[strongSwan] strongswan seems to go mad after some time

Christoph Anton Mitterer calestyo at scientia.net
Mon Oct 4 11:50:20 CEST 2010


Hi.

I have (again ;) ) some problems with my strongswan. It seems to go crazy
after running for some time.

It's basically the same configuration as described here
https://lists.strongswan.org/pipermail/users/2010-October/005328.html, just
with ike = esp = aes256-sha1-modp2048! now, and one host having auto =
start while the other has auto = add.


For some time after I started it (ipsec start) on both everything seems to
be ok.
There is one connection (AFAIU):
# ipsec status
Security Associations:
kronecker.scientia.net[1]: ESTABLISHED 4 minutes ago, 84.16.235.61[C=DE,
ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking,
CN=hilbert.scientia.net]...77.37.6.134[C=DE, ST=Freistaat Bayern,
O=scientia.net, OU=Communications and Networking,
CN=kronecker.scientia.net]
kronecker.scientia.net{1}:  INSTALLED, TUNNEL, ESP SPIs: c9c91468_i
c5585f86_o
kronecker.scientia.net{1}:   84.16.235.61/32 === 77.37.6.134/32 

And DPD INFORMATIONAL packets are sent every 30s (as configured):
Oct  4 11:40:59 hilbert charon: 16[NET] received packet: from
77.37.6.134[4500] to 84.16.235.61[4500]
Oct  4 11:40:59 hilbert charon: 16[ENC] parsed INFORMATIONAL request 4 [ ]
Oct  4 11:40:59 hilbert charon: 16[ENC] generating INFORMATIONAL response
4 [ ]
Oct  4 11:40:59 hilbert charon: 16[NET] sending packet: from
84.16.235.61[4500] to 77.37.6.134[4500]
Oct  4 11:41:29 hilbert charon: 01[NET] received packet: from
77.37.6.134[4500] to 84.16.235.61[4500]
Oct  4 11:41:29 hilbert charon: 01[ENC] parsed INFORMATIONAL request 5 [ ]
Oct  4 11:41:29 hilbert charon: 01[ENC] generating INFORMATIONAL response
5 [ ]
Oct  4 11:41:29 hilbert charon: 01[NET] sending packet: from
84.16.235.61[4500] to 77.37.6.134[4500]


btw: I do not understand why port 4500 is used. I shouldn't have a NATed
setup. Only the first
Oct  4 11:37:36 hilbert charon: 12[NET] sending packet: from
84.16.235.61[500] to 77.37.6.134[500]
Oct  4 11:37:37 hilbert charon: 15[NET] received packet: from
77.37.6.134[500] to 84.16.235.61[500]
Oct  4 11:37:37 hilbert charon: 15[ENC] parsed IKE_SA_INIT response 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]

seems to use port 500.

Nevertheless.
After some time (an hour or so) the following seems to happen:
- INFORMATIONAL messages are sent much more often (as far as I can see several
times per second)
- New connections are established (__many__ times per second)
- charon eats up about 10% of my CPU then.


The following seems to be "about" the point where the evil starts (but the
INFORMATIONAL message frequency is already much higher than the 30s there).
##########################################################################################################################################
Oct  4 05:58:07 hilbert charon: 16[ENC] parsed INFORMATIONAL request 267 [
]
Oct  4 05:58:07 hilbert charon: 16[ENC] generating INFORMATIONAL response
267 [ ]
Oct  4 05:58:07 hilbert charon: 16[NET] sending packet: from
84.16.235.61[4500] to 77.37.6.134[4500]
Oct  4 05:58:18 hilbert charon: 08[NET] received packet: from
77.37.6.134[4500] to 84.16.235.61[4500]
Oct  4 05:58:18 hilbert charon: 08[ENC] parsed INFORMATIONAL request 223 [
]
Oct  4 05:58:18 hilbert charon: 08[ENC] generating INFORMATIONAL response
223 [ ]
Oct  4 05:58:18 hilbert charon: 08[NET] sending packet: from
84.16.235.61[4500] to 77.37.6.134[4500]
Oct  4 05:58:28 hilbert charon: 12[NET] received packet: from
77.37.6.134[4500] to 84.16.235.61[4500]
Oct  4 05:58:28 hilbert charon: 12[ENC] parsed INFORMATIONAL request 268 [
D ]
Oct  4 05:58:28 hilbert charon: 12[IKE] received DELETE for IKE_SA
kronecker.scientia.net[2]
Oct  4 05:58:28 hilbert charon: 12[IKE] deleting IKE_SA
kronecker.scientia.net[2] between 84.16.235.61[C=DE, ST=Freistaat Bayern,
O=scientia.net, OU=Co
Oct  4 05:58:28 hilbert charon: 12[IKE] restarting CHILD_SA
kronecker.scientia.net
Oct  4 05:58:28 hilbert charon: 12[IKE] initiating IKE_SA
kronecker.scientia.net[4] to 77.37.6.134
Oct  4 05:58:28 hilbert charon: 12[ENC] generating IKE_SA_INIT request 0 [
SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct  4 05:58:28 hilbert charon: 12[NET] sending packet: from
84.16.235.61[500] to 77.37.6.134[500]
Oct  4 05:58:28 hilbert charon: 12[IKE] IKE_SA deleted
Oct  4 05:58:28 hilbert charon: 12[ENC] generating INFORMATIONAL response
268 [ ]
Oct  4 05:58:28 hilbert charon: 12[NET] sending packet: from
84.16.235.61[4500] to 77.37.6.134[4500]
Oct  4 05:58:28 hilbert charon: 03[NET] received packet: from
77.37.6.134[500] to 84.16.235.61[500]
Oct  4 05:58:28 hilbert charon: 03[ENC] parsed IKE_SA_INIT request 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct  4 05:58:28 hilbert charon: 03[IKE] 77.37.6.134 is initiating an
IKE_SA
Oct  4 05:58:28 hilbert charon: 03[IKE] sending cert request for "C=DE,
ST=Freistaat Bayern, L=M?nchen, O=scientia.net, OU=Communications and
Networkin
Oct  4 05:58:28 hilbert charon: 03[ENC] generating IKE_SA_INIT response 0
[ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct  4 05:58:28 hilbert charon: 03[NET] sending packet: from
84.16.235.61[500] to 77.37.6.134[500]
Oct  4 05:58:28 hilbert charon: 15[NET] received packet: from
77.37.6.134[500] to 84.16.235.61[500]
Oct  4 05:58:28 hilbert charon: 15[ENC] parsed IKE_SA_INIT response 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct  4 05:58:28 hilbert charon: 15[IKE] received cert request for "C=DE,
ST=Freistaat Bayern, L=M?nchen, O=scientia.net, OU=Communications and
Networki
Oct  4 05:58:28 hilbert charon: 15[IKE] sending cert request for "C=DE,
ST=Freistaat Bayern, L=M?nchen, O=scientia.net, OU=Communications and
Networkin
Oct  4 05:58:29 hilbert charon: 15[IKE] authentication of 'C=DE,
ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking,
CN=hilbert.scie
Oct  4 05:58:29 hilbert charon: 15[IKE] sending end entity cert "C=DE,
ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking,
CN=hilber
Oct  4 05:58:29 hilbert charon: 15[IKE] establishing CHILD_SA
kronecker.scientia.net
Oct  4 05:58:29 hilbert charon: 15[ENC] generating IKE_AUTH request 1 [
IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR)
N(ADD_4_ADDR)
Oct  4 05:58:29 hilbert charon: 15[NET] sending packet: from
84.16.235.61[4500] to 77.37.6.134[4500]
Oct  4 05:58:29 hilbert charon: 02[NET] received packet: from
77.37.6.134[4500] to 84.16.235.61[4500]
Oct  4 05:58:29 hilbert charon: 02[ENC] parsed IKE_AUTH request 1 [ IDi
CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR)
N(AD
Oct  4 05:58:29 hilbert charon: 02[IKE] received cert request for "C=DE,
ST=Freistaat Bayern, L=M?nchen, O=scientia.net, OU=Communications and
Networki
Oct  4 05:58:29 hilbert charon: 02[IKE] received end entity cert "C=DE,
ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking,
CN=krone
Oct  4 05:58:29 hilbert charon: 02[CFG] looking for peer configs matching
84.16.235.61[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications
and
Oct  4 05:58:29 hilbert charon: 02[CFG] selected peer config
'kronecker.scientia.net'
##########################################################################################################################################


In ipsec statusall this looks about like this:
##########################################################################################################################################
root at hilbert:~# ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.4.1):
  uptime: 10 hours, since Oct 04 00:46:51 2010
  malloc: sbrk 8548352, mmap 528384, used 2459088, free 6089264
  worker threads: 7 idle of 16, job queue load: 0, scheduled events: 14816
  loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1
pgp dnskey pem openssl fips-prf xcbc hmac agent gmp attr resolve
kernel-netlink socket-raw farp stroke updown eap-identity eap-aka eap-md5
eap-gtc eap-mschapv2 dhcp 
Listening IP addresses:
  84.16.235.61
  84.16.242.145
  84.16.226.65
  84.16.242.146
Connections:
kronecker.scientia.net:  84.16.235.61...77.37.6.134, dpddelay=30s
kronecker.scientia.net:   local:  [C=DE, ST=Freistaat Bayern,
O=scientia.net, OU=Communications and Networking, CN=hilbert.scientia.net]
uses public key authentication
kronecker.scientia.net:    cert:  "C=DE, ST=Freistaat Bayern,
O=scientia.net, OU=Communications and Networking, CN=hilbert.scientia.net"
kronecker.scientia.net:   remote: [C=DE, ST=Freistaat Bayern,
O=scientia.net, OU=Communications and Networking,
CN=kronecker.scientia.net] uses public key authentication
kronecker.scientia.net:   child:  dynamic === dynamic , dpdaction=restart
Security Associations:
kronecker.scientia.net[17515]: ESTABLISHED 11 minutes ago,
84.16.235.61[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications
and Networking, CN=hilbert.scientia.net]...77.37.6.134[C=DE, ST=Freistaat
Bayern, O=scientia.net, OU=Communications and Networking,
CN=kronecker.scientia.net]
kronecker.scientia.net[17515]: IKE SPIs: fb65e86e78eecb88_i
030a6e93bb445170_r*, public key reauthentication in 2 hours
kronecker.scientia.net[17515]: IKE proposal:
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
kronecker.scientia.net{17515}:  INSTALLED, TUNNEL, ESP SPIs: c8f52903_i
c8ab07bb_o
kronecker.scientia.net{17515}:  AES_CBC_256/HMAC_SHA1_96, 220 bytes_i, 0
bytes_o, rekeying in 35 minutes
kronecker.scientia.net{17515}:   84.16.235.61/32 === 77.37.6.134/32 
kronecker.scientia.net[18206]: ESTABLISHED 0 seconds ago,
84.16.235.61[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications
and Networking, CN=hilbert.scientia.net]...77.37.6.134[C=DE, ST=Freistaat
Bayern, O=scientia.net, OU=Communications and Networking,
CN=kronecker.scientia.net]
kronecker.scientia.net[18206]: IKE SPIs: fe4e57268867fb98_i*
0426fccdb6010cf3_r, public key reauthentication in 2 hours
kronecker.scientia.net[18206]: IKE proposal:
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
kronecker.scientia.net{18206}:  INSTALLED, TUNNEL, ESP SPIs: c0e64091_i
c38cfe64_o
kronecker.scientia.net{18206}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0
bytes_o, rekeying in 42 minutes
kronecker.scientia.net{18206}:   84.16.235.61/32 === 77.37.6.134/32 
kronecker.scientia.net[18207]: CONNECTING, 84.16.235.61[C=DE, ST=Freistaat
Bayern, O=scientia.net, OU=Communications and Networking,
CN=hilbert.scientia.net]...77.37.6.134[C=DE, ST=Freistaat Bayern,
O=scientia.net, OU=Communications and Networking,
CN=kronecker.scientia.net]
kronecker.scientia.net[18207]: IKE SPIs: 1e1225a6d1866a50_i*
f872c329313ca40e_r
kronecker.scientia.net[18207]: IKE proposal:
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
kronecker.scientia.net[18207]: Tasks active: IKE_CERT_PRE IKE_AUTHENTICATE
IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE 
root at hilbert:~# ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.4.1):
  uptime: 10 hours, since Oct 04 00:46:50 2010
  malloc: sbrk 8548352, mmap 528384, used 2466656, free 6081696
  worker threads: 7 idle of 16, job queue load: 0, scheduled events: 14817
  loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1
pgp dnskey pem openssl fips-prf xcbc hmac agent gmp attr resolve
kernel-netlink socket-raw farp stroke updown eap-identity eap-aka eap-md5
eap-gtc eap-mschapv2 dhcp 
Listening IP addresses:
  84.16.235.61
  84.16.242.145
  84.16.226.65
  84.16.242.146
Connections:
kronecker.scientia.net:  84.16.235.61...77.37.6.134, dpddelay=30s
kronecker.scientia.net:   local:  [C=DE, ST=Freistaat Bayern,
O=scientia.net, OU=Communications and Networking, CN=hilbert.scientia.net]
uses public key authentication
kronecker.scientia.net:    cert:  "C=DE, ST=Freistaat Bayern,
O=scientia.net, OU=Communications and Networking, CN=hilbert.scientia.net"
kronecker.scientia.net:   remote: [C=DE, ST=Freistaat Bayern,
O=scientia.net, OU=Communications and Networking,
CN=kronecker.scientia.net] uses public key authentication
kronecker.scientia.net:   child:  dynamic === dynamic , dpdaction=restart
Security Associations:
kronecker.scientia.net[17515]: ESTABLISHED 11 minutes ago,
84.16.235.61[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications
and Networking, CN=hilbert.scientia.net]...77.37.6.134[C=DE, ST=Freistaat
Bayern, O=scientia.net, OU=Communications and Networking,
CN=kronecker.scientia.net]
kronecker.scientia.net[17515]: IKE SPIs: fb65e86e78eecb88_i
030a6e93bb445170_r*, public key reauthentication in 2 hours
kronecker.scientia.net[17515]: IKE proposal:
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
kronecker.scientia.net{17515}:  INSTALLED, TUNNEL, ESP SPIs: c8f52903_i
c8ab07bb_o
kronecker.scientia.net{17515}:  AES_CBC_256/HMAC_SHA1_96, 220 bytes_i, 0
bytes_o, rekeying in 35 minutes
kronecker.scientia.net{17515}:   84.16.235.61/32 === 77.37.6.134/32 
kronecker.scientia.net[18207]: ESTABLISHED 1 second ago,
84.16.235.61[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications
and Networking, CN=hilbert.scientia.net]...77.37.6.134[C=DE, ST=Freistaat
Bayern, O=scientia.net, OU=Communications and Networking,
CN=kronecker.scientia.net]
kronecker.scientia.net[18207]: IKE SPIs: 1e1225a6d1866a50_i*
f872c329313ca40e_r, public key reauthentication in 2 hours
kronecker.scientia.net[18207]: IKE proposal:
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
kronecker.scientia.net{18207}:  INSTALLED, TUNNEL, ESP SPIs: caa50641_i
c8d28561_o
kronecker.scientia.net{18207}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0
bytes_o, rekeying in 47 minutes
kronecker.scientia.net{18207}:   84.16.235.61/32 === 77.37.6.134/32 
kronecker.scientia.net[18208]: CONNECTING,
84.16.235.61[%any]...77.37.6.134[%any]
kronecker.scientia.net[18208]: IKE SPIs: 6127ba544142a3a8_i*
0000000000000000_r
kronecker.scientia.net[18208]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD
IKE_CERT_PRE IKE_AUTHENTICATE IKE_CERT_POST IKE_CONFIG CHILD_CREATE
IKE_AUTH_LIFETIME IKE_MOBIKE 
root at hilbert:~# ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.4.1):
  uptime: 10 hours, since Oct 04 00:46:51 2010
  malloc: sbrk 8548352, mmap 528384, used 2460928, free 6087424
  worker threads: 7 idle of 16, job queue load: 0, scheduled events: 14814
  loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1
pgp dnskey pem openssl fips-prf xcbc hmac agent gmp attr resolve
kernel-netlink socket-raw farp stroke updown eap-identity eap-aka eap-md5
eap-gtc eap-mschapv2 dhcp 
Listening IP addresses:
  84.16.235.61
  84.16.242.145
  84.16.226.65
  84.16.242.146
Connections:
kronecker.scientia.net:  84.16.235.61...77.37.6.134, dpddelay=30s
kronecker.scientia.net:   local:  [C=DE, ST=Freistaat Bayern,
O=scientia.net, OU=Communications and Networking, CN=hilbert.scientia.net]
uses public key authentication
kronecker.scientia.net:    cert:  "C=DE, ST=Freistaat Bayern,
O=scientia.net, OU=Communications and Networking, CN=hilbert.scientia.net"
kronecker.scientia.net:   remote: [C=DE, ST=Freistaat Bayern,
O=scientia.net, OU=Communications and Networking,
CN=kronecker.scientia.net] uses public key authentication
kronecker.scientia.net:   child:  dynamic === dynamic , dpdaction=restart
Security Associations:
kronecker.scientia.net[17515]: ESTABLISHED 11 minutes ago,
84.16.235.61[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications
and Networking, CN=hilbert.scientia.net]...77.37.6.134[C=DE, ST=Freistaat
Bayern, O=scientia.net, OU=Communications and Networking,
CN=kronecker.scientia.net]
kronecker.scientia.net[17515]: IKE SPIs: fb65e86e78eecb88_i
030a6e93bb445170_r*, public key reauthentication in 2 hours
kronecker.scientia.net[17515]: IKE proposal:
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
kronecker.scientia.net{17515}:  INSTALLED, TUNNEL, ESP SPIs: c8f52903_i
c8ab07bb_o
kronecker.scientia.net{17515}:  AES_CBC_256/HMAC_SHA1_96, 220 bytes_i, 0
bytes_o, rekeying in 35 minutes
kronecker.scientia.net{17515}:   84.16.235.61/32 === 77.37.6.134/32 
kronecker.scientia.net[18207]: ESTABLISHED 1 second ago,
84.16.235.61[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications
and Networking, CN=hilbert.scientia.net]...77.37.6.134[C=DE, ST=Freistaat
Bayern, O=scientia.net, OU=Communications and Networking,
CN=kronecker.scientia.net]
kronecker.scientia.net[18207]: IKE SPIs: 1e1225a6d1866a50_i*
f872c329313ca40e_r, public key reauthentication in 2 hours
kronecker.scientia.net[18207]: IKE proposal:
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
kronecker.scientia.net{18207}:  INSTALLED, TUNNEL, ESP SPIs: caa50641_i
c8d28561_o
kronecker.scientia.net{18207}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0
bytes_o, rekeying in 47 minutes
kronecker.scientia.net{18207}:   84.16.235.61/32 === 77.37.6.134/32 
kronecker.scientia.net[18208]: CONNECTING, 84.16.235.61[C=DE, ST=Freistaat
Bayern, O=scientia.net, OU=Communications and Networking,
CN=hilbert.scientia.net]...77.37.6.134[C=DE, ST=Freistaat Bayern,
O=scientia.net, OU=Communications and Networking,
CN=kronecker.scientia.net]
kronecker.scientia.net[18208]: IKE SPIs: 6127ba544142a3a8_i*
2c54836e4ef29bbc_r
kronecker.scientia.net[18208]: IKE proposal:
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
kronecker.scientia.net[18208]: Tasks active: IKE_CERT_PRE IKE_AUTHENTICATE
IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE 
root at hilbert:~# ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.4.1):
  uptime: 10 hours, since Oct 04 00:46:50 2010
  malloc: sbrk 8548352, mmap 528384, used 2458112, free 6090240
  worker threads: 7 idle of 16, job queue load: 0, scheduled events: 14814
  loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1
pgp dnskey pem openssl fips-prf xcbc hmac agent gmp attr resolve
kernel-netlink socket-raw farp stroke updown eap-identity eap-aka eap-md5
eap-gtc eap-mschapv2 dhcp 
Listening IP addresses:
  84.16.235.61
  84.16.242.145
  84.16.226.65
  84.16.242.146
Connections:
kronecker.scientia.net:  84.16.235.61...77.37.6.134, dpddelay=30s
kronecker.scientia.net:   local:  [C=DE, ST=Freistaat Bayern,
O=scientia.net, OU=Communications and Networking, CN=hilbert.scientia.net]
uses public key authentication
kronecker.scientia.net:    cert:  "C=DE, ST=Freistaat Bayern,
O=scientia.net, OU=Communications and Networking, CN=hilbert.scientia.net"
kronecker.scientia.net:   remote: [C=DE, ST=Freistaat Bayern,
O=scientia.net, OU=Communications and Networking,
CN=kronecker.scientia.net] uses public key authentication
kronecker.scientia.net:   child:  dynamic === dynamic , dpdaction=restart
Security Associations:
kronecker.scientia.net[17515]: ESTABLISHED 11 minutes ago,
84.16.235.61[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications
and Networking, CN=hilbert.scientia.net]...77.37.6.134[C=DE, ST=Freistaat
Bayern, O=scientia.net, OU=Communications and Networking,
CN=kronecker.scientia.net]
kronecker.scientia.net[17515]: IKE SPIs: fb65e86e78eecb88_i
030a6e93bb445170_r*, public key reauthentication in 2 hours
kronecker.scientia.net[17515]: IKE proposal:
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
kronecker.scientia.net{17515}:  INSTALLED, TUNNEL, ESP SPIs: c8f52903_i
c8ab07bb_o
kronecker.scientia.net{17515}:  AES_CBC_256/HMAC_SHA1_96, 220 bytes_i, 0
bytes_o, rekeying in 35 minutes
kronecker.scientia.net{17515}:   84.16.235.61/32 === 77.37.6.134/32 
kronecker.scientia.net[18208]: ESTABLISHED 1 second ago,
84.16.235.61[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications
and Networking, CN=hilbert.scientia.net]...77.37.6.134[C=DE, ST=Freistaat
Bayern, O=scientia.net, OU=Communications and Networking,
CN=kronecker.scientia.net]
kronecker.scientia.net[18208]: IKE SPIs: 6127ba544142a3a8_i*
2c54836e4ef29bbc_r, public key reauthentication in 2 hours
kronecker.scientia.net[18208]: IKE proposal:
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
kronecker.scientia.net{18208}:  INSTALLED, TUNNEL, ESP SPIs: cd0a3fb5_i
c83349d4_o
kronecker.scientia.net{18208}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0
bytes_o, rekeying in 45 minutes
kronecker.scientia.net{18208}:   84.16.235.61/32 === 77.37.6.134/32 
kronecker.scientia.net[18209]: CONNECTING, 84.16.235.61[C=DE, ST=Freistaat
Bayern, O=scientia.net, OU=Communications and Networking,
CN=hilbert.scientia.net]...77.37.6.134[C=DE, ST=Freistaat Bayern,
O=scientia.net, OU=Communications and Networking,
CN=kronecker.scientia.net]
kronecker.scientia.net[18209]: IKE SPIs: 3c56c8240442f4c9_i*
c2885bfdc14f560b_r
kronecker.scientia.net[18209]: IKE proposal:
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
kronecker.scientia.net[18209]: Tasks active: IKE_CERT_PRE IKE_AUTHENTICATE
IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE 
root at hilbert:~# ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.4.1):
  uptime: 10 hours, since Oct 04 00:46:50 2010
  malloc: sbrk 8548352, mmap 528384, used 2462624, free 6085728
  worker threads: 7 idle of 16, job queue load: 0, scheduled events: 14817
  loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1
pgp dnskey pem openssl fips-prf xcbc hmac agent gmp attr resolve
kernel-netlink socket-raw farp stroke updown eap-identity eap-aka eap-md5
eap-gtc eap-mschapv2 dhcp 
Listening IP addresses:
  84.16.235.61
  84.16.242.145
  84.16.226.65
  84.16.242.146
Connections:
kronecker.scientia.net:  84.16.235.61...77.37.6.134, dpddelay=30s
kronecker.scientia.net:   local:  [C=DE, ST=Freistaat Bayern,
O=scientia.net, OU=Communications and Networking, CN=hilbert.scientia.net]
uses public key authentication
kronecker.scientia.net:    cert:  "C=DE, ST=Freistaat Bayern,
O=scientia.net, OU=Communications and Networking, CN=hilbert.scientia.net"
kronecker.scientia.net:   remote: [C=DE, ST=Freistaat Bayern,
O=scientia.net, OU=Communications and Networking,
CN=kronecker.scientia.net] uses public key authentication
kronecker.scientia.net:   child:  dynamic === dynamic , dpdaction=restart
Security Associations:
kronecker.scientia.net[17515]: ESTABLISHED 11 minutes ago,
84.16.235.61[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications
and Networking, CN=hilbert.scientia.net]...77.37.6.134[C=DE, ST=Freistaat
Bayern, O=scientia.net, OU=Communications and Networking,
CN=kronecker.scientia.net]
kronecker.scientia.net[17515]: IKE SPIs: fb65e86e78eecb88_i
030a6e93bb445170_r*, public key reauthentication in 2 hours
kronecker.scientia.net[17515]: IKE proposal:
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
kronecker.scientia.net{17515}:  INSTALLED, TUNNEL, ESP SPIs: c8f52903_i
c8ab07bb_o
kronecker.scientia.net{17515}:  AES_CBC_256/HMAC_SHA1_96, 220 bytes_i, 0
bytes_o, rekeying in 35 minutes
kronecker.scientia.net{17515}:   84.16.235.61/32 === 77.37.6.134/32 
kronecker.scientia.net[18209]: ESTABLISHED 1 second ago,
84.16.235.61[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications
and Networking, CN=hilbert.scientia.net]...77.37.6.134[C=DE, ST=Freistaat
Bayern, O=scientia.net, OU=Communications and Networking,
CN=kronecker.scientia.net]
kronecker.scientia.net[18209]: IKE SPIs: 3c56c8240442f4c9_i*
c2885bfdc14f560b_r, public key reauthentication in 2 hours
kronecker.scientia.net[18209]: IKE proposal:
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
kronecker.scientia.net{18209}:  INSTALLED, TUNNEL, ESP SPIs: cb22196e_i
c843dc57_o
kronecker.scientia.net{18209}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0
bytes_o, rekeying in 48 minutes
kronecker.scientia.net{18209}:   84.16.235.61/32 === 77.37.6.134/32 
kronecker.scientia.net[18210]: CONNECTING,
84.16.235.61[%any]...77.37.6.134[%any]
kronecker.scientia.net[18210]: IKE SPIs: 8102cd7e34a1634b_i*
0000000000000000_r
kronecker.scientia.net[18210]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD
IKE_CERT_PRE IKE_AUTHENTICATE IKE_CERT_POST IKE_CONFIG CHILD_CREATE
IKE_AUTH_LIFETIME IKE_MOBIKE 
##########################################################################################################################################


It seems that one connection (17515) stays, and the other counts up.
I ran those ipsec statusall commands directly after each other.

Any idea what I do wrong?


Thanks in advance,
Chris.
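One way to pick the pattern described in this post out of the charon log automatically, as an added example (not code from the post or from strongSwan); the hostname gw, the connection name peer and the addresses in the sample lines are constructed, and the churn thresholds are assumptions:

```python
"""Spot IKE_SA restart churn in strongSwan charon syslog lines.

Added example (not code from the post or from strongSwan): parses charon
lines in the syslog format quoted above and flags the two symptoms the
post describes: DPD probes (empty INFORMATIONAL requests) arriving far
faster than dpddelay, and IKE_SAs being re-initiated back to back.
"""
import re
from datetime import datetime
from statistics import median

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ charon: "
    r"\d+\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)
# An INFORMATIONAL request with no payloads ("[ ]") is a DPD liveness probe;
# one carrying D is a DELETE and is deliberately not counted as a probe.
DPD_RE = re.compile(r"parsed INFORMATIONAL request \d+ \[ \]")
INIT_RE = re.compile(r"initiating IKE_SA \S+\[\d+\]")
DELETE_RE = re.compile(r"received DELETE for IKE_SA \S+\[\d+\]")


def parse_line(line, year=2010):
    """Return (timestamp, log group, message), or None for non-charon lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year, so the caller supplies one
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["group"], m["msg"]


def analyze(lines, dpddelay=30, year=2010):
    """Summarise DPD pacing and IKE_SA churn over an iterable of log lines.

    churn is set when the median gap between DPD probes is under half of
    dpddelay, or when IKE_SAs are initiated more than twice per minute
    (assumed thresholds, tune to the site's dpddelay and rekey settings).
    """
    probes, inits, deletes = [], [], []
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, group, msg = parsed
        if group == "ENC" and DPD_RE.search(msg):
            probes.append(ts)
        elif group == "IKE" and INIT_RE.search(msg):
            inits.append(ts)
        elif group == "IKE" and DELETE_RE.search(msg):
            deletes.append(ts)
    gaps = [(b - a).total_seconds() for a, b in zip(probes, probes[1:])]
    med = median(gaps) if gaps else None
    rate = 0.0  # IKE_SA initiations per minute over the observed span
    if len(inits) > 1:
        span = (inits[-1] - inits[0]).total_seconds()
        rate = (len(inits) - 1) * 60 / span if span > 0 else float("inf")
    churn = (med is not None and med < dpddelay / 2) or rate > 2.0
    return {"median_dpd_gap": med, "ike_sa_inits": len(inits),
            "peer_deletes": len(deletes), "restarts_per_min": rate,
            "churn": churn}


# Constructed sample lines in the post's log format, not taken from it.
HEALTHY_LINES = [
    "Oct  4 11:40:59 gw charon: 16[ENC] parsed INFORMATIONAL request 4 [ ]",
    "Oct  4 11:41:29 gw charon: 01[ENC] parsed INFORMATIONAL request 5 [ ]",
    "Oct  4 11:41:59 gw charon: 02[ENC] parsed INFORMATIONAL request 6 [ ]",
]
CHURN_LINES = [
    "Oct  4 05:58:07 gw charon: 16[ENC] parsed INFORMATIONAL request 267 [ ]",
    "Oct  4 05:58:18 gw charon: 08[ENC] parsed INFORMATIONAL request 223 [ ]",
    "Oct  4 05:58:28 gw charon: 12[ENC] parsed INFORMATIONAL request 268 [ D ]",
    "Oct  4 05:58:28 gw charon: 12[IKE] received DELETE for IKE_SA peer[2]",
    "Oct  4 05:58:28 gw charon: 12[IKE] initiating IKE_SA peer[4] to 192.0.2.2",
    "Oct  4 05:58:29 gw charon: 12[IKE] received DELETE for IKE_SA peer[4]",
    "Oct  4 05:58:29 gw charon: 12[IKE] initiating IKE_SA peer[5] to 192.0.2.2",
    "Oct  4 05:58:30 gw charon: 12[IKE] initiating IKE_SA peer[6] to 192.0.2.2",
]
```

Feeding it the daemon's syslog lines (e.g. `analyze(open("/var/log/daemon.log"))`) gives a quick per-host answer to whether a DELETE-then-reinitiate loop, as with dpdaction=restart in the statusall above, is in progress.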



