[strongSwan] More than 3 Host-to-any connections fails in IKEV1

Swetha RK rkswetech at gmail.com
Mon Feb 21 05:17:53 CET 2011


Hi,

I'm using strongSwan version 4.4.1 and I have 4 IKEv1 host-to-any connections, each with the configuration below:

conn conn91
  type=tunnel
  leftsubnet=10.46.155.203/32
  rightsubnet=0.0.0.0/0
  left=10.46.155.203    # Vlan tunnel endpoint
  right=192.168.13.4
  keyexchange=ikev1
  ike=aes128-sha1-modp1024!
  ikelifetime=85992s
  esp=null-sha1!
  authby=pubkey
  rightid=%any
  keylife=86400s
  dpdaction=restart
  dpddelay=300
  dpdtimeout=120

conn conn92
......

conn conn93
......

conn conn94
.......

I see that the first connections (94, 93, 92) are established, while connection 91 fails with this error:

    18669 WAR 01:06:45 140ms syslogd.c(134) "pluto[2146]: "conn94" #24: certificate status unknown"
    18671 WAR 01:06:45 148ms syslogd.c(134) "pluto[2146]: "conn94" #24: we require peer to have ID '192.168.13.28', but peer declares 'cisco_move_cert@nsn.com'"
    18673 WAR 01:06:45 148ms syslogd.c(134) "pluto[2146]: "conn94" #24: ISAKMP SA established"
    18675 WAR 01:06:45 149ms syslogd.c(134) "pluto[2146]: "conn94" #25: initiating Quick Mode PUBKEY+ENCRYPT+TUNNEL+UP {using isakmp#24}"
    18677 WAR 01:06:45 152ms syslogd.c(134) "pluto[2146]: "conn94" #25: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME"
    18679 WAR 01:06:45 152ms syslogd.c(134) "pluto[2146]: "conn94" #25: You should NOT use insecure ESP algorithms [NULL (0)]!"
    18681 WAR 01:06:45 153ms syslogd.c(134) "pluto[2146]: "conn94" #25: cannot route -- route already in use for "conn91""
    18724 WAR 01:06:50 153ms syslogd.c(134) "pluto[2146]: "conn94" #25: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME"
    18726 WAR 01:06:50 154ms syslogd.c(134) "pluto[2146]: "conn94" #25: You should NOT use insecure ESP algorithms [NULL (0)]!"
    18728 WAR 01:06:50 154ms syslogd.c(134) "pluto[2146]: "conn94" #25: cannot route -- route already in use for "conn91""
    18843 WAR 01:07:09 843ms syslogd.c(134) "pluto[2146]: "conn93" #22: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME"
    18845 WAR 01:07:09 845ms syslogd.c(134) "pluto[2146]: "conn93" #22: You should NOT use insecure ESP algorithms [NULL (0)]!"
    18847 WAR 01:07:09 846ms syslogd.c(134) "pluto[2146]: "conn93" #22: cannot route -- route already in use for "conn91""
    18849 WAR 01:07:09 846ms syslogd.c(134) "pluto[2146]: "conn92" #23: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME"
    18851 WAR 01:07:09 846ms syslogd.c(134) "pluto[2146]: "conn92" #23: You should NOT use insecure ESP algorithms [NULL (0)]!"
    18853 WAR 01:07:09 846ms syslogd.c(134) "pluto[2146]: "conn92" #23: cannot route -- route already in use for "conn91""
    18871 WAR 01:07:14 226ms syslogd.c(134) "pluto[2146]: "conn93" #21: received Delete SA payload: deleting ISAKMP State #21"
    18873 WAR 01:07:14 228ms syslogd.c(134) "pluto[2146]: "conn92" #20: received Delete SA payload: deleting ISAKMP State #20"
    18890 WAR 01:07:15 222ms syslogd.c(134) "pluto[2146]: "conn94" #25: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME"
    18892 WAR 01:07:15 223ms syslogd.c(134) "pluto[2146]: "conn94" #25: You should NOT use insecure ESP algorithms [NULL (0)]!"
    18894 WAR 01:07:15 223ms syslogd.c(134) "pluto[2146]: "conn94" #25: cannot route -- route already in use for "conn91""
    18917 WAR 01:07:19 228ms syslogd.c(134) "pluto[2146]: "conn94" #24: received Delete SA payload: deleting ISAKMP State #24"

I see that the SAs are getting deleted and re-established each time with this error. This is the ipsec status:

000
000 #4: "conn91" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 85133s; newest IPSEC; eroute owner
000 #4: "conn91" esp.16012697@192.168.13.4 (0 bytes) esp.fdb38409@10.46.155.203 (896 bytes, 34s ago); tunnel
000 #1: "conn91" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 84701s; newest ISAKMP; DPD active
000 #28: "conn92" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 14s
000 #26: "conn92" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 84922s; newest ISAKMP; DPD active
000 #29: "conn93" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 14s
000 #27: "conn93" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 84942s; newest ISAKMP; DPD active
000 #31: "conn94" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 0s
000 #30: "conn94" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 85099s; newest ISAKMP; DPD active
000

This is happening only in IKEV1 with more than 3 connections. Please
suggest.



Thanks,
Swetha
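Editor's note, not part of the original post or of strongSwan: the log above repeats "cannot route -- route already in use for "conn91"" for every other conn, and the status marks conn91 #4 as "eroute owner". With the conn definitions all sharing leftsubnet=10.46.155.203/32 and rightsubnet=0.0.0.0/0, the four conns ask pluto for the same kernel eroute, and only one conn can own it. The added script below is an illustration of how to catch that from ipsec.conf before bringing anything up: it parses the section format, resolves %default and also= inheritance as ipsec.conf(5) describes (own parameters override inherited ones), groups conns by their (leftsubnet, rightsubnet) selector pair, and also flags esp= proposals with the NULL cipher that pluto warns about. The sample configs are constructed; conn92 to conn94 are assumed to be copies of conn91 with only the peer address changed, since the post elides them, and treating a missing *subnet= as the host's /32 is this checker's assumption.

```python
"""Static check of an ipsec.conf for conns that compete for one pluto eroute.

Added example, not strongSwan code and not the poster's file.  It reports
(a) conns whose (leftsubnet, rightsubnet) selector pair duplicates another
conn's, the situation behind pluto's "cannot route -- route already in use"
message, and (b) esp= proposals that use the NULL cipher.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the posted conn91; conn92..conn94 are
# ASSUMED to differ only in the peer address (the post elides them).
POSTED_STYLE_CONF = """\
config setup
  plutostart=yes

conn %default
  keyexchange=ikev1
  authby=pubkey
  ikelifetime=85992s
  keylife=86400s

conn conn91
  type=tunnel
  leftsubnet=10.46.155.203/32
  rightsubnet=0.0.0.0/0
  left=10.46.155.203
  right=192.168.13.4
  ike=aes128-sha1-modp1024!
  esp=null-sha1!
  rightid=%any
  dpdaction=restart

conn conn92
  also=conn91
  right=192.168.13.5

conn conn93
  also=conn91
  right=192.168.13.6

conn conn94
  also=conn91
  right=192.168.13.7
"""

# Constructed contrast: each conn owns a distinct remote selector and a real
# cipher, so the checker stays quiet (an illustration, not a recommendation).
DISTINCT_SELECTOR_CONF = """\
conn %default
  keyexchange=ikev1
  authby=pubkey
  esp=aes128-sha1!

conn conn91
  left=10.46.155.203
  leftsubnet=10.46.155.203/32
  right=192.168.13.4
  rightsubnet=10.91.0.0/16

conn conn92
  also=conn91
  right=192.168.13.5
  rightsubnet=10.92.0.0/16
"""

SECTION_RE = re.compile(r"^(conn|config)\s+(\S+)\s*$")


def parse_ipsec_conf(text):
    """Return {section: {param: value}}; conns keyed by name, 'config setup'
    keyed as written.  '#' starts a comment; parameters must be indented."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            key = m.group(2) if m.group(1) == "conn" else "config " + m.group(2)
            current = sections.setdefault(key, {})
            continue
        if current is None or not line[0].isspace():
            raise ValueError(f"line {lineno}: parameter outside a section: {raw!r}")
        name, sep, value = line.strip().partition("=")
        if not sep or not name.strip():
            raise ValueError(f"line {lineno}: expected key=value: {raw!r}")
        current[name.strip()] = value.strip()
    return sections


def resolve_conn(sections, name, _chain=()):
    """Merge %default, then the also= chain, then the conn's own parameters;
    later layers override earlier ones.  Rejects also= loops."""
    if name in _chain:
        raise ValueError("also= loop: " + " -> ".join(_chain + (name,)))
    own = sections[name]
    params = dict(sections.get("%default", {}))
    if "also" in own:
        params.update(resolve_conn(sections, own["also"], _chain + (name,)))
    params.update((k, v) for k, v in own.items() if k != "also")
    return params


def selector_pair(conn):
    """(local, remote) traffic selectors the eroute is keyed on.  Assumption:
    without a *subnet= the host address itself (/32) is the selector; a
    %any/%defaultroute host is unknown until runtime and yields None."""
    def side(prefix):
        subnet = conn.get(prefix + "subnet")
        if subnet:
            return subnet
        host = conn.get(prefix)
        return None if host in (None, "%any", "%defaultroute") else host + "/32"
    return side("left"), side("right")


def null_esp_proposals(esp):
    """Proposals in an esp= string whose encryption algorithm is NULL."""
    return [p for p in esp.rstrip("!").split(",")
            if p and p.split("-")[0].lower() == "null"]


def check_conns(text):
    """Return a list of (kind, conn_names, detail) findings for the config."""
    sections = parse_ipsec_conf(text)
    conns = {n: resolve_conn(sections, n) for n in sections
             if n != "%default" and not n.startswith("config ")}
    findings, owners = [], defaultdict(list)
    for name in sorted(conns):
        params = conns[name]
        owners[selector_pair(params)].append(name)
        for prop in null_esp_proposals(params.get("esp", "")):
            findings.append(("insecure_esp", name, prop))
    for (local, remote), names in sorted(owners.items(), key=lambda kv: kv[1]):
        if len(names) > 1 and None not in (local, remote):
            findings.append(("eroute_collision", ",".join(names), f"{local} -> {remote}"))
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_STYLE_CONF), ("distinct", DISTINCT_SELECTOR_CONF)):
        print(label, check_conns(conf) or "no findings")
```

Run it against a real file with `check_conns(open("/etc/ipsec.conf").read())`; an `eroute_collision` finding lists every conn that would fight over the same selector pair, and `insecure_esp` names the conn carrying a NULL-cipher proposal.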