[strongSwan-dev] ESP packets dropped.
bhashkar prakash singh
singh.bhashkar at gmail.com
Sat Jun 20 06:22:44 CEST 2015
Hi,
I need some help with a peculiar problem that we are facing in this IPSec
setup.
First of all I will describe the kind of IPSec setup the customer is using in
his network.
Cust.jpg
<https://drive.google.com/file/d/0B4ZfPbrUfHkZa2FRZkNjeVo0Y0k/edit?usp=drive_web>
The customer has a network as per the attached diagram. My device (in the
diagram, the cell sites) has two routes, via Cisco routers AR1 and AR2, to a
Juniper gateway. The path via AR1 is the primary route through which the IPSec
tunnels are established. If the primary link goes down, the sites have the BFD
protocol enabled; it detects the link down and the path is re-routed via router AR2.
The problem the customer is facing: when the primary link goes down, BFD is
detecting the link down and the rerouting is also happening properly, but we
are seeing ESP packets dropped.
Generally after the reroute, packets should flow as if nothing has happened,
because BFD has detected the link down and has added a new route. But packets
are getting dropped due to an SPI mismatch. The device recovers only when a
rekey happens. The rekey time is 2 hours. Initially we suspected that maybe
the network has an issue via router AR2 or the gateway is misbehaving, but
then the device should not receive ESP packets.
In our application code we are seeing many tunnel deletion requests coming
from strongSwan via netlink messages for SPIs that do not exist now. These are
huge in number. It looks like strongSwan or the Linux kernel has stored all
the old SPIs that were used sometime in the past for packet encryption and
decryption, and when the present tunnel goes down, it is trying to delete all
the past tunnels for all the old SPIs. But since the tunnel is not present,
"spi not found" prints are coming. *But my doubt is: why is a tunnel deletion
request coming for an SPI that does not exist?* Generally when a tunnel is
deleted due to rekey or some other problem, all tunnels and the corresponding
SPIs should be cleared at once.
not present 468 468 2258133644
43081367 OCT_System WARNING Wed Apr 22 2015 08:41:31 768ms
syslogd.c(134) OCT_syslogd: ipda_cv:
processXfrmSaMessage(): conn(*spi=0xcfa6556b*,dstIp=0xa00a194) not present
468 468 2260373638
43081380 OCT_System WARNING Wed Apr 22 2015 08:41:32 658ms
syslogd.c(134) OCT_syslogd: ipda_cv:
processXfrmSaMessage(): conn(*spi=0xcae0db97*,dstIp=0xa00a194) not present
468 468 2261263695
43081395 OCT_System WARNING Wed Apr 22 2015 08:41:34 487ms
syslogd.c(134) OCT_syslogd: ipda_cv:
processXfrmSaMessage(): conn(spi=0xc7469ad2,dstIp=0xa00a194) not present
468 468 2263093559
43081408 OCT_System WARNING Wed Apr 22 2015 08:41:35 367ms
syslogd.c(134) OCT_syslogd: ipda_cv:
processXfrmSaMessage(): conn(spi=0xc3d42a66,dstIp=0xa00a194) not present
468 468 2263973563
Also, we are seeing a lot of prints in strongSwan like this. It looks like
strongSwan is trying to establish the CHILD_SA but it is not able to do so:
43088969 OCT_syslogd INFO Wed Apr 22 2015 08:53:19 888ms
syslogd.c(134) charon: 12[IKE] establishing CHILD_SA
conn10{6}
468 468 2968494109
43088970 OCT_syslogd INFO Wed Apr 22 2015 08:53:19 888ms
syslogd.c(134) charon: 12[IKE] establishing CHILD_SA
conn10{6}
I am not able to understand why so many prints are coming as above and why
strongSwan is taking so much time to establish the CHILD_SA.
And finally we are seeing that the CHILD_SA is established.
Once the CHILD_SA is established, everything is fine. The site recovers and
packets start flowing.
43090893 OCT_syslogd INFO Wed Apr 22 2015 08:55:54 838ms
syslogd.c(134) charon: 11[IKE] CHILD_SA conn10{14}
established with SPIs c6d3b37b_i 055e896c_o and TS 0.0.0.0/0 === 0.0.0.0/0
468 468 3123443800
43090894 OCT_syslogd INFO Wed Apr 22 2015 08:55:54 838ms
syslogd.c(134) charon: 11[IKE] CHILD_SA conn10{14}
established with SPIs c6d3b37b_i 055e896c_o and TS 0.0.0.0/0 === 0.0.0.0/0
468 468 3123443824
Any input about the above symptoms will be a great help.
Thanks & Regards,
Bhashkar
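A small triage script for logs like the ones quoted above (an added example, not code from the post or from the strongSwan project): it parses constructed sample lines modelled on the excerpts, groups the "not present" SPIs per peer address (decoding the hex dstIp the application prints), counts the repeated "establishing CHILD_SA" lines per connection, and measures how long the outage lasted until a CHILD_SA came up. The log format and field layout are assumed from the excerpts in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the syslog excerpts quoted in the post (timestamps
# and SPIs taken from it, each entry on one line, one stale SPI repeated on purpose).
SAMPLE_LOG = """\
43081367 OCT_System WARNING Wed Apr 22 2015 08:41:31 768ms syslogd.c(134) OCT_syslogd: ipda_cv: processXfrmSaMessage(): conn(spi=0xcfa6556b,dstIp=0xa00a194) not present
43081380 OCT_System WARNING Wed Apr 22 2015 08:41:32 658ms syslogd.c(134) OCT_syslogd: ipda_cv: processXfrmSaMessage(): conn(spi=0xcae0db97,dstIp=0xa00a194) not present
43081395 OCT_System WARNING Wed Apr 22 2015 08:41:34 487ms syslogd.c(134) OCT_syslogd: ipda_cv: processXfrmSaMessage(): conn(spi=0xcfa6556b,dstIp=0xa00a194) not present
43088969 OCT_syslogd INFO Wed Apr 22 2015 08:53:19 888ms syslogd.c(134) charon: 12[IKE] establishing CHILD_SA conn10{6}
43088970 OCT_syslogd INFO Wed Apr 22 2015 08:53:19 888ms syslogd.c(134) charon: 12[IKE] establishing CHILD_SA conn10{6}
43090893 OCT_syslogd INFO Wed Apr 22 2015 08:55:54 838ms syslogd.c(134) charon: 11[IKE] CHILD_SA conn10{14} established with SPIs c6d3b37b_i 055e896c_o and TS 0.0.0.0/0 === 0.0.0.0/0
"""

TS_RE = re.compile(r"(\w{3} \w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})")
NOT_PRESENT_RE = re.compile(r"conn\(spi=(0x[0-9a-f]+),dstIp=0x([0-9a-f]+)\) not present")
ESTABLISHING_RE = re.compile(r"establishing CHILD_SA (\S+)")
ESTABLISHED_RE = re.compile(r"CHILD_SA (\S+) established with SPIs ([0-9a-f]+)_i ([0-9a-f]+)_o")

def hex_ip(h):
    """Render the hex dstIp the application prints (e.g. a00a194) as a dotted quad."""
    n = int(h, 16)
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def analyse(log_text):
    """Summarise one outage: stale SPIs per peer, CHILD_SA attempts, recovery delay."""
    stale = defaultdict(set)     # peer -> SPIs the kernel asked us to delete but we never had
    attempts = defaultdict(int)  # conn -> number of 'establishing CHILD_SA' lines
    established = []             # (conn, spi_in, spi_out) once a CHILD_SA comes up
    first_stale = first_up = None
    stale_events = 0
    for line in log_text.splitlines():
        m_ts = TS_RE.search(line)
        ts = datetime.strptime(m_ts.group(1), "%a %b %d %Y %H:%M:%S") if m_ts else None
        if m := NOT_PRESENT_RE.search(line):
            stale[hex_ip(m.group(2))].add(m.group(1))
            stale_events += 1
            first_stale = first_stale or ts
        elif m := ESTABLISHING_RE.search(line):
            attempts[m.group(1)] += 1
        elif m := ESTABLISHED_RE.search(line):
            established.append((m.group(1), m.group(2), m.group(3)))
            first_up = first_up or ts
    # Seconds from the first stale-SPI delete to the first CHILD_SA that came up.
    outage = int((first_up - first_stale).total_seconds()) if first_stale and first_up else None
    return {"stale_spis": {p: sorted(s) for p, s in stale.items()},
            "stale_events": stale_events, "establishing_attempts": dict(attempts),
            "established": established, "outage_seconds": outage}
```

Run over a real syslog export, a long list of stale SPIs for one peer together with a recovery delay close to the rekey interval is the signature the post describes.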