[strongSwan] multiple tunnels established for one connection (IKEv2)
Matthias Läßig
mla at apob.net
Tue Oct 19 19:19:10 CEST 2010
Hi all,
I have strongswan 4.3.5 working between two Linux 2.6 gateways, routing etc. is working perfectly. When looking at the established connections I'm getting:
000 Status of IKEv1 pluto daemon (strongSwan 4.3.5):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface lo/lo 127.0.0.2:4500
000 interface lo/lo 127.0.0.2:500
000 interface eth0/eth0 10.0.0.252:4500
000 interface eth0/eth0 10.0.0.252:500
000 interface eth1/eth1 10.0.0.5:4500
000 interface eth1/eth1 10.0.0.5:500
000 %myid = '%any'
000 loaded plugins: curl aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem hmac gmp
000 debug options: none
000
Status of IKEv2 charon daemon (strongSwan 4.3.5):
uptime: 117 seconds, since Oct 19 17:04:44 2010
worker threads: 9 idle of 16, job queue load: 0, scheduled events: 4
loaded plugins: curl aes des sha1 sha2 md5 fips-prf random x509 pubkey pkcs1 pgp dnskey pem xcbc hmac gmp kernel-netlink stroke updown attr resolve
Listening IP addresses:
10.0.0.252
10.0.0.5
Connections:
tanzplatz-h3x2: 10.0.0.252...88.198.14.125
tanzplatz-h3x2: local: [C=DE, ST=Bavaria, L=Unterschleissheim, O=apob.net, OU=Network Services, CN=elias.apob.net, E=info at apob.net] uses public key authentication
tanzplatz-h3x2: cert: "C=DE, ST=Bavaria, L=Unterschleissheim, O=apob.net, OU=Network Services, CN=elias.apob.net, E=info at apob.net"
tanzplatz-h3x2: remote: [C=DE, ST=Bavaria, L=Nuremberg, O=apob.net, OU=Network Services, CN=h3x2.apob.net, E=info at apob.net] uses any authentication
tanzplatz-h3x2: cert: "C=DE, ST=Bavaria, L=Nuremberg, O=apob.net, OU=Network Services, CN=h3x2.apob.net, E=info at apob.net"
tanzplatz-h3x2: child: 10.0.0.0/24 === 10.1.0.0/24 172.16.8.0/24
Security Associations:
tanzplatz-h3x2[1]: ESTABLISHED 114 seconds ago, 10.0.0.252[C=DE, ST=Bavaria, L=Unterschleissheim, O=apob.net, OU=Network Services, CN=elias.apob.net, E=info at apob.net]...88.198.14.125[C=DE, ST=Bavaria, L=Nuremberg, O=apob.net, OU=Network Services, CN=h3x2.apob.net, E=info at apob.net]
tanzplatz-h3x2[1]: IKE SPIs: 80f47cac247b838c_i* a6eef15b1c4cafc5_r, public key reauthentication in 2 hours
tanzplatz-h3x2[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
tanzplatz-h3x2{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: cb001dde_i cb487bdb_o
tanzplatz-h3x2{1}: AES_CBC_128/HMAC_SHA1_96, 152 bytes_i (15s ago), 0 bytes_o, rekeying in 41 minutes
tanzplatz-h3x2{1}: 10.0.0.0/24 === 10.1.0.0/24 172.16.8.0/24
tanzplatz-h3x2{2}: INSTALLED, TUNNEL, ESP in UDP SPIs: ca0c17ef_i c24d0e02_o
tanzplatz-h3x2{2}: AES_CBC_128/HMAC_SHA1_96, 17994 bytes_i (15s ago), 16661 bytes_o (14s ago), rekeying in 46 minutes
tanzplatz-h3x2{2}: 10.0.0.0/24 === 10.1.0.0/24 172.16.8.0/24
The longer the SA is up, the more tunnels I get. All of them are being rekeyed. After 24 hours there are hundreds of them up. Is there a way to prevent this as I don't think this is the expected behaviour?
Here's my ipsec.conf:
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
# This file: /usr/share/doc/packages/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# plutodebug / klipsdebug = "all", "none" or a combation from below:
# "raw crypt parsing emitting control klips pfkey natt x509 private"
# eg:
#plutodebug="all"
#
# Only enable klipsdebug=all if you are a developer
#
# NAT-TRAVERSAL support, see README.NAT-Traversal
# nat_traversal=yes
# virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
#
# Certificate Revocation List handling:
crlcheckinterval=600
strictcrlpolicy=no
#
# Change rp_filter setting? (default is 0, disabled)
# See also setting in the /etc/sysctl.conf file!
#rp_filter=%unchanged
#
# Workaround to setup all tunnels immediately, since the new default
# of "plutowait=no" causes "Resource temporarily unavailable" errors
# for the first connect attempt over each tunnel, that is delayed to
# be established later / on demand.
#
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
conn %default
# keyingtries default to %forever
#keyingtries=3
# Sig keys (default: %dnsondemand)
leftrsasigkey=%cert
rightrsasigkey=%cert
# Lifetimes, defaults are 1h/8hrs
#ikelifetime=20m
#keylife=1h
#rekeymargin=8m
#Disable Opportunistic Encryption
include /usr/local/etc/ipsec.d/examples/no_oe.conf
ca apob.net
cacert=apob.pem
crluri=http://ca.apob.net/ca-crl.crl
auto=add
# Add connections here
conn tanzplatz-h3x2
authby=rsasig
left=10.0.0.252
leftcert=elias.pem
leftsubnet=10.0.0.0/24
right=88.198.14.125
rightsubnet=10.1.0.0/24,172.16.8.0/24
rightcert=h3x2.pem
compress=no
keyexchange=ikev2
keyingtries=%forever
rekeyfuzz = 100%
pfs = yes
mobike=no
auto=start
And all the charon messages from syslog:
Oct 19 17:04:43 tanzplatz charon: 01[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.5)
Oct 19 17:04:43 tanzplatz charon: 01[KNL] listening on interfaces:
Oct 19 17:04:43 tanzplatz charon: 01[KNL] eth0
Oct 19 17:04:43 tanzplatz charon: 01[KNL] 10.0.0.252
Oct 19 17:04:43 tanzplatz charon: 01[KNL] fe80::6ef0:49ff:fe13:64a7
Oct 19 17:04:43 tanzplatz charon: 01[KNL] eth1
Oct 19 17:04:43 tanzplatz charon: 01[KNL] 10.0.0.5
Oct 19 17:04:43 tanzplatz charon: 01[KNL] fe80::21b:21ff:fe1b:f53d
Oct 19 17:04:43 tanzplatz charon: 01[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Oct 19 17:04:43 tanzplatz charon: 01[CFG] loaded ca certificate "C=DE, ST=Bavaria, L=Eching, O=apob.net, OU=Certification Services, CN=apob.net Certification Authority, E=info at ca.apob.net" from '/usr/local/etc/ipsec.d/cacerts/apob.pem'
Oct 19 17:04:43 tanzplatz charon: 01[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Oct 19 17:04:43 tanzplatz charon: 01[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Oct 19 17:04:43 tanzplatz charon: 01[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Oct 19 17:04:43 tanzplatz charon: 01[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Oct 19 17:04:43 tanzplatz charon: 01[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Oct 19 17:04:43 tanzplatz charon: 01[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/elias.key'
Oct 19 17:04:43 tanzplatz charon: 01[DMN] loaded plugins: curl aes des sha1 sha2 md5 fips-prf random x509 pubkey pkcs1 pgp dnskey pem xcbc hmac gmp kernel-netlink stroke updown attr resolve
Oct 19 17:04:43 tanzplatz charon: 01[JOB] spawning 16 worker threads
Oct 19 17:04:43 tanzplatz ipsec_starter[7194]: charon (7222) started after 20 ms
Oct 19 17:04:43 tanzplatz charon: 05[CFG] received stroke: add ca 'apob.net'
Oct 19 17:04:43 tanzplatz charon: 05[CFG] added ca 'apob.net'
Oct 19 17:04:43 tanzplatz charon: 05[CFG] received stroke: add connection 'tanzplatz-h3x2'
Oct 19 17:04:43 tanzplatz charon: 05[CFG] loaded certificate "C=DE, ST=Bavaria, L=Unterschleissheim, O=apob.net, OU=Network Services, CN=elias.apob.net, E=info at apob.net" from 'elias.pem'
Oct 19 17:04:43 tanzplatz charon: 05[CFG] peerid 10.0.0.252 not confirmed by certificate, defaulting to subject DN: C=DE, ST=Bavaria, L=Unterschleissheim, O=apob.net, OU=Network Services, CN=elias.apob.net, E=info at apob.net
Oct 19 17:04:43 tanzplatz charon: 05[CFG] loaded certificate "C=DE, ST=Bavaria, L=Nuremberg, O=apob.net, OU=Network Services, CN=h3x2.apob.net, E=info at apob.net" from 'h3x2.pem'
Oct 19 17:04:43 tanzplatz charon: 05[CFG] peerid 88.198.14.125 not confirmed by certificate, defaulting to subject DN: C=DE, ST=Bavaria, L=Nuremberg, O=apob.net, OU=Network Services, CN=h3x2.apob.net, E=info at apob.net
Oct 19 17:04:43 tanzplatz charon: 05[CFG] added configuration 'tanzplatz-h3x2'
Oct 19 17:04:43 tanzplatz charon: 05[CFG] received stroke: initiate 'tanzplatz-h3x2'
Oct 19 17:04:43 tanzplatz charon: 05[IKE] initiating IKE_SA tanzplatz-h3x2[1] to 88.198.14.125
Oct 19 17:04:43 tanzplatz charon: 05[IKE] initiating IKE_SA tanzplatz-h3x2[1] to 88.198.14.125
Oct 19 17:04:43 tanzplatz charon: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 19 17:04:43 tanzplatz charon: 05[NET] sending packet: from 10.0.0.252[500] to 88.198.14.125[500]
Oct 19 17:04:44 tanzplatz charon: 14[NET] received packet: from 88.198.14.125[500] to 10.0.0.252[500]
Oct 19 17:04:44 tanzplatz charon: 14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct 19 17:04:44 tanzplatz charon: 14[IKE] local host is behind NAT, sending keep alives
Oct 19 17:04:44 tanzplatz charon: 14[IKE] received cert request for "C=DE, ST=Bavaria, L=Eching, O=apob.net, OU=Certification Services, CN=apob.net Certification Authority, E=info at ca.apob.net"
Oct 19 17:04:44 tanzplatz charon: 14[IKE] sending cert request for "C=DE, ST=Bavaria, L=Eching, O=apob.net, OU=Certification Services, CN=apob.net Certification Authority, E=info at ca.apob.net"
Oct 19 17:04:44 tanzplatz charon: 14[IKE] authentication of 'C=DE, ST=Bavaria, L=Unterschleissheim, O=apob.net, OU=Network Services, CN=elias.apob.net, E=info at apob.net' (myself) with RSA signature successful
Oct 19 17:04:44 tanzplatz charon: 14[IKE] sending end entity cert "C=DE, ST=Bavaria, L=Unterschleissheim, O=apob.net, OU=Network Services, CN=elias.apob.net, E=info at apob.net"
Oct 19 17:04:44 tanzplatz charon: 14[IKE] establishing CHILD_SA tanzplatz-h3x2
Oct 19 17:04:44 tanzplatz charon: 14[IKE] establishing CHILD_SA tanzplatz-h3x2
Oct 19 17:04:44 tanzplatz charon: 14[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MULT_AUTH) ]
Oct 19 17:04:44 tanzplatz charon: 14[NET] sending packet: from 10.0.0.252[4500] to 88.198.14.125[4500]
Oct 19 17:04:46 tanzplatz charon: 17[NET] received packet: from 88.198.14.125[4500] to 10.0.0.252[4500]
Oct 19 17:04:46 tanzplatz charon: 17[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ]
Oct 19 17:04:46 tanzplatz charon: 17[IKE] received end entity cert "C=DE, ST=Bavaria, L=Nuremberg, O=apob.net, OU=Network Services, CN=h3x2.apob.net, E=info at apob.net"
Oct 19 17:04:46 tanzplatz charon: 17[CFG] using trusted ca certificate "C=DE, ST=Bavaria, L=Eching, O=apob.net, OU=Certification Services, CN=apob.net Certification Authority, E=info at ca.apob.net"
Oct 19 17:04:46 tanzplatz charon: 17[CFG] checking certificate status of "C=DE, ST=Bavaria, L=Nuremberg, O=apob.net, OU=Network Services, CN=h3x2.apob.net, E=info at apob.net"
Oct 19 17:04:46 tanzplatz charon: 17[CFG] fetching crl from 'http://ca.apob.net/ca-crl.crl' ...
Oct 19 17:04:46 tanzplatz charon: 17[CFG] using trusted certificate "C=DE, ST=Bavaria, L=Eching, O=apob.net, OU=Certification Services, CN=apob.net Certification Authority, E=info at ca.apob.net"
Oct 19 17:04:46 tanzplatz charon: 17[CFG] crl correctly signed by "C=DE, ST=Bavaria, L=Eching, O=apob.net, OU=Certification Services, CN=apob.net Certification Authority, E=info at ca.apob.net"
Oct 19 17:04:46 tanzplatz charon: 17[CFG] crl is valid: until Oct 26 00:05:02 2010
Oct 19 17:04:46 tanzplatz charon: 17[CFG] certificate status is good
Oct 19 17:04:46 tanzplatz charon: 17[CFG] using trusted certificate "C=DE, ST=Bavaria, L=Nuremberg, O=apob.net, OU=Network Services, CN=h3x2.apob.net, E=info at apob.net"
Oct 19 17:04:46 tanzplatz charon: 17[IKE] authentication of 'C=DE, ST=Bavaria, L=Nuremberg, O=apob.net, OU=Network Services, CN=h3x2.apob.net, E=info at apob.net' with RSA signature successful
Oct 19 17:04:46 tanzplatz charon: 17[IKE] IKE_SA tanzplatz-h3x2[1] established between 10.0.0.252[C=DE, ST=Bavaria, L=Unterschleissheim, O=apob.net, OU=Network Services, CN=elias.apob.net, E=info at apob.net]...88.198.14.125[C=DE, ST=Bavaria, L=Nuremberg, O=apob.net, OU=Network Services, CN=h3x2.apob.net, E=info at apob.net]
Oct 19 17:04:46 tanzplatz charon: 17[IKE] IKE_SA tanzplatz-h3x2[1] established between 10.0.0.252[C=DE, ST=Bavaria, L=Unterschleissheim, O=apob.net, OU=Network Services, CN=elias.apob.net, E=info at apob.net]...88.198.14.125[C=DE, ST=Bavaria, L=Nuremberg, O=apob.net, OU=Network Services, CN=h3x2.apob.net, E=info at apob.net]
Oct 19 17:04:46 tanzplatz charon: 17[IKE] scheduling reauthentication in 9844s
Oct 19 17:04:46 tanzplatz charon: 17[IKE] maximum IKE_SA lifetime 10384s
Oct 19 17:04:46 tanzplatz charon: 17[IKE] CHILD_SA tanzplatz-h3x2{1} established with SPIs cb001dde_i cb487bdb_o and TS 10.0.0.0/24 === 10.1.0.0/24 172.16.8.0/24
Oct 19 17:04:46 tanzplatz charon: 17[IKE] CHILD_SA tanzplatz-h3x2{1} established with SPIs cb001dde_i cb487bdb_o and TS 10.0.0.0/24 === 10.1.0.0/24 172.16.8.0/24
Oct 19 17:04:46 tanzplatz charon: 17[IKE] received AUTH_LIFETIME of 9827s, scheduling reauthentication in 9287s
Oct 19 17:05:01 tanzplatz charon: 08[CFG] received stroke: initiate 'tanzplatz-h3x2'
Oct 19 17:05:01 tanzplatz charon: 13[IKE] establishing CHILD_SA tanzplatz-h3x2
Oct 19 17:05:01 tanzplatz charon: 13[IKE] establishing CHILD_SA tanzplatz-h3x2
Oct 19 17:05:01 tanzplatz charon: 13[ENC] generating CREATE_CHILD_SA request 2 [ SA No TSi TSr ]
Oct 19 17:05:01 tanzplatz charon: 13[NET] sending packet: from 10.0.0.252[4500] to 88.198.14.125[4500]
Oct 19 17:05:03 tanzplatz charon: 12[NET] received packet: from 88.198.14.125[4500] to 10.0.0.252[4500]
Oct 19 17:05:03 tanzplatz charon: 12[ENC] parsed CREATE_CHILD_SA response 2 [ SA No TSi TSr ]
Oct 19 17:05:03 tanzplatz charon: 12[IKE] CHILD_SA tanzplatz-h3x2{2} established with SPIs ca0c17ef_i c24d0e02_o and TS 10.0.0.0/24 === 10.1.0.0/24 172.16.8.0/24
Oct 19 17:05:03 tanzplatz charon: 12[IKE] CHILD_SA tanzplatz-h3x2{2} established with SPIs ca0c17ef_i c24d0e02_o and TS 10.0.0.0/24 === 10.1.0.0/24 172.16.8.0/24
Oct 19 17:06:16 tanzplatz charon: 15[IKE] sending keep alive
Oct 19 17:06:16 tanzplatz charon: 15[NET] sending packet: from 10.0.0.252[4500] to 88.198.14.125[4500]
Oct 19 17:06:46 tanzplatz charon: 09[IKE] sending keep alive
Oct 19 17:06:46 tanzplatz charon: 09[NET] sending packet: from 10.0.0.252[4500] to 88.198.14.125[4500]
Oct 19 17:07:19 tanzplatz charon: 15[IKE] sending keep alive
Oct 19 17:07:19 tanzplatz charon: 15[NET] sending packet: from 10.0.0.252[4500] to 88.198.14.125[4500]
Oct 19 17:07:39 tanzplatz charon: 13[IKE] sending keep alive
Oct 19 17:07:39 tanzplatz charon: 13[NET] sending packet: from 10.0.0.252[4500] to 88.198.14.125[4500]
Oct 19 17:08:15 tanzplatz charon: 10[IKE] sending keep alive
Oct 19 17:08:15 tanzplatz charon: 10[NET] sending packet: from 10.0.0.252[4500] to 88.198.14.125[4500]
Oct 19 17:09:19 tanzplatz charon: 05[IKE] sending keep alive
Oct 19 17:09:19 tanzplatz charon: 05[NET] sending packet: from 10.0.0.252[4500] to 88.198.14.125[4500]
Oct 19 17:09:45 tanzplatz charon: 16[IKE] sending keep alive
Oct 19 17:09:45 tanzplatz charon: 16[NET] sending packet: from 10.0.0.252[4500] to 88.198.14.125[4500]
Oct 19 17:10:01 tanzplatz charon: 15[CFG] received stroke: initiate 'tanzplatz-h3x2'
Oct 19 17:10:01 tanzplatz charon: 12[IKE] establishing CHILD_SA tanzplatz-h3x2
Oct 19 17:10:01 tanzplatz charon: 12[IKE] establishing CHILD_SA tanzplatz-h3x2
Oct 19 17:10:01 tanzplatz charon: 12[ENC] generating CREATE_CHILD_SA request 3 [ SA No TSi TSr ]
Oct 19 17:10:01 tanzplatz charon: 12[NET] sending packet: from 10.0.0.252[4500] to 88.198.14.125[4500]
Oct 19 17:10:01 tanzplatz charon: 10[NET] received packet: from 88.198.14.125[4500] to 10.0.0.252[4500]
Oct 19 17:10:01 tanzplatz charon: 10[ENC] parsed CREATE_CHILD_SA response 3 [ SA No TSi TSr ]
Oct 19 17:10:01 tanzplatz charon: 10[IKE] CHILD_SA tanzplatz-h3x2{3} established with SPIs c8fcffcc_i cde77e67_o and TS 10.0.0.0/24 === 10.1.0.0/24 172.16.8.0/24
Oct 19 17:10:01 tanzplatz charon: 10[IKE] CHILD_SA tanzplatz-h3x2{3} established with SPIs c8fcffcc_i cde77e67_o and TS 10.0.0.0/24 === 10.1.0.0/24 172.16.8.0/24
Oct 19 17:10:32 tanzplatz charon: 05[IKE] sending keep alive
Oct 19 17:10:32 tanzplatz charon: 05[NET] sending packet: from 10.0.0.252[4500] to 88.198.14.125[4500]
Oct 19 17:10:52 tanzplatz charon: 09[IKE] sending keep alive
Oct 19 17:10:52 tanzplatz charon: 09[NET] sending packet: from 10.0.0.252[4500] to 88.198.14.125[4500]
Oct 19 17:11:12 tanzplatz charon: 16[IKE] sending keep alive
Oct 19 17:11:12 tanzplatz charon: 16[NET] sending packet: from 10.0.0.252[4500] to 88.198.14.125[4500]
Oct 19 17:12:13 tanzplatz charon: 15[IKE] sending keep alive
Oct 19 17:12:13 tanzplatz charon: 15[NET] sending packet: from 10.0.0.252[4500] to 88.198.14.125[4500]
Oct 19 17:12:47 tanzplatz charon: 08[IKE] sending keep alive
Oct 19 17:12:47 tanzplatz charon: 08[NET] sending packet: from 10.0.0.252[4500] to 88.198.14.125[4500]
I hope someone has a fix for this.
KInd Regards,
Matthias
Matthias Läßig | certified it security specialist
fon: +49.89.4209548370 | fax: +49.89.4209548379 | mobile: +49.162.2470635
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20101019/59b562db/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2723 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20101019/59b562db/attachment.bin>
More information about the Users
mailing list