[strongSwan-dev] StrongSwan negotiated two pairs of IPsec SAs that lead to occasional connectivity issue

Ansis Atteka aatteka at nicira.com
Sat Aug 1 04:35:30 CEST 2015


We are seeing occasional connectivity issues caused by IPsec (either
by Linux Kernel IPsec stack or StrongSwan). At the time of seeing this
connectivity issue I captured output of:
1) ip -s xfrm state
2) ip -s xfrm policy
3) ipsec statusall

Raw output of those commands is in the attachment (host .148 and
.149). After looking into the 'ip xfrm' output I decided to create a
shell script that would manually restore Linux Kernel IPsec
configuration to the same state that strongSwan pushed to it. This way
I was able to reproduce this bug 100% of the time (see scripts
spoofer_on_148 and spoofer_on_149 that restore XFRM state in the Linux
kernel to what strongSwan pushed).

Basically the symptoms of this bug are:
1) It goes away on IKE_SA rekey
2) And for one IPsec SA bytes_o remains set to 0 while for the other
SA bytes_i remains set to 0 (like if both SAs are being partially
used):
192.168.2.149{1}:  AES_CBC_128/HMAC_SHA1_96, *0 bytes_i*, 12871
bytes_o (111 pkts, 34s ago), rekeying in 33 minutes
192.168.2.149{4}:  AES_CBC_128/HMAC_SHA1_96, 45023 bytes_i (724 pkts,
0s ago), *0 bytes_o*, rekeying in 35 minutes

Is this a known issue?

Best regards,
Ansis Atteka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: policies_148
Type: application/octet-stream
Size: 5290 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20150731/165029f8/attachment-0008.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: state_148
Type: application/octet-stream
Size: 4186 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20150731/165029f8/attachment-0009.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: statusall_148
Type: application/octet-stream
Size: 3608 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20150731/165029f8/attachment-0010.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: policies_149
Type: application/octet-stream
Size: 5290 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20150731/165029f8/attachment-0011.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: statusall_149
Type: application/octet-stream
Size: 3604 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20150731/165029f8/attachment-0012.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: state_149
Type: application/octet-stream
Size: 4183 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20150731/165029f8/attachment-0013.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: spoofer_on_148
Type: application/octet-stream
Size: 1216 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20150731/165029f8/attachment-0014.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: spoofer_on_149
Type: application/octet-stream
Size: 1254 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20150731/165029f8/attachment-0015.obj>
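Added example, not from the post or from strongSwan: a small Python checker that parses CHILD_SA lines in the layout quoted above and flags a peer that has one SA with bytes_i at 0 and another with bytes_o at 0, i.e. the split-usage pattern the post describes. The sample input is constructed from the two quoted lines plus a healthy SA for contrast; the field layout is assumed to match those quoted lines.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the two lines quoted in the post, plus one
# healthy SA (peer .150) that should not be flagged. Emphasis asterisks are
# stripped before parsing.
SAMPLE = """\
192.168.2.149{1}:  AES_CBC_128/HMAC_SHA1_96, *0 bytes_i*, 12871 bytes_o (111 pkts, 34s ago), rekeying in 33 minutes
192.168.2.149{4}:  AES_CBC_128/HMAC_SHA1_96, 45023 bytes_i (724 pkts, 0s ago), *0 bytes_o*, rekeying in 35 minutes
192.168.2.150{2}:  AES_CBC_128/HMAC_SHA1_96, 9001 bytes_i (80 pkts, 1s ago), 8800 bytes_o (79 pkts, 1s ago), rekeying in 40 minutes
"""

# peer{id}: <algs>, <n> bytes_i [ (pkts, age) ], <n> bytes_o ...
SA_RE = re.compile(
    r"^(?P<peer>[\d.]+)\{(?P<id>\d+)\}:\s+\S+,\s+"
    r"(?P<bi>\d+) bytes_i.*?,\s+(?P<bo>\d+) bytes_o"
)


def parse_child_sas(text):
    """Return one dict per CHILD_SA line: peer, SA id, bytes_i, bytes_o."""
    sas = []
    for line in text.replace("*", "").splitlines():
        m = SA_RE.match(line.strip())
        if m:
            sas.append({"peer": m["peer"], "id": int(m["id"]),
                        "bytes_i": int(m["bi"]), "bytes_o": int(m["bo"])})
    return sas


def find_split_sa_pairs(sas):
    """Flag peers that have one SA carrying only outbound traffic and
    another carrying only inbound traffic: each direction is using a
    different SA pair, which is the symptom reported in the post."""
    by_peer = defaultdict(list)
    for sa in sas:
        by_peer[sa["peer"]].append(sa)
    findings = []
    for peer, group in by_peer.items():
        in_dead = sorted(s["id"] for s in group if s["bytes_i"] == 0 and s["bytes_o"] > 0)
        out_dead = sorted(s["id"] for s in group if s["bytes_o"] == 0 and s["bytes_i"] > 0)
        if in_dead and out_dead:
            findings.append((peer, in_dead, out_dead))
    return findings


if __name__ == "__main__":
    for peer, in_dead, out_dead in find_split_sa_pairs(parse_child_sas(SAMPLE)):
        print(f"{peer}: SA {in_dead} never receives, SA {out_dead} never sends")
```

Feed it the CHILD_SA section of `ipsec statusall` to spot the condition before users report drops.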

