<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
I encountered an issue today with a rekey collision. When it
happened, the tunnel appeared to be up, but traffic could not
traverse the tunnel. After digging around, I found this discussion,
which seems to be the same issue, and the original poster also seems
to be using IPFire, as I am:
<a class="moz-txt-link-freetext" href="https://lists.strongswan.org/pipermail/users/2015-January/007365.html">https://lists.strongswan.org/pipermail/users/2015-January/007365.html</a>
. I also found a thread on the IPFire forum with a similar problem
that has lots of details (though sadly no replies) here:
<a class="moz-txt-link-freetext" href="http://forum.ipfire.org/viewtopic.php?f=27&t=12628">http://forum.ipfire.org/viewtopic.php?f=27&t=12628</a><br>
<br>
This is a snippet from my logs of when the collision occurred,
followed by a snippet when I issued "ipsec down TunnelName", where I
see errors about IPTables rules not existing. My question is whether
this is an issue with StrongSwan (I'm guessing no), or with IPFire
and the contents of the updown script that they have supplied (I'm
guessing that's it). I just want to make sure that I am barking up
the right tree while looking for a solution, so please let me know.<br>
<br>
Log snippet of collision:<br>
<code>Dec 14 13:17:28 ipfire charon: 11[KNL] creating rekey job for
CHILD_SA ESP/0xc68f239f/xxx.xxx.xxx.xxx<br>
Dec 14 13:17:28 ipfire charon: 11[IKE] establishing CHILD_SA
HudsonNew{38}<br>
Dec 14 13:17:28 ipfire charon: 11[IKE] establishing CHILD_SA
HudsonNew{38}<br>
Dec 14 13:17:28 ipfire charon: 11[ENC] generating CREATE_CHILD_SA
request 14 [ N(REKEY_SA) N(IPCOMP_SUP) SA No KE TSi TSr ]<br>
Dec 14 13:17:28 ipfire charon: 11[NET] sending packet: from
xxx.xxx.xxx.xxx[4500] to yyy.yyy.yyy.yyy[4500] (344 bytes)<br>
Dec 14 13:17:28 ipfire charon: 05[NET] received packet: from
yyy.yyy.yyy.yyy[4500] to xxx.xxx.xxx.xxx[4500] (444 bytes)<br>
Dec 14 13:17:28 ipfire charon: 05[ENC] parsed CREATE_CHILD_SA
request 10 [ N(REKEY_SA) N(IPCOMP_SUP) SA No KE TSi TSr ]<br>
Dec 14 13:17:28 ipfire charon: 05[IKE] CHILD_SA HudsonNew{10483}
established with SPIs cc94730d_i c654401c_o and TS 10.100.0.0/23
=== 192.168.0.0/24<br>
Dec 14 13:17:28 ipfire charon: 05[IKE] CHILD_SA HudsonNew{10483}
established with SPIs cc94730d_i c654401c_o and TS 10.100.0.0/23
=== 192.168.0.0/24<br>
Dec 14 13:17:28 ipfire charon: 05[IKE] detected CHILD_REKEY
collision with CHILD_REKEY<br>
Dec 14 13:17:28 ipfire charon: 05[ENC] generating CREATE_CHILD_SA
response 10 [ N(IPCOMP_SUP) SA No KE TSi TSr ]<br>
Dec 14 13:17:28 ipfire charon: 05[NET] sending packet: from
xxx.xxx.xxx.xxx[4500] to yyy.yyy.yyy.yyy[4500] (332 bytes)<br>
Dec 14 13:17:28 ipfire charon: 12[NET] received packet: from
yyy.yyy.yyy.yyy[4500] to xxx.xxx.xxx.xxx[4500] (332 bytes)<br>
Dec 14 13:17:28 ipfire charon: 12[ENC] parsed CREATE_CHILD_SA
response 14 [ N(IPCOMP_SUP) SA No KE TSi TSr ]<br>
Dec 14 13:17:28 ipfire charon: 12[IKE] CHILD_SA HudsonNew{10482}
established with SPIs cc4f7fb7_i ccc34f5a_o and TS 10.100.0.0/23
=== 192.168.0.0/24<br>
Dec 14 13:17:28 ipfire charon: 12[IKE] CHILD_SA HudsonNew{10482}
established with SPIs cc4f7fb7_i ccc34f5a_o and TS 10.100.0.0/23
=== 192.168.0.0/24<br>
Dec 14 13:17:28 ipfire charon: 12[IKE] CHILD_SA rekey collision
lost, deleting rekeyed child<br>
Dec 14 13:17:29 ipfire charon: 12[IKE] closing CHILD_SA
HudsonNew{10482} with SPIs cc4f7fb7_i (120 bytes) ccc34f5a_o (145
bytes) and TS 10.100.0.0/23 === 192.168.0.0/24<br>
Dec 14 13:17:29 ipfire charon: 12[IKE] closing CHILD_SA
HudsonNew{10482} with SPIs cc4f7fb7_i (120 bytes) ccc34f5a_o (145
bytes) and TS 10.100.0.0/23 === 192.168.0.0/24<br>
Dec 14 13:17:29 ipfire charon: 12[IKE] sending DELETE for ESP
CHILD_SA with SPI cc4f7fb7<br>
Dec 14 13:17:29 ipfire charon: 12[ENC] generating INFORMATIONAL
request 15 [ D ]<br>
Dec 14 13:17:29 ipfire charon: 12[NET] sending packet: from
xxx.xxx.xxx.xxx[4500] to yyy.yyy.yyy.yyy[4500] (69 bytes)<br>
Dec 14 13:17:29 ipfire charon: 06[NET] received packet: from
yyy.yyy.yyy.yyy[4500] to xxx.xxx.xxx.xxx[4500] (69 bytes)<br>
Dec 14 13:17:29 ipfire charon: 06[ENC] parsed INFORMATIONAL
request 11 [ D ]<br>
Dec 14 13:17:29 ipfire charon: 06[IKE] received DELETE for ESP
CHILD_SA with SPI c46ba5ea<br>
Dec 14 13:17:29 ipfire charon: 06[IKE] closing CHILD_SA
HudsonNew{10381} with SPIs c68f239f_i (83067013 bytes) c46ba5ea_o
(68814191 bytes) and TS 10.100.0.0/23 === 192.168.0.0/24<br>
Dec 14 13:17:29 ipfire charon: 06[IKE] closing CHILD_SA
HudsonNew{10381} with SPIs c68f239f_i (83067013 bytes) c46ba5ea_o
(68814191 bytes) and TS 10.100.0.0/23 === 192.168.0.0/24<br>
Dec 14 13:17:29 ipfire charon: 06[IKE] sending DELETE for ESP
CHILD_SA with SPI c68f239f<br>
Dec 14 13:17:29 ipfire charon: 06[IKE] CHILD_SA closed<br>
Dec 14 13:17:29 ipfire charon: 06[IKE] detected CHILD_REKEY
collision with CHILD_DELETE<br>
Dec 14 13:17:29 ipfire charon: 06[ENC] generating INFORMATIONAL
response 11 [ D ]<br>
Dec 14 13:17:29 ipfire charon: 06[NET] sending packet: from
xxx.xxx.xxx.xxx[4500] to yyy.yyy.yyy.yyy[4500] (69 bytes)<br>
Dec 14 13:17:29 ipfire charon: 15[NET] received packet: from
yyy.yyy.yyy.yyy[4500] to xxx.xxx.xxx.xxx[4500] (69 bytes)<br>
Dec 14 13:17:29 ipfire charon: 15[ENC] parsed INFORMATIONAL
response 15 [ D ]<br>
Dec 14 13:17:29 ipfire charon: 15[IKE] received DELETE for ESP
CHILD_SA with SPI ccc34f5a<br>
Dec 14 13:17:29 ipfire charon: 15[IKE] CHILD_SA closed<br>
Dec 14 13:17:29 ipfire vpn: client- C=US, ST=TX, O=MyOrg,
OU=Engineering Dept, CN=remoteoffice.mycompany.com 192.168.0.0/24
== yyy.yyy.yyy.yyy -- xxx.xxx.xxx.xxx == 10.100.0.0/23<br>
Dec 14 13:17:29 ipfire vpn: tunnel- yyy.yyy.yyy.yyy --
xxx.xxx.xxx.xxx<br>
Dec 14 13:17:29 ipfire vpn: snat- red0-xxx.xxx.xxx.xxx :
192.168.0.0/24 - 10.100.0.1</code><br>
<br>
After issuing "ipsec down TunnelName":<br>
<br>
<code>Dec 14 13:27:23 ipfire charon: 11[CFG] received stroke:
terminate 'HudsonNew'<br>
Dec 14 13:27:23 ipfire charon: 03[IKE] deleting IKE_SA
HudsonNew[365] between xxx.xxx.xxx.xxx[C=US, ST=TX, O=MyOrg,
OU=Engineering Dept,
CN=headquarters.mycompany.com]...yyy.yyy.yyy.yyy[C=US, ST=TX,
O=MyOrg, OU=Engineering Dept, CN=remoteoffice.mycompany.com]<br>
Dec 14 13:27:23 ipfire charon: 03[IKE] deleting IKE_SA
HudsonNew[365] between xxx.xxx.xxx.xxx[C=US, ST=TX, O=MyOrg,
OU=Engineering Dept,
CN=headquarters.mycompany.com]...yyy.yyy.yyy.yyy[C=US, ST=TX,
O=MyOrg, OU=Engineering Dept, CN=remoteoffice.mycompany.com]<br>
Dec 14 13:27:23 ipfire charon: 03[IKE] sending DELETE for IKE_SA
HudsonNew[365]<br>
Dec 14 13:27:23 ipfire charon: 03[ENC] generating INFORMATIONAL
request 17 [ D ]<br>
Dec 14 13:27:23 ipfire charon: 03[NET] sending packet: from
xxx.xxx.xxx.xxx[4500] to yyy.yyy.yyy.yyy[4500] (65 bytes)<br>
Dec 14 13:27:23 ipfire charon: 10[NET] received packet: from
yyy.yyy.yyy.yyy[4500] to xxx.xxx.xxx.xxx[4500] (57 bytes)<br>
Dec 14 13:27:23 ipfire charon: 10[ENC] parsed INFORMATIONAL
response 17 [ ]<br>
Dec 14 13:27:23 ipfire charon: 10[IKE] IKE_SA deleted<br>
Dec 14 13:27:23 ipfire charon: 10[IKE] IKE_SA deleted<br>
Dec 14 13:27:23 ipfire charon: 10[CHD] updown: iptables: No
chain/target/match by that name.<br>
Dec 14 13:27:23 ipfire charon: 10[CHD] updown: iptables: Bad rule
(does a matching rule exist in that chain?).<br>
Dec 14 13:27:23 ipfire charon: 10[CHD] updown: iptables: Bad rule
(does a matching rule exist in that chain?).<br>
Dec 14 13:27:23 ipfire charon: 10[CHD] updown: iptables: No
chain/target/match by that name.<br>
Dec 14 13:27:23 ipfire charon: 10[CHD] updown: iptables: Bad rule
(does a matching rule exist in that chain?).<br>
Dec 14 13:27:23 ipfire vpn: client- C=US, ST=TX, O=MyOrg,
OU=Engineering Dept, CN=remoteoffice.mycompany.com 192.168.0.0/24
== yyy.yyy.yyy.yyy -- xxx.xxx.xxx.xxx == 10.100.0.0/23<br>
Dec 14 13:27:23 ipfire charon: 10[CHD] updown: iptables: Bad rule
(does a matching rule exist in that chain?).<br>
Dec 14 13:27:23 ipfire last message repeated 2 times<br>
Dec 14 13:27:23 ipfire vpn: tunnel- yyy.yyy.yyy.yyy --
xxx.xxx.xxx.xxx<br>
Dec 14 13:27:23 ipfire charon: 10[CHD] updown: iptables: No
chain/target/match by that name.<br>
Dec 14 13:27:23 ipfire vpn: snat- unknown-xxx.xxx.xxx.xxx :
192.168.0.0/24 - 10.100.0.1</code>
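<br>
<br>
As an added example (not from this post, nor from strongSwan or IPFire), here is a small Python parser that replays the charon CHILD_SA lines quoted above and flags the conditions the post describes: rekey collisions, a tunnel left with more or fewer than one installed CHILD_SA, and iptables errors reported by the updown script. The sample log is a constructed, condensed subset of the lines above; the regexes assume the default charon log wording shown there.<br>
<br>

```python
import re
# Constructed sample: a condensed subset of the charon lines quoted in the post above.
SAMPLE_LOG = """\
Dec 14 13:17:28 ipfire charon: 05[IKE] CHILD_SA HudsonNew{10483} established with SPIs cc94730d_i c654401c_o and TS 10.100.0.0/23 === 192.168.0.0/24
Dec 14 13:17:28 ipfire charon: 05[IKE] detected CHILD_REKEY collision with CHILD_REKEY
Dec 14 13:17:28 ipfire charon: 12[IKE] CHILD_SA HudsonNew{10482} established with SPIs cc4f7fb7_i ccc34f5a_o and TS 10.100.0.0/23 === 192.168.0.0/24
Dec 14 13:17:28 ipfire charon: 12[IKE] CHILD_SA rekey collision lost, deleting rekeyed child
Dec 14 13:17:29 ipfire charon: 12[IKE] closing CHILD_SA HudsonNew{10482} with SPIs cc4f7fb7_i (120 bytes) ccc34f5a_o (145 bytes) and TS 10.100.0.0/23 === 192.168.0.0/24
Dec 14 13:17:29 ipfire charon: 06[IKE] closing CHILD_SA HudsonNew{10381} with SPIs c68f239f_i (83067013 bytes) c46ba5ea_o (68814191 bytes) and TS 10.100.0.0/23 === 192.168.0.0/24
Dec 14 13:17:29 ipfire charon: 06[IKE] detected CHILD_REKEY collision with CHILD_DELETE
Dec 14 13:27:23 ipfire charon: 10[CHD] updown: iptables: Bad rule (does a matching rule exist in that chain?).
"""

ESTABLISHED = re.compile(r"CHILD_SA (\S+\{\d+\}) established with SPIs ([0-9a-f]+)_i ([0-9a-f]+)_o")
CLOSING = re.compile(r"closing CHILD_SA (\S+\{\d+\}) with SPIs [0-9a-f]+_i \((\d+) bytes\) [0-9a-f]+_o \((\d+) bytes\)")
COLLISION = re.compile(r"detected (CHILD_\w+) collision with (CHILD_\w+)")
UPDOWN_ERR = re.compile(r"updown: iptables: (.+)")

def analyze(log_text):
    """Replay charon CHILD_SA events; return what stays installed plus warning signs."""
    active, closed, collisions, updown = {}, {}, [], []
    for line in log_text.splitlines():
        if (m := ESTABLISHED.search(line)):
            active[m.group(1)] = (m.group(2), m.group(3))  # (SPI in, SPI out)
        elif (m := CLOSING.search(line)):
            # Byte counters show which SA actually carried traffic before teardown.
            closed[m.group(1)] = (int(m.group(2)), int(m.group(3)))
            active.pop(m.group(1), None)
        elif (m := COLLISION.search(line)):
            collisions.append((m.group(1), m.group(2)))
        elif (m := UPDOWN_ERR.search(line)):
            updown.append(m.group(1))
    return {"active": active, "closed": closed, "collisions": collisions, "updown_errors": updown}

def warnings(summary):
    """Operator-facing findings; empty when the replay looks healthy."""
    out = []
    if summary["collisions"]:
        out.append("rekey collision(s): " + ", ".join("%s vs %s" % c for c in summary["collisions"]))
    if len(summary["active"]) != 1:
        out.append("expected exactly one CHILD_SA per tunnel, found %d" % len(summary["active"]))
    busy = [n for n, (i, o) in summary["closed"].items() if i + o > 0]
    if busy and summary["collisions"]:
        out.append("SA that carried traffic was torn down around the collision: " + ", ".join(busy))
    if summary["updown_errors"]:
        out.append("updown reported %d iptables error(s); firewall/NAT rules may be stale" % len(summary["updown_errors"]))
    return out

if __name__ == "__main__":
    print("\n".join(warnings(analyze(SAMPLE_LOG))))
```

Run it over the full charon log (for example the output of journalctl or /var/log/messages filtered for the connection name) to see which CHILD_SA instance survived the collision and whether the updown script left rules behind.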
</body>
</html>