[strongSwan] Why does charon delete all IKE_SA?
Myoung-kyun Choi
mgchoi at contela.com
Tue Sep 7 20:46:24 CEST 2010
Hello,

Charon deletes all IKE_SAs, airwalk[1] and airwalk[2], at Sep 7 04:44:18.
I think that rekey and DPD do not cause this.
Why does charon delete all IKE_SAs?

Sep 7 03:05:18 PANDORA authpriv.warn ipsec_starter[418]: Starting
strongSwan 4.3.3 IPsec [starter]...
Sep 7 03:05:18 PANDORA daemon.info charon: 01[DMN] Starting IKEv2 charon
daemon (strongSwan 4.3.3)
Sep 7 03:05:19 PANDORA daemon.info charon: 01[KNL] listening on interfaces:
Sep 7 03:05:19 PANDORA daemon.info charon: 01[KNL] eth0
Sep 7 03:05:19 PANDORA daemon.info charon: 01[KNL] aaa.bbb.cc.dd
Sep 7 03:05:19 PANDORA daemon.info charon: 01[KNL]
xxxx::xxx:xxx:xxxx:xxxx
Sep 7 03:05:19 PANDORA daemon.info charon: 01[CFG] loading ca certificates
from '/etc/ipsec.d/cacerts'
Sep 7 03:05:19 PANDORA daemon.info charon: 01[CFG] loading aa certificates
from '/etc/ipsec.d/aacerts'
Sep 7 03:05:19 PANDORA daemon.info charon: 01[CFG] loading ocsp signer
certificates from '/etc/ipsec.d/ocspcerts'
Sep 7 03:05:19 PANDORA daemon.info charon: 01[CFG] loading attribute
certificates from '/etc/ipsec.d/acerts'
Sep 7 03:05:19 PANDORA daemon.info charon: 01[CFG] loading crls from
'/etc/ipsec.d/crls'
Sep 7 03:05:19 PANDORA daemon.info charon: 01[CFG] loading secrets from
'/etc/ipsec.secrets'
Sep 7 03:05:19 PANDORA daemon.info charon: 01[CFG] loaded IKE secret for
11.com
Sep 7 03:05:19 PANDORA daemon.info charon: 01[DMN] loaded plugins: aes des
sha1 sha2 md5 fips-prf random x509 pubkey xcbc hmac gmp kernel-netlink
stroke updown attr resolv-conf
Sep 7 03:05:19 PANDORA daemon.info charon: 01[JOB] spawning 16 worker
threads
Sep 7 03:05:19 PANDORA authpriv.warn ipsec_starter[425]: charon (426)
started after 180 ms
Sep 7 03:05:19 PANDORA daemon.info charon: 05[CFG] received stroke: add
connection 'airwalk'
Sep 7 03:05:19 PANDORA daemon.info charon: 05[CFG] added configuration
'airwalk'
Sep 7 03:05:19 PANDORA daemon.info charon: 05[CFG] received stroke:
initiate 'airwalk'
Sep 7 03:05:19 PANDORA daemon.info charon: 05[IKE] initiating IKE_SA
airwalk[1] to www.xx.yyy.zz
Sep 7 03:05:19 PANDORA authpriv.info charon: 05[IKE] initiating IKE_SA
airwalk[1] to www.xx.yyy.zz
Sep 7 03:05:19 PANDORA daemon.info charon: 05[ENC] generating IKE_SA_INIT
request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Sep 7 03:05:19 PANDORA daemon.info charon: 05[NET] sending packet: from
aaa.bbb.cc.dd[500] to www.xx.yyy.zz[500]
Sep 7 03:05:19 PANDORA daemon.info charon: 16[NET] received packet: from
www.xx.yyy.zz[500] to aaa.bbb.cc.dd[500]
Sep 7 03:05:19 PANDORA daemon.info charon: 16[ENC] parsed IKE_SA_INIT
response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Sep 7 03:05:19 PANDORA daemon.info charon: 16[IKE] received cert request
for unknown ca with keyid
a7:00:32:d1:54:ac:72:3d:96:19:5e:fe:2c:6a:db:4d:d4:6a:9e:19
Sep 7 03:05:19 PANDORA daemon.info charon: 16[IKE] authentication of
'aaa.bbb.cc.dd' (myself) with pre-shared key
Sep 7 03:05:19 PANDORA daemon.info charon: 16[IKE] establishing CHILD_SA
airwalk
Sep 7 03:05:19 PANDORA authpriv.info charon: 16[IKE] establishing CHILD_SA
airwalk
Sep 7 03:05:19 PANDORA daemon.info charon: 16[ENC] generating IKE_AUTH
request 1 [ IDi IDr AUTH CP SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Sep 7 03:05:19 PANDORA daemon.info charon: 16[NET] sending packet: from
aaa.bbb.cc.dd[4500] to www.xx.yyy.zz[4500]
Sep 7 03:05:19 PANDORA daemon.info charon: 08[NET] received packet: from
www.xx.yyy.zz[4500] to aaa.bbb.cc.dd[4500]
Sep 7 03:05:19 PANDORA daemon.info charon: 08[ENC] parsed IKE_AUTH response
1 [ IDr AUTH CP SA TSi TSr ]
Sep 7 03:05:19 PANDORA daemon.info charon: 08[IKE] authentication of
'11.com' with pre-shared key successful
Sep 7 03:05:19 PANDORA daemon.info charon: 08[IKE] scheduling rekeying in
215903s
Sep 7 03:05:19 PANDORA daemon.info charon: 08[IKE] maximum IKE_SA lifetime
215963s
Sep 7 03:05:19 PANDORA daemon.info charon: 08[IKE] IKE_SA airwalk[1]
established between aaa.bbb.cc.dd[aaa.bbb.cc.dd]...www.xx.yyy.zz[11.com]
Sep 7 03:05:19 PANDORA authpriv.info charon: 08[IKE] IKE_SA airwalk[1]
established between aaa.bbb.cc.dd[aaa.bbb.cc.dd]...www.xx.yyy.zz[11.com]
Sep 7 03:05:19 PANDORA daemon.info charon: 08[CFG] handling
INTERNAL_IP4_NETMASK attribute failed
Sep 7 03:05:19 PANDORA daemon.info charon: 08[IKE] installing new virtual
IP 192.168.40.78
Sep 7 03:05:19 PANDORA daemon.info charon: 08[IKE] CHILD_SA airwalk{1}
established with SPIs c1e156b1_i 19317b0a_o and TS 192.168.40.78/32 ===
192.168.50.0/24
Sep 7 03:05:19 PANDORA authpriv.info charon: 08[IKE] CHILD_SA airwalk{1}
established with SPIs c1e156b1_i 19317b0a_o and TS 192.168.40.78/32 ===
192.168.50.0/24
Sep 7 04:44:18 PANDORA daemon.info charon: 12[IKE] initiating IKE_SA
airwalk[2] to www.xx.yyy.zz
Sep 7 04:44:18 PANDORA authpriv.info charon: 12[IKE] initiating IKE_SA
airwalk[2] to www.xx.yyy.zz
Sep 7 04:44:18 PANDORA daemon.info charon: 12[ENC] generating
CREATE_CHILD_SA request 2 [ SA No KE ]
Sep 7 04:44:18 PANDORA daemon.info charon: 12[NET] sending packet: from
aaa.bbb.cc.dd[4500] to www.xx.yyy.zz[4500]
Sep 7 04:44:18 PANDORA daemon.info charon: 09[NET] received packet: from
www.xx.yyy.zz[4500] to aaa.bbb.cc.dd[4500]
Sep 7 04:44:18 PANDORA daemon.info charon: 09[ENC] parsed CREATE_CHILD_SA
response 2 [ SA No KE ]
Sep 7 04:44:18 PANDORA daemon.info charon: 09[IKE] scheduling rekeying in
215915s
Sep 7 04:44:18 PANDORA daemon.info charon: 09[IKE] maximum IKE_SA lifetime
215975s
Sep 7 04:44:18 PANDORA daemon.info charon: 09[IKE] IKE_SA airwalk[2]
established between aaa.bbb.cc.dd[aaa.bbb.cc.dd]...www.xx.yyy.zz[11.com]
Sep 7 04:44:18 PANDORA authpriv.info charon: 09[IKE] IKE_SA airwalk[2]
established between aaa.bbb.cc.dd[aaa.bbb.cc.dd]...www.xx.yyy.zz[11.com]
Sep 7 04:44:18 PANDORA daemon.info charon: 09[IKE] deleting IKE_SA
airwalk[1] between aaa.bbb.cc.dd[aaa.bbb.cc.dd]...www.xx.yyy.zz[11.com]
Sep 7 04:44:18 PANDORA authpriv.info charon: 09[IKE] deleting IKE_SA
airwalk[1] between aaa.bbb.cc.dd[aaa.bbb.cc.dd]...www.xx.yyy.zz[11.com]
Sep 7 04:44:18 PANDORA daemon.info charon: 09[IKE] sending DELETE for
IKE_SA airwalk[1]
Sep 7 04:44:18 PANDORA daemon.info charon: 09[ENC] generating INFORMATIONAL
request 3 [ D ]
Sep 7 04:44:18 PANDORA daemon.info charon: 09[NET] sending packet: from
aaa.bbb.cc.dd[4500] to www.xx.yyy.zz[4500]
Sep 7 04:44:18 PANDORA daemon.info charon: 13[NET] received packet: from
www.xx.yyy.zz[4500] to aaa.bbb.cc.dd[4500]
Sep 7 04:44:18 PANDORA daemon.info charon: 13[ENC] parsed INFORMATIONAL
response 3 [ ]
Sep 7 04:44:18 PANDORA daemon.info charon: 13[IKE] IKE_SA deleted
Sep 7 04:44:18 PANDORA authpriv.info charon: 13[IKE] IKE_SA deleted
Sep 7 04:44:18 PANDORA daemon.info charon: 13[IKE] deleting IKE_SA
airwalk[2] between aaa.bbb.cc.dd[aaa.bbb.cc.dd]...www.xx.yyy.zz[11.com]
Sep 7 04:44:18 PANDORA authpriv.info charon: 13[IKE] deleting IKE_SA
airwalk[2] between aaa.bbb.cc.dd[aaa.bbb.cc.dd]...www.xx.yyy.zz[11.com]
Sep 7 04:44:18 PANDORA daemon.info charon: 13[IKE] sending DELETE for
IKE_SA airwalk[2]
Sep 7 04:44:18 PANDORA daemon.info charon: 13[ENC] generating INFORMATIONAL
request 0 [ D ]
Sep 7 04:44:18 PANDORA daemon.info charon: 13[NET] sending packet: from
aaa.bbb.cc.dd[4500] to www.xx.yyy.zz[4500]
Sep 7 04:44:18 PANDORA daemon.info charon: 12[NET] received packet: from
www.xx.yyy.zz[4500] to aaa.bbb.cc.dd[4500]
Sep 7 04:44:18 PANDORA daemon.info charon: 12[ENC] parsed INFORMATIONAL
response 0 [ ]
Sep 7 04:44:18 PANDORA daemon.info charon: 12[IKE] IKE_SA deleted
Sep 7 04:44:18 PANDORA authpriv.info charon: 12[IKE] IKE_SA deleted
Sep 7 04:45:46 PANDORA daemon.info charon: 01[DMN] signal of type SIGINT
received. Shutting down
Sep 7 04:45:46 PANDORA authpriv.warn ipsec_starter[425]: charon stopped
after 200 ms
Sep 7 04:45:46 PANDORA authpriv.warn ipsec_starter[425]: WARNING: cannot
flush IPsec state/policy database
Sep 7 04:45:46 PANDORA authpriv.warn starter[425]: ipsec starter stopped
Sep 7 04:46:02 PANDORA authpriv.warn ipsec_starter[598]: Starting
strongSwan 4.3.3 IPsec [starter]...
Sep 7 04:46:02 PANDORA daemon.info charon: 01[DMN] Starting IKEv2 charon
daemon (strongSwan 4.3.3)
Sep 7 04:46:02 PANDORA daemon.info charon: 01[KNL] listening on interfaces:
Sep 7 04:46:02 PANDORA daemon.info charon: 01[KNL] eth0
Sep 7 04:46:02 PANDORA daemon.info charon: 01[KNL] aaa.bbb.cc.dd
Sep 7 04:46:02 PANDORA daemon.info charon: 01[KNL]
fe80::217:bff:fe00:2038
Sep 7 04:46:02 PANDORA daemon.info charon: 01[CFG] loading ca certificates
from '/etc/ipsec.d/cacerts'
Sep 7 04:46:02 PANDORA daemon.info charon: 01[CFG] loading aa certificates
from '/etc/ipsec.d/aacerts'
Sep 7 04:46:02 PANDORA daemon.info charon: 01[CFG] loading ocsp signer
certificates from '/etc/ipsec.d/ocspcerts'
Sep 7 04:46:02 PANDORA daemon.info charon: 01[CFG] loading attribute
certificates from '/etc/ipsec.d/acerts'
Sep 7 04:46:02 PANDORA daemon.info charon: 01[CFG] loading crls from
'/etc/ipsec.d/crls'
Sep 7 04:46:02 PANDORA daemon.info charon: 01[CFG] loading secrets from
'/etc/ipsec.secrets'
Sep 7 04:46:02 PANDORA daemon.info charon: 01[CFG] loaded IKE secret for
11.com
Sep 7 04:46:02 PANDORA daemon.info charon: 01[DMN] loaded plugins: aes des
sha1 sha2 md5 fips-prf random x509 pubkey xcbc hmac gmp kernel-netlink
stroke updown attr resolv-conf
Sep 7 04:46:02 PANDORA daemon.info charon: 01[JOB] spawning 16 worker
threads
Sep 7 04:46:02 PANDORA authpriv.warn ipsec_starter[605]: charon (606)
started after 60 ms
Sep 7 04:46:02 PANDORA daemon.info charon: 05[CFG] received stroke: add
connection 'airwalk'
Sep 7 04:46:02 PANDORA daemon.info charon: 05[CFG] added configuration
'airwalk'
Sep 7 04:46:02 PANDORA daemon.info charon: 05[CFG] received stroke:
initiate 'airwalk'
Sep 7 04:46:02 PANDORA daemon.info charon: 05[IKE] initiating IKE_SA
airwalk[1] to www.xx.yyy.zz
Sep 7 04:46:02 PANDORA authpriv.info charon: 05[IKE] initiating IKE_SA
airwalk[1] to www.xx.yyy.zz
Sep 7 04:46:02 PANDORA daemon.info charon: 05[ENC] generating IKE_SA_INIT
request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Sep 7 04:46:02 PANDORA daemon.info charon: 05[NET] sending packet: from
aaa.bbb.cc.dd[500] to www.xx.yyy.zz[500]
Sep 7 04:46:02 PANDORA daemon.info charon: 16[NET] received packet: from
www.xx.yyy.zz[500] to aaa.bbb.cc.dd[500]
Sep 7 04:46:02 PANDORA daemon.info charon: 16[ENC] parsed IKE_SA_INIT
response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Sep 7 04:46:02 PANDORA daemon.info charon: 16[IKE] received cert request
for unknown ca with keyid
a7:00:32:d1:54:ac:72:3d:96:19:5e:fe:2c:6a:db:4d:d4:6a:9e:19
Sep 7 04:46:02 PANDORA daemon.info charon: 16[IKE] authentication of
'aaa.bbb.cc.dd' (myself) with pre-shared key
Sep 7 04:46:02 PANDORA daemon.info charon: 16[IKE] establishing CHILD_SA
airwalk
Sep 7 04:46:02 PANDORA authpriv.info charon: 16[IKE] establishing CHILD_SA
airwalk
Sep 7 04:46:02 PANDORA daemon.info charon: 16[ENC] generating IKE_AUTH
request 1 [ IDi IDr AUTH CP SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Sep 7 04:46:02 PANDORA daemon.info charon: 16[NET] sending packet: from
aaa.bbb.cc.dd[4500] to www.xx.yyy.zz[4500]
Sep 7 04:46:02 PANDORA daemon.info charon: 08[NET] received packet: from
www.xx.yyy.zz[4500] to aaa.bbb.cc.dd[4500]
Sep 7 04:46:02 PANDORA daemon.info charon: 08[ENC] parsed IKE_AUTH response
1 [ IDr AUTH CP SA TSi TSr ]
Sep 7 04:46:02 PANDORA daemon.info charon: 08[IKE] authentication of
'11.com' with pre-shared key successful
Sep 7 04:46:02 PANDORA daemon.info charon: 08[IKE] scheduling rekeying in
215917s

######################################################################################
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        plutostart=no
        charondebug="ike 1,cfg 1,enc 1, mgr 1, chd 1, knl 1, lib 1, dmn 1"

conn %default
        ikelifetime=3600m
        keylife=1800m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        ike=aes-sha-modp1024!
        esp=aes-sha!
        dpddelay=1m
        reauth=no

conn airwalk
        left=%defaultroute
        leftfirewall=no
        leftsourceip=%config
        right=www.xx.yyy.zz
        rightid=@11.com
        rightsubnet=192.168.50.0/24
        dpdaction=restart
        authby=secret
        auto=start
######################################################################################
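
Added example, not part of the original post: a small Python parser that rebuilds the IKE_SA timeline from charon syslog lines and lists every SA that was deleted before its own scheduled rekey time. The sample lines are copied from the log above with the mail wrapping undone; the function names and the year default (taken from the post date) are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample: IKE_SA lifecycle lines from the posted log, unwrapped.
SAMPLE = """\
Sep 7 03:05:19 PANDORA daemon.info charon: 05[IKE] initiating IKE_SA airwalk[1] to www.xx.yyy.zz
Sep 7 03:05:19 PANDORA daemon.info charon: 08[IKE] scheduling rekeying in 215903s
Sep 7 03:05:19 PANDORA daemon.info charon: 08[IKE] IKE_SA airwalk[1] established between aaa.bbb.cc.dd[aaa.bbb.cc.dd]...www.xx.yyy.zz[11.com]
Sep 7 04:44:18 PANDORA daemon.info charon: 12[IKE] initiating IKE_SA airwalk[2] to www.xx.yyy.zz
Sep 7 04:44:18 PANDORA daemon.info charon: 09[IKE] scheduling rekeying in 215915s
Sep 7 04:44:18 PANDORA daemon.info charon: 09[IKE] IKE_SA airwalk[2] established between aaa.bbb.cc.dd[aaa.bbb.cc.dd]...www.xx.yyy.zz[11.com]
Sep 7 04:44:18 PANDORA daemon.info charon: 09[IKE] deleting IKE_SA airwalk[1] between aaa.bbb.cc.dd[aaa.bbb.cc.dd]...www.xx.yyy.zz[11.com]
Sep 7 04:44:18 PANDORA daemon.info charon: 13[IKE] deleting IKE_SA airwalk[2] between aaa.bbb.cc.dd[aaa.bbb.cc.dd]...www.xx.yyy.zz[11.com]
"""

# Only daemon.info lines are read; the authpriv.info copies are duplicates.
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ daemon\.info charon: (\d+)\[IKE\] (.*)$")
EVENT = re.compile(r"(initiating|deleting) IKE_SA (\w+\[\d+\])|IKE_SA (\w+\[\d+\]) (established)")
REKEY = re.compile(r"scheduling rekeying in (\d+)s")

def sa_timeline(text, year=2010):
    """Map each IKE_SA name to its first-seen event times and rekey delay."""
    sas, pending = {}, {}  # pending: worker thread -> rekey delay not yet tied to an SA
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        thread, msg = m.group(2), m.group(3)
        if (r := REKEY.search(msg)):
            pending[thread] = int(r.group(1))
        elif (e := EVENT.search(msg)):
            name, kind = e.group(2) or e.group(3), e.group(1) or e.group(4)
            sa = sas.setdefault(name, {})
            sa.setdefault(kind, ts)
            # charon logs the rekey delay just before "established", same thread
            if kind == "established" and thread in pending:
                sa["rekey_in"] = pending.pop(thread)
    return sas

def deleted_before_rekey(sas):
    """List (name, seconds_alive, scheduled_rekey_seconds) for SAs deleted early."""
    out = []
    for name, sa in sas.items():
        if {"established", "deleting", "rekey_in"} <= sa.keys():
            lived = int((sa["deleting"] - sa["established"]).total_seconds())
            if lived < sa["rekey_in"]:
                out.append((name, lived, sa["rekey_in"]))
    return out

if __name__ == "__main__":
    for row in deleted_before_rekey(sa_timeline(SAMPLE)):
        print("%s deleted after %ds, rekey was scheduled in %ds" % row)
```

On the posted log this reports airwalk[1] deleted 5939 s after it was established and airwalk[2] deleted 0 s after, against scheduled rekey delays of 215903 s and 215915 s.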