[strongSwan-dev] [StrongSwan]:IPSEC: StrongSwan: reqid mismatching between SA and SP
jegathesh malaiyappan
mjegakathir at gmail.com
Tue Jan 8 07:11:56 CET 2013
>
> Hi All,
>
> Strongswan Version: Linux strongSwan U4.5.0/K2.6.32.58
>
> I am facing the issue in allocating the req id for IPSec tunnel and
> Policy.
>
> If we have both the side become a initiator then two SA (in & out) tunnels
> created for Single SP.
>
> "reqid" is mismatching between SA and SP.
>
> Node A <------------> Node B
>
> Tunnel established between Node A and Node B.
>
> I am sending the Ping from Node A to Node B and its failing.
>
> Sender Side: (PING Request)
> =========================
>
> root at 10:~ >ping -I 2.2.2.2 12.12.12.12
> PING 12.12.12.12 (12.12.12.12) from 2.2.2.2 : 56(84) bytes of data.
> 01:21:03.207543 IP 10.10.10.10 > 10.10.10.11: ESP(spi=0xc869e935,seq=0x1f),
> length 96
> 01:21:04.208366 IP 10.10.10.10 > 10.10.10.11:
> ESP(spi=0xc869e935,seq=0x20), length 96
>
> Security Association Table:
> ========================
> root at 10:~ >ip x s
> src 10.10.10.10 dst 10.10.10.11
> proto esp spi 0xc869e935 reqid 1 mode tunnel
> replay-window 0 flag 20
> auth hmac(sha1) 0x000e5af11f3ff6385af7c1452e1e472b5e997f16
> enc cbc(aes) 0x6eca8ddfa393bb18207de3e75e60bd1d
> src 10.10.10.11 dst 10.10.10.10
> proto esp spi 0xc699d2d5 reqid 1 mode tunnel
> replay-window 0 flag 20
> auth hmac(sha1) 0xc8b39b92ac18c211f5eb32cd6d7d9e10095b0413
> enc cbc(aes) 0x4997e1f2a391bfdaf1e251fcd18eafd7
> src 10.10.10.10 dst 10.10.10.11
> proto esp spi 0xc6c50120 reqid 2 mode tunnel
> replay-window 0 flag 20
> auth hmac(sha1) 0xf132e706c40deeda21e9147f2dee624423468fa0
> enc cbc(aes) 0xafdf0fa8e923e35112ace1975044cc75
> src 10.10.10.11 dst 10.10.10.10
> proto esp spi 0xc599369c reqid 2 mode tunnel
> replay-window 0 flag 20
> auth hmac(sha1) 0xbf6a1a52216d4daebb5bb18f9b84e119a7248c9e
> enc cbc(aes) 0xed45eb6c03ae379b0c51c6739fb74bf9
> root at 10:~ >
>
>
> Receiver Side:
> =============
> root at 10:~ >01:23:28.005013 IP 10.10.10.10 > 10.10.10.11: ESP(
> spi=0xc869e935,seq=0x22), length 94
> 01:23:28.005090 IP 2.2.2.2 > 12.12.12.12: ICMP echo request, id 10901,
> seq 1, length 64
>
> Security Association:
> =================
> root at 10:~ >ip x s
> src 10.10.10.11 dst 10.10.10.10
> proto esp spi 0xc599369c reqid 1 mode tunnel
> replay-window 0 flag 20
> auth hmac(sha1) 0xbf6a1a52216d4daebb5bb18f9b84e119a7248c9e
> enc cbc(aes) 0xed45eb6c03ae379b0c51c6739fb74bf9
> src 10.10.10.10 dst 10.10.10.11
> proto esp spi 0xc6c50120 reqid 1 mode tunnel
> replay-window 0 flag 20
> auth hmac(sha1) 0xf132e706c40deeda21e9147f2dee624423468fa0
> enc cbc(aes) 0xafdf0fa8e923e35112ace1975044cc75
> src 10.10.10.11 dst 10.10.10.10
> proto esp spi 0xc699d2d5 reqid 2 mode tunnel
> replay-window 0 flag 20
> auth hmac(sha1) 0xc8b39b92ac18c211f5eb32cd6d7d9e10095b0413
> enc cbc(aes) 0x4997e1f2a391bfdaf1e251fcd18eafd7
> src 10.10.10.10 dst 10.10.10.11
> proto esp spi 0xc869e935 reqid 2 mode tunnel
> replay-window 0 flag 20
> auth hmac(sha1) 0x000e5af11f3ff6385af7c1452e1e472b5e997f16
> enc cbc(aes) 0x6eca8ddfa393bb18207de3e75e60bd1d
>
> Security Policy:
> =============
> root at 10:~ >ip x p
> src 2.2.2.2/32 dst 12.12.12.12/32
> dir fwd priority 1
> tmpl src 10.10.10.10 dst 10.10.10.11
> proto esp reqid 1 mode tunnel
> src 2.2.2.2/32 dst 12.12.12.12/32
> dir in priority 1
> tmpl src 10.10.10.10 dst 10.10.10.11
> proto esp reqid 1 mode tunnel
> src 12.12.12.12/32 dst 2.2.2.2/32
> dir out priority 1
> tmpl src 10.10.10.11 dst 10.10.10.10
> proto esp reqid 1 mode tunnel
>
>
> root at 10:~ >cat /proc/net/xfrm_stat
> XfrmInError 0
> XfrmInBufferError 0
> XfrmInHdrError 0
> XfrmInNoStates 10
> XfrmInStateProtoError 0
> XfrmInStateModeError 0
> XfrmInStateSeqError 0
> XfrmInStateExpired 0
> XfrmInStateMismatch 0
> XfrmInStateInvalid 0
> XfrmInTmplMismatch 121
> XfrmInNoPols 0
> XfrmInPolBlock 0
>
>
> Please help me on this.
>
> Thanks.
>
> Regards,
> Jegathesh
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20130108/e5c18872/attachment.html>
More information about the Dev
mailing list