] retransmit 1 of request with message ID 3<BR>Mar 4 16:58:18 ip-10-180-0-12 charon: 13[NET] sending packet: from 10.180.0.12[4500] to 2.2.2.2[4500] (76 bytes)<BR>Mar 4 16:58:18 ip-10-180-0-12 charon: 10[NET] received packet: from 2.2.2.2[4500] to 10.180.0.12[4500] (76 bytes)<BR>Mar 4 16:58:18 ip-10-180-0-12 charon: 10[ENC] parsed INFORMATIONAL request 174 [ ]<BR>Mar 4 16:58:18 ip-10-180-0-12 charon: 10[ENC] generating INFORMATIONAL response 174 [ ]</FONT></DIV>
<DIV><FONT face="Courier New"></FONT><BR> </DIV>
<DIV>Here's the ipsec.conf</DIV>
<DIV> </DIV>
<DIV><FONT face="Courier New">config setup<BR> # strictcrlpolicy=yes<BR> # uniqueids=no</FONT></DIV>
<DIV><FONT face="Courier New"></FONT> </DIV>
<DIV><FONT face="Courier New">conn Iona-VPN-FW<BR> ikelifetime=1440m<BR> keylife=60m<BR> margintime=3m<BR> keyingtries=5<BR> keyexchange=ikev2<BR> authby=secret<BR> left=10.180.0.12<BR> leftsubnet=10.176.0.0/13,10.130.0.0/16<BR> leftid=1.1.1.1<BR> leftfirewall=yes<BR> right=2.2.2.2<BR> rightsubnet=192.168.0.0/16<BR> rightid=2.2.2.2<BR> auto=start<BR> ike=aes128-md5-modp1536<BR> esp=aes128-sha1<BR> reauth=no</FONT></DIV>
<DIV><FONT face="Courier New"></FONT><BR> </DIV>
<DIV>Here's the log entry from the device on the right (Cisco ASA 9.1(3))</DIV>
<DIV> </DIV>
<DIV><FONT face="Courier New">Mar 4 17:01:19 [10.1.1.12.2.2] Mar 04 2015 17:01:19 Iona-VPN-FW : %ASA-4-113019: Group = 1.1.1.1, Username = 1.1.1.1, IP = 1.1.1.1, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:58m:34s, Bytes xmt: 2479, Bytes rcv: 5233, Reason: Lost Service</FONT></DIV>
<DIV> </DIV>
<DIV>This is the status just prior to rekeying</DIV>
<DIV> </DIV><FONT face="Courier New">Wed Mar 4 16:58:12 GMT 2015<BR>Status of IKE charon daemon (strongSwan 5.2.2, Linux 2.6.32-504.8.1.el6.x86_64, x86_64):<BR> uptime: 55 minutes, since Mar 04 16:02:59 2015<BR> malloc: sbrk 270336, mmap 0, used 215968, free 54368<BR> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3<BR> loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-pr<BR>f gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic unity<BR>Listening IP addresses:<BR> 10.180.0.12<BR>Connections:<BR> Iona-VPN-FW: 10.180.0.12...2.2.2.2 IKEv2<BR> Iona-VPN-FW: local: [1.1.1.1] uses pre-shared key authentication<BR> Iona-VPN-FW: remote: [2.2.2.2] uses pre-shared key authentication<BR> Iona-VPN-FW: child: 10.176.0.0/13 10.130.0.0/16 === 192.168.0.0/16 TUNNEL<BR>Security Associations (1 up, 0 connecting):<BR> Iona-VPN-FW[1]: ESTABLISHED 55 minutes ago, 10.180.0.12[1.1.1.1]...2.2.2.2[2.2.2.2]<BR> Iona-VPN-FW[1]: IKEv2 SPIs: 550d0c34bc66ce4e_i* da285a283fb7a4d1_r, rekeying in 23 hours<BR> Iona-VPN-FW[1]: IKE proposal: AES_CBC_128/HMAC_MD5_96/PRF_HMAC_SHA1/MODP_1536<BR> Iona-VPN-FW{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: ccb6a085_i ad93852a_o<BR> Iona-VPN-FW{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 360 bytes_o (9 pkts, 2965s ago), rekeying in 33 seconds<BR> Iona-VPN-FW{1}: 10.176.0.0/13 === 192.168.0.0/16<BR> Iona-VPN-FW{2}: INSTALLED, TUNNEL, ESP in UDP SPIs: c01ce92f_i 0a7d4641_o<BR> Iona-VPN-FW{2}: AES_CBC_128/HMAC_SHA1_96, 2479 bytes_i (17 pkts, 3272s ago), 4873 bytes_o (15 pkts, 3272s ago), rekeying in 2 seconds<BR> Iona-VPN-FW{2}: 10.130.0.0/16 === 192.168.0.0/16</FONT><BR>
<DIV> </DIV>
<DIV>Shortly afterwards it's like this</DIV>
<DIV> </DIV>
<DIV><FONT face="Courier New">Wed Mar 4 16:58:42 GMT 2015<BR>Status of IKE charon daemon (strongSwan 5.2.2, Linux 2.6.32-504.8.1.el6.x86_64, x86_64):<BR> uptime: 55 minutes, since Mar 04 16:02:58 2015<BR> malloc: sbrk 270336, mmap 0, used 216192, free 54144<BR> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4<BR> loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic unity<BR>Listening IP addresses:<BR> 10.180.0.12<BR>Connections:<BR> Iona-VPN-FW: 10.180.0.12...2.2.2.2 IKEv2<BR> Iona-VPN-FW: local: [1.1.1.1] uses pre-shared key authentication<BR> Iona-VPN-FW: remote: [2.2.2.2] uses pre-shared key authentication<BR> Iona-VPN-FW: child: 10.176.0.0/13 10.130.0.0/16 === 192.168.0.0/16 TUNNEL<BR>Security Associations (1 up, 0 connecting):<BR> Iona-VPN-FW[1]: ESTABLISHED 55 minutes ago, 10.180.0.12[1.1.1.1]...2.2.2.2[2.2.2.2]<BR> Iona-VPN-FW[1]: IKEv2 SPIs: 550d0c34bc66ce4e_i* da285a283fb7a4d1_r, rekeying in 22 hours<BR> Iona-VPN-FW[1]: IKE proposal: AES_CBC_128/HMAC_MD5_96/PRF_HMAC_SHA1/MODP_1536<BR> Iona-VPN-FW[1]: Tasks queued: CHILD_REKEY<BR> Iona-VPN-FW[1]: Tasks active: CHILD_REKEY<BR> Iona-VPN-FW{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: ccb6a085_i ad93852a_o<BR> Iona-VPN-FW{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 360 bytes_o (9 pkts, 2996s ago), rekeying in 2 seconds<BR> Iona-VPN-FW{1}: 10.176.0.0/13 === 192.168.0.0/16<BR> Iona-VPN-FW{2}: REKEYING, TUNNEL, expires in 4 minutes<BR> Iona-VPN-FW{2}: 10.130.0.0/16 === 192.168.0.0/16</FONT></DIV>
<DIV><FONT face="Courier New"></FONT><BR> </DIV>
<DIV>This is the status immediately before the tunnel is torn down</DIV>
<DIV> </DIV>
<DIV><FONT face="Courier New">Wed Mar 4 17:00:59 GMT 2015<BR>Status of IKE charon daemon (strongSwan 5.2.2, Linux 2.6.32-504.8.1.el6.x86_64, x86_64):<BR> uptime: 58 minutes, since Mar 04 16:02:59 2015<BR> malloc: sbrk 270336, mmap 0, used 215968, free 54368<BR> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4<BR> loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-pr<BR>f gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic unity<BR>Listening IP addresses:<BR> 10.180.0.12<BR>Connections:<BR> Iona-VPN-FW: 10.180.0.12...2.2.2.2 IKEv2<BR> Iona-VPN-FW: local: [1.1.1.1] uses pre-shared key authentication<BR> Iona-VPN-FW: remote: [2.2.2.2] uses pre-shared key authentication<BR> Iona-VPN-FW: child: 10.176.0.0/13 10.130.0.0/16 === 192.168.0.0/16 TUNNEL<BR>Security Associations (1 up, 0 connecting):<BR> Iona-VPN-FW[1]: ESTABLISHED 58 minutes ago, 10.180.0.12[1.1.1.1]...2.2.2.2[2.2.2.2]<BR> Iona-VPN-FW[1]: IKEv2 SPIs: 550d0c34bc66ce4e_i* da285a283fb7a4d1_r, rekeying in 22 hours<BR> Iona-VPN-FW[1]: IKE proposal: AES_CBC_128/HMAC_MD5_96/PRF_HMAC_SHA1/MODP_1536<BR> Iona-VPN-FW[1]: Tasks queued: CHILD_REKEY CHILD_REKEY CHILD_REKEY<BR> Iona-VPN-FW[1]: Tasks active: CHILD_REKEY<BR> Iona-VPN-FW{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: ccb6a085_i ad93852a_o<BR> Iona-VPN-FW{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 360 bytes_o (9 pkts, 3133s ago), rekeying active<BR> Iona-VPN-FW{1}: 10.176.0.0/13 === 192.168.0.0/16<BR> Iona-VPN-FW{2}: REKEYING, TUNNEL, expires in 2 minutes<BR> Iona-VPN-FW{2}: 10.130.0.0/16 === 192.168.0.0/16</FONT></DIV>
<DIV><FONT face="Courier New"></FONT><BR> </DIV>
<DIV>And seconds later once it has been torn down</DIV>
<DIV> </DIV><FONT face="Courier New">Wed Mar 4 17:00:59 GMT 2015<BR>Status of IKE charon daemon (strongSwan 5.2.2, Linux 2.6.32-504.8.1.el6.x86_64, x86_64):<BR> uptime: 58 minutes, since Mar 04 16:02:58 2015<BR> malloc: sbrk 270336, mmap 0, used 208768, free 61568<BR> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3<BR> loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic unity<BR>Listening IP addresses:<BR> 10.180.0.12<BR>Connections:<BR> Iona-VPN-FW: 10.180.0.12...2.2.2.2 IKEv2<BR> Iona-VPN-FW: local: [1.1.1.1] uses pre-shared key authentication<BR> Iona-VPN-FW: remote: [2.2.2.2] uses pre-shared key authentication<BR> Iona-VPN-FW: child: 10.176.0.0/13 10.130.0.0/16 === 192.168.0.0/16 TUNNEL<BR>Security Associations (0 up, 0 connecting):<BR> none</FONT><BR>
<DIV> </DIV>
<DIV>Feedback welcome.</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>Tormod</DIV>
<DIV> </DIV>
<DIV> </DIV><BR>
<div>
<div>
<div>
<font face="Arial" size="2" color="#008000">Please consider the
environment before printing this email</font><font face="Arial" size="2">
</font> </div>
</div>
</div>
<div>
<font face="Arial" size="2">
</font> </div>
<span class="f133 controlstyle" id="F133"><font face="Arial" size="2">*********************************************************************
</font></span><font face="Arial" size="2"><br><span class="f133 controlstyle" id="F133"><br>This
e-mail and any attachments are confidential. If it is not for you, please
inform us and delete it immediately without disclosing, copying, or
distributing it.<br><br>If the content is not about the business of
PayWizard Group PLC or its clients, then it is neither from nor sanctioned
by PayWizard Group PLC. Use of this or any other PayWizard Group PLC
e-mail facility signifies consent to interception by PayWizard Group PLC.
The views expressed in this email or any attachments may not reflect the
views and opinions of PayWizard Group PLC.<br><br>This message has been
scanned for viruses and dangerous content by MailScanner, but PayWizard
Group PLC accepts no liability for any damage caused by the transmission
of any viruses.<br><br>PayWizard Group PLC is a public limited company
registered in Scotland (SC175703) with its registered office at Cluny
Court, John Smith Business Park, Kirkcaldy, Fife, KY2 6QJ.<br><br>*******************************************************************</span>*</font>
<br />--
<br />This message has been scanned for viruses and
<br />dangerous content by
<a href="http://www.mailscanner.info/"><b>MailScanner</b></a>, and is
<br />believed to be clean.
</BODY></HTML>