[strongSwan] Charon and kernel out-of-sync

Mike Spengler mks at foobox.com
Thu Mar 3 06:59:17 CET 2011


Hi,

I'm having a problem where the kernel policies and charons trap list are getting out of
sync (strongswan 4.5.1). It's occuring on a host-host transport connection when the
connection does an IKE_REAUTH task with an existing child SA. The kernel policy's reqid
is getting incremented, but the trap list entry is unchanged. Thus when a later XFRM
acquire comes in with the new reqid, it doesn't find a match on the trap list.

I don't know whether the charon reqid should be getting incremented for a reauth or
whether the policies need to be deleted and readded with the updated reqid. It's easy
for me to recreate, so I can test any fixes or gather more debug if needed.

Thanks for any help.
-mike


The scenario is:
         HOST 1                                HOST 2
                  <establish ike connection>
                       <establish SA (reqid=1)>
			  .
			  .
			  .
			  .
                                              <ike lifetime expires - IKE_REAUTH>
                   <new ike connection>
                       <new SA (reqid=2)>
			  .
			  .
			  .
  <reboot host 1>
                                              <SA deleted>
  <host 1 up>
                                              <ping6 host1>
                                                    XFRM acquire reqid=2
							-> no match


This is HOST-2's ipsec.conf. HOST-1 is the same (with left/right flipped).
config setup
         dumpdir=
         strictcrlpolicy=no
         uniqueids=yes
         plutostart=no
         charonstart=yes
conn %default
         auth=esp
         auto=route
         dpdaction=hold
         keyexchange=ikev2
         leftfirewall=no
         mobike=no
conn Policy_S0P0ipsec0sa0
         esp=3des-sha1!
         ike=3des-sha1-modp1024!
         ikelifetime=3600s
         keylife=1800s
         rekey=yes
         type=transport
         left=fd70:c154:c2df:83:2c0:ddff:fe12:cdd4
         right=fd70:c154:c2df:83:2c0:ddff:fe0d:53e6
         leftauth=psk
         rightauth=psk

Here's some data from HOST-2 after the problem has occurred:

[root at hsb3800-2 conf]# ip x m
acquire proto esp
   sel src fd70:c154:c2df:83:2c0:ddff:fe12:cdd4/128 dst fd70:c154:c2df:83:2c0:ddff:fe0d:53e6/128 proto ipv6-icmp type 128 code 0
   policy src fd70:c154:c2df:83:2c0:ddff:fe12:cdd4/128 dst fd70:c154:c2df:83:2c0:ddff:fe0d:53e6/128
         dir out priority 1027 ptype main
         tmpl src :: dst ::
                 proto esp reqid 2 mode transport


[root at hsb3800-2 TRAP2]# ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.5.1):
   uptime: 104 minutes, since Mar 02 23:05:35 2011
   malloc: sbrk 151552, mmap 0, used 83064, free 68488
   worker threads: 1 idle of 8, job queue load: 0, scheduled events: 0
   loaded plugins: aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac ctr kernel-netlink socket-default stroke
Listening IP addresses:
   10.20.83.97
   fd70:c154:c2df:83:2c0:ddff:fe12:cdd4
Connections:
Policy_S0P0ipsec0sa0:  fd70:c154:c2df:83:2c0:ddff:fe12:cdd4...fd70:c154:c2df:83:2c0:ddff:fe0d:53e6, dpddelay=30s
Policy_S0P0ipsec0sa0:   local:  [fd70:c154:c2df:83:2c0:ddff:fe12:cdd4] uses pre-shared key authentication
Policy_S0P0ipsec0sa0:   remote: [fd70:c154:c2df:83:2c0:ddff:fe0d:53e6] uses pre-shared key authentication
Policy_S0P0ipsec0sa0:   child:  dynamic === dynamic , dpdaction=hold
Routed Connections:
Policy_S0P0ipsec0sa0{1}:  ROUTED, TRANSPORT
Policy_S0P0ipsec0sa0{1}:   fd70:c154:c2df:83:2c0:ddff:fe12:cdd4/128 === fd70:c154:c2df:83:2c0:ddff:fe0d:53e6/128
Security Associations:
   none

[root at hsb3800-2 TRAP2]# ip x p
src fd70:c154:c2df:83:2c0:ddff:fe0d:53e6/128 dst fd70:c154:c2df:83:2c0:ddff:fe12:cdd4/128
         dir in priority 1027 ptype main
         tmpl src :: dst ::
                 proto esp reqid 2 mode transport
src fd70:c154:c2df:83:2c0:ddff:fe12:cdd4/128 dst fd70:c154:c2df:83:2c0:ddff:fe0d:53e6/128
         dir out priority 1027 ptype main
         tmpl src :: dst ::
                 proto esp reqid 2 mode transport

logfile (w/ a few extra DBG's added)
-------
Mar  2 23:48:50 switch charon: 08[JOB] got event, queuing job for execution
Mar  2 23:48:50 switch charon: 08[JOB] next event in 14s 512ms, waiting
Mar  2 23:48:50 switch charon: 07[MGR] checkout IKE_SA
Mar  2 23:48:50 switch charon: 07[MGR] IKE_SA Policy_S0P0ipsec0sa0[1] successfully checked out
Mar  2 23:48:50 switch charon: 07[IKE] <Policy_S0P0ipsec0sa0|1> reauth.1490:
Mar  2 23:48:50 switch charon: 07[IKE] <Policy_S0P0ipsec0sa0|1> queueing IKE_REAUTH task
Mar  2 23:48:50 switch charon: 07[IKE] <Policy_S0P0ipsec0sa0|1> activating new tasks
Mar  2 23:48:50 switch charon: 07[IKE] <Policy_S0P0ipsec0sa0|1>   activating IKE_REAUTH task
Mar  2 23:48:50 switch charon: 07[IKE] <Policy_S0P0ipsec0sa0|1> deleting IKE_SA Policy_S0P0ipsec0sa0[1] between 
fd70:c154:c2df:83:2c0:ddff:fe12:cdd4[fd70:c154:c2df:83:2c0:ddff:fe12:cdd4]...fd70:c154:c2df:83:2c0:ddff:fe0d:53e6[fd70:c154:c2df:83:2c0:ddff:fe0d:53e6]
Mar  2 23:48:50 switch charon: 07[IKE] <Policy_S0P0ipsec0sa0|1> IKE_SA Policy_S0P0ipsec0sa0[1] state change: ESTABLISHED => DELETING
Mar  2 23:48:50 switch charon: 08[JOB] next event in 14s 473ms, waiting
Mar  2 23:48:50 switch charon: 07[IKE] <Policy_S0P0ipsec0sa0|1> sending DELETE for IKE_SA Policy_S0P0ipsec0sa0[1]
Mar  2 23:48:50 switch charon: 07[ENC] <Policy_S0P0ipsec0sa0|1> generating INFORMATIONAL request 12 [ D ]
Mar  2 23:48:50 switch charon: 07[NET] <Policy_S0P0ipsec0sa0|1> sending packet: from fd70:c154:c2df:83:2c0:ddff:fe12:cdd4[500] to fd70:c154:c2df:83:2c0:ddff:fe0d:53e6[500]
Mar  2 23:48:50 switch charon: 08[JOB] next event in 3s 999ms, waiting
Mar  2 23:48:50 switch charon: 07[MGR] <Policy_S0P0ipsec0sa0|1> checkin IKE_SA Policy_S0P0ipsec0sa0[1]
Mar  2 23:48:50 switch charon: 07[MGR] <Policy_S0P0ipsec0sa0|1> check-in of IKE_SA successful.
Mar  2 23:48:50 switch charon: 04[NET] sending packet: from fd70:c154:c2df:83:2c0:ddff:fe12:cdd4[500] to fd70:c154:c2df:83:2c0:ddff:fe0d:53e6[500]
Mar  2 23:48:50 switch charon: 05[NET] received packet: from fd70:c154:c2df:83:2c0:ddff:fe0d:53e6[500] to fd70:c154:c2df:83:2c0:ddff:fe12:cdd4[500]
Mar  2 23:48:50 switch charon: 05[NET] waiting for data on sockets
Mar  2 23:48:50 switch charon: 06[MGR] checkout IKE_SA by message
Mar  2 23:48:50 switch charon: 06[MGR] IKE_SA Policy_S0P0ipsec0sa0[1] successfully checked out
Mar  2 23:48:50 switch charon: 06[NET] <Policy_S0P0ipsec0sa0|1> received packet: from fd70:c154:c2df:83:2c0:ddff:fe0d:53e6[500] to fd70:c154:c2df:83:2c0:ddff:fe12:cdd4[500]
Mar  2 23:48:50 switch charon: 06[ENC] <Policy_S0P0ipsec0sa0|1> parsed INFORMATIONAL response 12 [ ]
Mar  2 23:48:50 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|1> update_hosts.833:
Mar  2 23:48:50 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|1> IKE_SA deleted
Mar  2 23:48:50 switch charon: 06[MGR] <Policy_S0P0ipsec0sa0|1> created IKE_SA (unnamed)[2]
Mar  2 23:48:50 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|1> initiate.1097:
Mar  2 23:48:50 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|1> queueing IKE_VENDOR task
Mar  2 23:48:50 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|1> queueing IKE_INIT task
Mar  2 23:48:50 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|1> queueing IKE_NATD task
Mar  2 23:48:50 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|1> queueing IKE_CERT_PRE task
Mar  2 23:48:50 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|1> queueing IKE_AUTHENTICATE task
Mar  2 23:48:50 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|1> queueing IKE_CERT_POST task
Mar  2 23:48:50 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|1> queueing IKE_CONFIG task
Mar  2 23:48:50 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|1> queueing IKE_AUTH_LIFETIME task
Mar  2 23:48:50 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|1> queueing CHILD_CREATE task
Mar  2 23:48:50 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|1> activating new tasks
Mar  2 23:48:50 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|1>   activating IKE_VENDOR task
Mar  2 23:48:50 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|1>   activating IKE_INIT task
Mar  2 23:48:50 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|1>   activating IKE_NATD task
Mar  2 23:48:50 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|1>   activating IKE_CERT_PRE task
Mar  2 23:48:50 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|1>   activating IKE_AUTHENTICATE task
Mar  2 23:48:50 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|1>   activating IKE_CERT_POST task
Mar  2 23:48:50 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|1>   activating IKE_CONFIG task
Mar  2 23:48:50 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|1>   activating CHILD_CREATE task
Mar  2 23:48:50 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|1>   activating IKE_AUTH_LIFETIME task
Mar  2 23:48:51 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|1> initiating IKE_SA Policy_S0P0ipsec0sa0[2] to fd70:c154:c2df:83:2c0:ddff:fe0d:53e6
Mar  2 23:48:51 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|1> IKE_SA Policy_S0P0ipsec0sa0[2] state change: CREATED => CONNECTING
Mar  2 23:48:51 switch charon: 06[LIB] <Policy_S0P0ipsec0sa0|1> size of DH secret exponent: 1022 bits
Mar  2 23:48:51 switch charon: 06[ENC] <Policy_S0P0ipsec0sa0|1> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar  2 23:48:51 switch charon: 06[NET] <Policy_S0P0ipsec0sa0|1> sending packet: from fd70:c154:c2df:83:2c0:ddff:fe12:cdd4[500] to fd70:c154:c2df:83:2c0:ddff:fe0d:53e6[500]
Mar  2 23:48:51 switch charon: 04[NET] sending packet: from fd70:c154:c2df:83:2c0:ddff:fe12:cdd4[500] to fd70:c154:c2df:83:2c0:ddff:fe0d:53e6[500]
Mar  2 23:48:51 switch charon: 08[JOB] next event in 3s 710ms, waiting
Mar  2 23:48:51 switch charon: 06[MGR] <Policy_S0P0ipsec0sa0|1> checkin IKE_SA Policy_S0P0ipsec0sa0[2]
Mar  2 23:48:51 switch charon: 06[MGR] <Policy_S0P0ipsec0sa0|1> checkin and destroy IKE_SA Policy_S0P0ipsec0sa0[1]
Mar  2 23:48:51 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|1> destroy.1996:
Mar  2 23:48:51 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|1> IKE_SA Policy_S0P0ipsec0sa0[1] state change: DELETING => DESTROYING
Mar  2 23:48:51 switch charon: 06[CHD] <Policy_S0P0ipsec0sa0|1> destroy.915:
Mar  2 23:48:51 switch charon: 06[KNL] <Policy_S0P0ipsec0sa0|1> deleting SAD entry with SPI c698b6c8
Mar  2 23:48:51 switch charon: 06[KNL] <Policy_S0P0ipsec0sa0|1> deleted SAD entry with SPI c698b6c8
Mar  2 23:48:51 switch charon: 06[KNL] <Policy_S0P0ipsec0sa0|1> deleting SAD entry with SPI c0daf98b
Mar  2 23:48:51 switch charon: 06[KNL] <Policy_S0P0ipsec0sa0|1> deleted SAD entry with SPI c0daf98b
Mar  2 23:48:51 switch charon: 06[KNL] <Policy_S0P0ipsec0sa0|1> deleting policy fd70:c154:c2df:83:2c0:ddff:fe12:cdd4/128 === fd70:c154:c2df:83:2c0:ddff:fe0d:53e6/128 out
Mar  2 23:48:51 switch charon: 06[KNL] <Policy_S0P0ipsec0sa0|1> policy still used by another CHILD_SA, not removed
Mar  2 23:48:51 switch charon: 06[KNL] <Policy_S0P0ipsec0sa0|1> deleting policy fd70:c154:c2df:83:2c0:ddff:fe0d:53e6/128 === fd70:c154:c2df:83:2c0:ddff:fe12:cdd4/128 in
Mar  2 23:48:51 switch charon: 06[KNL] <Policy_S0P0ipsec0sa0|1> policy still used by another CHILD_SA, not removed
Mar  2 23:48:51 switch charon: 06[MGR] check-in and destroy of IKE_SA successful
Mar  2 23:48:51 switch charon: 05[NET] received packet: from fd70:c154:c2df:83:2c0:ddff:fe0d:53e6[500] to fd70:c154:c2df:83:2c0:ddff:fe12:cdd4[500]
Mar  2 23:48:51 switch charon: 05[NET] waiting for data on sockets
Mar  2 23:48:51 switch charon: 07[MGR] checkout IKE_SA by message
Mar  2 23:48:51 switch charon: 07[MGR] IKE_SA Policy_S0P0ipsec0sa0[2] successfully checked out
Mar  2 23:48:51 switch charon: 07[NET] <Policy_S0P0ipsec0sa0|2> received packet: from fd70:c154:c2df:83:2c0:ddff:fe0d:53e6[500] to fd70:c154:c2df:83:2c0:ddff:fe12:cdd4[500]
Mar  2 23:48:51 switch charon: 07[ENC] <Policy_S0P0ipsec0sa0|2> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Mar  2 23:48:51 switch charon: 07[IKE] <Policy_S0P0ipsec0sa0|2> update_hosts.833:
Mar  2 23:48:51 switch charon: 07[CFG] <Policy_S0P0ipsec0sa0|2> selecting proposal:
Mar  2 23:48:51 switch charon: 07[CFG] <Policy_S0P0ipsec0sa0|2>   proposal matches
Mar  2 23:48:51 switch charon: 07[CFG] <Policy_S0P0ipsec0sa0|2> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar  2 23:48:51 switch charon: 07[CFG] <Policy_S0P0ipsec0sa0|2> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar  2 23:48:51 switch charon: 07[CFG] <Policy_S0P0ipsec0sa0|2> selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar  2 23:48:51 switch charon: 07[IKE] <Policy_S0P0ipsec0sa0|2> reinitiating already active tasks
Mar  2 23:48:51 switch charon: 07[IKE] <Policy_S0P0ipsec0sa0|2>   IKE_CERT_PRE task
Mar  2 23:48:51 switch charon: 07[IKE] <Policy_S0P0ipsec0sa0|2>   IKE_AUTHENTICATE task
Mar  2 23:48:51 switch charon: 07[IKE] <Policy_S0P0ipsec0sa0|2> authentication of 'fd70:c154:c2df:83:2c0:ddff:fe12:cdd4' (myself) with pre-shared key
Mar  2 23:48:51 switch charon: 07[IKE] <Policy_S0P0ipsec0sa0|2> successfully created shared key MAC
Mar  2 23:48:51 switch charon: 07[IKE] <Policy_S0P0ipsec0sa0|2> establishing CHILD_SA Policy_S0P0ipsec0sa0
Mar  2 23:48:51 switch charon: 07[CFG] <Policy_S0P0ipsec0sa0|2> proposing traffic selectors for us:
Mar  2 23:48:51 switch charon: 07[CFG] <Policy_S0P0ipsec0sa0|2>  fd70:c154:c2df:83:2c0:ddff:fe12:cdd4/128 (derived from dynamic)
Mar  2 23:48:51 switch charon: 07[CFG] <Policy_S0P0ipsec0sa0|2> proposing traffic selectors for other:
Mar  2 23:48:51 switch charon: 07[CFG] <Policy_S0P0ipsec0sa0|2>  fd70:c154:c2df:83:2c0:ddff:fe0d:53e6/128 (derived from dynamic)
Mar  2 23:48:51 switch charon: 07[CHD] <Policy_S0P0ipsec0sa0|2> child_sa_create.1029: reqid=0 rekey=0 reqid=1
Mar  2 23:48:51 switch charon: 07[KNL] <Policy_S0P0ipsec0sa0|2> getting SPI for reqid {2}
Mar  2 23:48:51 switch charon: 07[KNL] <Policy_S0P0ipsec0sa0|2> got SPI cb48d316 for reqid {2}
Mar  2 23:48:51 switch charon: 07[ENC] <Policy_S0P0ipsec0sa0|2> generating IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Mar  2 23:48:51 switch charon: 07[NET] <Policy_S0P0ipsec0sa0|2> sending packet: from fd70:c154:c2df:83:2c0:ddff:fe12:cdd4[500] to fd70:c154:c2df:83:2c0:ddff:fe0d:53e6[500]
Mar  2 23:48:51 switch charon: 04[NET] sending packet: from fd70:c154:c2df:83:2c0:ddff:fe12:cdd4[500] to fd70:c154:c2df:83:2c0:ddff:fe0d:53e6[500]
Mar  2 23:48:51 switch charon: 08[JOB] next event in 3s 394ms, waiting
Mar  2 23:48:51 switch charon: 07[MGR] <Policy_S0P0ipsec0sa0|2> checkin IKE_SA Policy_S0P0ipsec0sa0[2]
Mar  2 23:48:51 switch charon: 07[MGR] <Policy_S0P0ipsec0sa0|2> check-in of IKE_SA successful.
Mar  2 23:48:51 switch charon: 05[NET] received packet: from fd70:c154:c2df:83:2c0:ddff:fe0d:53e6[500] to fd70:c154:c2df:83:2c0:ddff:fe12:cdd4[500]
Mar  2 23:48:51 switch charon: 05[NET] waiting for data on sockets
Mar  2 23:48:51 switch charon: 06[MGR] checkout IKE_SA by message
Mar  2 23:48:51 switch charon: 06[MGR] IKE_SA Policy_S0P0ipsec0sa0[2] successfully checked out
Mar  2 23:48:51 switch charon: 06[NET] <Policy_S0P0ipsec0sa0|2> received packet: from fd70:c154:c2df:83:2c0:ddff:fe0d:53e6[500] to fd70:c154:c2df:83:2c0:ddff:fe12:cdd4[500]
Mar  2 23:48:51 switch charon: 06[ENC] <Policy_S0P0ipsec0sa0|2> parsed IKE_AUTH response 1 [ IDr AUTH N(USE_TRANSP) SA TSi TSr N(AUTH_LFT) ]
Mar  2 23:48:51 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|2> update_hosts.833:
Mar  2 23:48:51 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|2> received USE_TRANSPORT_MODE notify
Mar  2 23:48:51 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|2> authentication of 'fd70:c154:c2df:83:2c0:ddff:fe0d:53e6' with pre-shared key successful
Mar  2 23:48:51 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|2> IKE_SA Policy_S0P0ipsec0sa0[2] established between 
fd70:c154:c2df:83:2c0:ddff:fe12:cdd4[fd70:c154:c2df:83:2c0:ddff:fe12:cdd4]...fd70:c154:c2df:83:2c0:ddff:fe0d:53e6[fd70:c154:c2df:83:2c0:ddff:fe0d:53e6]
Mar  2 23:48:51 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|2> IKE_SA Policy_S0P0ipsec0sa0[2] state change: CONNECTING => ESTABLISHED
Mar  2 23:48:51 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|2> scheduling reauthentication in 2912s
Mar  2 23:48:51 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|2> maximum IKE_SA lifetime 3452s
Mar  2 23:48:51 switch charon: 06[CFG] <Policy_S0P0ipsec0sa0|2> selecting proposal:
Mar  2 23:48:51 switch charon: 06[CFG] <Policy_S0P0ipsec0sa0|2>   proposal matches
Mar  2 23:48:51 switch charon: 06[CFG] <Policy_S0P0ipsec0sa0|2> received proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Mar  2 23:48:51 switch charon: 06[CFG] <Policy_S0P0ipsec0sa0|2> configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Mar  2 23:48:51 switch charon: 06[CFG] <Policy_S0P0ipsec0sa0|2> selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Mar  2 23:48:51 switch charon: 06[CFG] <Policy_S0P0ipsec0sa0|2> selecting traffic selectors for us:
Mar  2 23:48:51 switch charon: 06[CFG] <Policy_S0P0ipsec0sa0|2>  config: fd70:c154:c2df:83:2c0:ddff:fe12:cdd4/128, received: fd70:c154:c2df:83:2c0:ddff:fe12:cdd4/128 => match: 
fd70:c154:c2df:83:2c0:ddff:fe12:cdd4/128
Mar  2 23:48:51 switch charon: 06[CFG] <Policy_S0P0ipsec0sa0|2> selecting traffic selectors for other:
Mar  2 23:48:51 switch charon: 06[CFG] <Policy_S0P0ipsec0sa0|2>  config: fd70:c154:c2df:83:2c0:ddff:fe0d:53e6/128, received: fd70:c154:c2df:83:2c0:ddff:fe0d:53e6/128 => match: 
fd70:c154:c2df:83:2c0:ddff:fe0d:53e6/128
Mar  2 23:48:51 switch charon: 06[CHD] <Policy_S0P0ipsec0sa0|2>   using 3DES_CBC for encryption
Mar  2 23:48:51 switch charon: 06[CHD] <Policy_S0P0ipsec0sa0|2>   using HMAC_SHA1_96 for integrity
Mar  2 23:48:51 switch charon: 06[CHD] <Policy_S0P0ipsec0sa0|2> adding inbound ESP SA
Mar  2 23:48:51 switch charon: 06[CHD] <Policy_S0P0ipsec0sa0|2>   SPI 0xcb48d316, src fd70:c154:c2df:83:2c0:ddff:fe0d:53e6 dst fd70:c154:c2df:83:2c0:ddff:fe12:cdd4
Mar  2 23:48:51 switch charon: 06[KNL] <Policy_S0P0ipsec0sa0|2> adding SAD entry with SPI cb48d316 and reqid {2}
Mar  2 23:48:51 switch charon: 06[KNL] <Policy_S0P0ipsec0sa0|2>   using encryption algorithm 3DES_CBC with key size 192
Mar  2 23:48:51 switch charon: 06[KNL] <Policy_S0P0ipsec0sa0|2>   using integrity algorithm HMAC_SHA1_96 with key size 160
Mar  2 23:48:51 switch charon: 06[CHD] <Policy_S0P0ipsec0sa0|2> adding outbound ESP SA
Mar  2 23:48:51 switch charon: 06[CHD] <Policy_S0P0ipsec0sa0|2>   SPI 0xcedd9e58, src fd70:c154:c2df:83:2c0:ddff:fe12:cdd4 dst fd70:c154:c2df:83:2c0:ddff:fe0d:53e6
Mar  2 23:48:51 switch charon: 06[KNL] <Policy_S0P0ipsec0sa0|2> adding SAD entry with SPI cedd9e58 and reqid {2}
Mar  2 23:48:51 switch charon: 06[KNL] <Policy_S0P0ipsec0sa0|2>   using encryption algorithm 3DES_CBC with key size 192
Mar  2 23:48:51 switch charon: 06[KNL] <Policy_S0P0ipsec0sa0|2>   using integrity algorithm HMAC_SHA1_96 with key size 160
Mar  2 23:48:51 switch charon: 06[CHD] <Policy_S0P0ipsec0sa0|2> add_policies.666:
Mar  2 23:48:51 switch charon: 06[KNL] <Policy_S0P0ipsec0sa0|2> policy fd70:c154:c2df:83:2c0:ddff:fe12:cdd4/128 === fd70:c154:c2df:83:2c0:ddff:fe0d:53e6/128 out already exists, increasing refcount
Mar  2 23:48:51 switch charon: 06[KNL] <Policy_S0P0ipsec0sa0|2> adding policy fd70:c154:c2df:83:2c0:ddff:fe12:cdd4/128 === fd70:c154:c2df:83:2c0:ddff:fe0d:53e6/128 out
Mar  2 23:48:51 switch charon: 06[KNL] <Policy_S0P0ipsec0sa0|2> policy fd70:c154:c2df:83:2c0:ddff:fe0d:53e6/128 === fd70:c154:c2df:83:2c0:ddff:fe12:cdd4/128 in already exists, increasing refcount
Mar  2 23:48:51 switch charon: 06[KNL] <Policy_S0P0ipsec0sa0|2> adding policy fd70:c154:c2df:83:2c0:ddff:fe0d:53e6/128 === fd70:c154:c2df:83:2c0:ddff:fe12:cdd4/128 in
Mar  2 23:48:51 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|2> CHILD_SA Policy_S0P0ipsec0sa0{2} established with SPIs cb48d316_i cedd9e58_o and TS fd70:c154:c2df:83:2c0:ddff:fe12:cdd4/128 === 
fd70:c154:c2df:83:2c0:ddff:fe0d:53e6/128
Mar  2 23:48:51 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|2> received AUTH_LIFETIME of 2660s, scheduling reauthentication in 2120s
Mar  2 23:48:51 switch charon: 08[JOB] next event in 3s 96ms, waiting
Mar  2 23:48:51 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|2> activating new tasks
Mar  2 23:48:51 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|2> nothing to initiate
Mar  2 23:48:51 switch charon: 06[MGR] <Policy_S0P0ipsec0sa0|2> checkin IKE_SA Policy_S0P0ipsec0sa0[2]
Mar  2 23:48:51 switch charon: 06[MGR] <Policy_S0P0ipsec0sa0|2> check-in of IKE_SA successful.


<HOST-1 is rebooted here>


Mar  2 23:56:37 switch charon: 05[NET] received packet: from fd70:c154:c2df:83:2c0:ddff:fe0d:53e6[500] to fd70:c154:c2df:83:2c0:ddff:fe12:cdd4[500]
Mar  2 23:56:37 switch charon: 06[MGR] checkout IKE_SA by message
Mar  2 23:56:37 switch charon: 06[MGR] IKE_SA Policy_S0P0ipsec0sa0[2] successfully checked out
Mar  2 23:56:37 switch charon: 06[NET] <Policy_S0P0ipsec0sa0|2> received packet: from fd70:c154:c2df:83:2c0:ddff:fe0d:53e6[500] to fd70:c154:c2df:83:2c0:ddff:fe12:cdd4[500]
Mar  2 23:56:37 switch charon: 06[ENC] <Policy_S0P0ipsec0sa0|2> parsed INFORMATIONAL request 15 [ D ]
Mar  2 23:56:37 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|2> update_hosts.833:
Mar  2 23:56:37 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|2> received DELETE for IKE_SA Policy_S0P0ipsec0sa0[2]
Mar  2 23:56:37 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|2> deleting IKE_SA Policy_S0P0ipsec0sa0[2] between 
fd70:c154:c2df:83:2c0:ddff:fe12:cdd4[fd70:c154:c2df:83:2c0:ddff:fe12:cdd4]...fd70:c154:c2df:83:2c0:ddff:fe0d:53e6[fd70:c154:c2df:83:2c0:ddff:fe0d:53e6]
Mar  2 23:56:37 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|2> IKE_SA Policy_S0P0ipsec0sa0[2] state change: ESTABLISHED => DELETING
Mar  2 23:56:37 switch charon: 08[JOB] next event in 13s 727ms, waiting
Mar  2 23:56:37 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|2> reestablish.1534:
Mar  2 23:56:37 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|2> reestablish.1547: state=5 action=1
Mar  2 23:56:37 switch charon: 06[CFG] <Policy_S0P0ipsec0sa0|2> CHILD_SA named 'Policy_S0P0ipsec0sa0' already routed
Mar  2 23:56:37 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|2> IKE_SA deleted
Mar  2 23:56:37 switch charon: 06[ENC] <Policy_S0P0ipsec0sa0|2> generating INFORMATIONAL response 15 [ ]
Mar  2 23:56:37 switch charon: 06[NET] <Policy_S0P0ipsec0sa0|2> sending packet: from fd70:c154:c2df:83:2c0:ddff:fe12:cdd4[500] to fd70:c154:c2df:83:2c0:ddff:fe0d:53e6[500]
Mar  2 23:56:37 switch charon: 06[MGR] <Policy_S0P0ipsec0sa0|2> checkin and destroy IKE_SA Policy_S0P0ipsec0sa0[2]
Mar  2 23:56:37 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|2> destroy.1996:
Mar  2 23:56:37 switch charon: 06[IKE] <Policy_S0P0ipsec0sa0|2> IKE_SA Policy_S0P0ipsec0sa0[2] state change: DELETING => DESTROYING
Mar  2 23:56:37 switch charon: 06[CHD] <Policy_S0P0ipsec0sa0|2> destroy.915:
Mar  2 23:56:37 switch charon: 06[KNL] <Policy_S0P0ipsec0sa0|2> deleting SAD entry with SPI cb48d316
Mar  2 23:56:37 switch charon: 06[KNL] <Policy_S0P0ipsec0sa0|2> deleted SAD entry with SPI cb48d316
Mar  2 23:56:37 switch charon: 06[KNL] <Policy_S0P0ipsec0sa0|2> deleting SAD entry with SPI cedd9e58
Mar  2 23:56:37 switch charon: 06[KNL] <Policy_S0P0ipsec0sa0|2> deleted SAD entry with SPI cedd9e58
Mar  2 23:56:37 switch charon: 06[KNL] <Policy_S0P0ipsec0sa0|2> deleting policy fd70:c154:c2df:83:2c0:ddff:fe12:cdd4/128 === fd70:c154:c2df:83:2c0:ddff:fe0d:53e6/128 out
Mar  2 23:56:37 switch charon: 06[KNL] <Policy_S0P0ipsec0sa0|2> policy still used by another CHILD_SA, not removed
Mar  2 23:56:37 switch charon: 06[KNL] <Policy_S0P0ipsec0sa0|2> deleting policy fd70:c154:c2df:83:2c0:ddff:fe0d:53e6/128 === fd70:c154:c2df:83:2c0:ddff:fe12:cdd4/128 in
Mar  2 23:56:37 switch charon: 06[KNL] <Policy_S0P0ipsec0sa0|2> policy still used by another CHILD_SA, not removed
Mar  2 23:56:37 switch charon: 06[MGR] check-in and destroy of IKE_SA successful
Mar  2 23:56:37 switch charon: 04[NET] sending packet: from fd70:c154:c2df:83:2c0:ddff:fe12:cdd4[500] to fd70:c154:c2df:83:2c0:ddff:fe0d:53e6[500]
Mar  2 23:56:37 switch charon: 05[NET] waiting for data on sockets
Mar  2 23:56:50 switch charon: 08[JOB] got event, queuing job for execution
Mar  2 23:56:50 switch charon: 08[JOB] next event in 16s 271ms, waiting
Mar  2 23:56:50 switch charon: 07[MGR] checkout IKE_SA
Mar  2 23:56:57 switch charon: 06[CFG] proposing traffic selectors for us:
Mar  2 23:56:57 switch charon: 06[CFG]  dynamic (derived from dynamic)
Mar  2 23:56:57 switch charon: 06[CFG] proposing traffic selectors for other:
Mar  2 23:56:57 switch charon: 06[CFG]  dynamic (derived from dynamic)
Mar  2 23:57:07 switch charon: 08[JOB] got event, queuing job for execution
Mar  2 23:57:07 switch charon: 06[MGR] checkout IKE_SA
Mar  2 23:57:07 switch charon: 08[JOB] next event in 188s 339ms, waiting
Mar  2 23:59:09 switch charon: 06[CFG] proposing traffic selectors for us:
Mar  2 23:59:09 switch charon: 06[CFG]  dynamic (derived from dynamic)
Mar  2 23:59:09 switch charon: 06[CFG] proposing traffic selectors for other:
Mar  2 23:59:09 switch charon: 06[CFG]  dynamic (derived from dynamic)


<ping6 from HOST-2 to HOST-1>


Mar  2 23:59:23 switch charon: 01[KNL] received a XFRM_MSG_ACQUIRE
Mar  2 23:59:23 switch charon: 01[KNL]   XFRMA_TMPL
Mar  2 23:59:23 switch charon: 01[KNL] creating acquire job for policy fd70:c154:c2df:83:2c0:ddff:fe12:cdd4/128[ipv6-icmp/128] === fd70:c154:c2df:83:2c0:ddff:fe0d:53e6/128[ipv6-icmp] with reqid {2}
Mar  2 23:59:23 switch charon: 03[CFG] acquiring trap: request reqid=2; entry: name=Policy_S0P0ipsec0sa0 reqid=1
Mar  2 23:59:23 switch charon: 03[CFG] trap not found, unable to acquire reqid 2
Mar  3 00:00:15 switch charon: 08[JOB] got event, queuing job for execution
Mar  3 00:00:15 switch charon: 08[JOB] next event in 539s 991ms, waiting
Mar  3 00:00:15 switch charon: 07[MGR] checkout IKE_SA
Mar  3 00:00:15 switch charon: 07[JOB] IKE_SA to rekey not found





More information about the Users mailing list