[strongSwan] route disappears on PPP renegotiation - new bug report

Mirko Parthey mirko.parthey at informatik.tu-chemnitz.de
Fri Nov 11 00:20:13 CET 2011


On Thu, Nov 10, 2011 at 06:13:59PM +0100, Tobias Brunner wrote:
> > At 18:49:25, the route to 192.168.0.2 does exist,
> > but charon hasn't noticed it.
> 
> Well, charon does notice that the interface comes up again.  But the
> issue here is that the IP address doesn't change.  What happens is that
> charon sees that the interface goes down, tries to find a new route,
> doesn't find one and defers any further updates.  Now, when the
> interface comes back up again, charon does indeed notice it, but since
> the IP is the same as before there is no need for it to trigger the
> MOBIKE process and update the installed SA/policies and, thus, does not
> retrigger the installation of the route.  The solution to this problem
> would require a change in how the routes are managed in charon.
> Currently every installed forward policy manages some metadata about the
> route installed together with it.  But there is no global list of
> installed routes.  The latter would help in this case as we could simply
> reinstall all installed routes on reactivated interfaces.  I can't give
> you an ETA for a solution at the moment, but if this is a real issue for
> you, there might be some hackish workarounds, e.g. triggering MOBIKE
> updates even if not really needed.  Patches for a proper solution are
> welcome too.

Hi Tobias,

Thanks for your detailed explanation.

I am trying to set up a tunnel between two home LANs. There is no time
pressure, so I am not interested in hackish workarounds for now.
I wasn't aware that MOBIKE is needed to reinstall the route,
so I had run this test with MOBIKE disabled, even though I am planning to
enable it in my real-life use case.

In my effort to provide a simple test case for you to reproduce,
I failed to show the bug I care about, but unknowingly reported a
different one, which may not even affect me.  Sorry about that.

I'll try again here:

- set up ikev2/net2net-cert as before, but with MOBIKE enabled
  (ipsec.conf attached)
- replace the ethernet link between moon and sun by PPP
- start the IPsec tunnel, route is OK

Now comes the interesting part:
- change the IP address of moon's end of the point-to-point link,
  using the ip tool on both moon and sun (see typescript),
  without triggering PPP renegotiation
  -> MOBIKE is successful, route is OK
- now change back to the original IP address by triggering PPP
  renegotiation
  -> route is gone

I suspect (but haven't verified) that the PPP interface gets deleted
during PPP renegotiation, and then reappears with the same name, but a
different ifindex.  Charon then has the old ifindex still cached and
tries to use it for setting the route, which fails.

Nov 10 21:28:36 moon charon: 16[KNL] getting iface index for ppp0
Nov 10 21:28:36 moon charon: 16[KNL] received netlink error: No such process (3)
(whole daemon.log is attached)

There is a comment in kernel_netlink_net.c which looks suspicious:

/* we do not remove it, as an address may be added to a
 * "down" interface and we wan't [sic!] to know that. */

Charon should probably distinguish between an interface going down
and an interface disappearing completely, and discard its cache entry in
the latter case. Sorry, no patch today.

Thanks for your great work,
Mirko
-------------- next part --------------
Script started on Do 10 Nov 2011 21:25:37 CET

root@moon:~# ip addr ls dev ppp0
5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 3
    link/ppp 
    inet 192.168.0.1 peer 192.168.0.2/32 scope global ppp0

root@moon:~# date; ip route ls
Do 10. Nov 21:25:58 CET 2011
192.168.0.2 dev ppp0  proto kernel  scope link  src 192.168.0.1 
10.1.0.0/16 dev eth1  proto kernel  scope link  src 10.1.0.1 
root@moon:~# date; ip route ls table 220
Do 10. Nov 21:26:00 CET 2011
10.2.0.0/16 via 192.168.0.2 dev ppp0  proto static  src 10.1.0.1 

root@moon:~# ip addr del 192.168.0.1 peer 192.168.0.2/32 dev ppp0; ip addr add 192.168.0.11 peer 192.168.0.2/32 dev ppp0

root@moon:~# date; ip route ls
Do 10. Nov 21:27:15 CET 2011
192.168.0.2 dev ppp0  proto kernel  scope link  src 192.168.0.11 
10.1.0.0/16 dev eth1  proto kernel  scope link  src 10.1.0.1 
root@moon:~# date; ip route ls table 220
Do 10. Nov 21:27:17 CET 2011
10.2.0.0/16 via 192.168.0.2 dev ppp0  proto static  src 10.1.0.1 

root@moon:~# killall -HUP pppd

root@moon:~# date; ip addr ls dev ppp0
Do 10. Nov 21:28:58 CET 2011
6: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 3
    link/ppp 
    inet 192.168.0.1 peer 192.168.0.2/32 scope global ppp0

root@moon:~# date; ip route ls
Do 10. Nov 21:29:06 CET 2011
192.168.0.2 dev ppp0  proto kernel  scope link  src 192.168.0.1 
10.1.0.0/16 dev eth1  proto kernel  scope link  src 10.1.0.1 
root@moon:~# date; ip route ls table 220
Do 10. Nov 21:29:08 CET 2011

root@moon:~# ipsec stop
Stopping strongSwan IPsec...
root@moon:~# exit

Script done on Do 10 Nov 2011 21:30:00 CET
-------------- next part --------------
Script started on Do 10 Nov 2011 21:25:48 CET

root@sun:~# ip addr ls dev ppp0
5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 3
    link/ppp 
    inet 192.168.0.2 peer 192.168.0.1/32 scope global ppp0

root@sun:~# date; ip route ls
Do 10. Nov 21:26:17 CET 2011
192.168.0.1 dev ppp0  proto kernel  scope link  src 192.168.0.2 
10.2.0.0/16 dev eth1  proto kernel  scope link  src 10.2.0.1 
root@sun:~# date; ip route ls table 220
Do 10. Nov 21:26:18 CET 2011
10.1.0.0/16 via 192.168.0.1 dev ppp0  proto static  src 10.2.0.1 

root@sun:~# ip addr del 192.168.0.2 peer 192.168.0.1/32 dev ppp0; ip addr add 192.168.0.2 peer 192.168.0.11/32 dev ppp0
root@sun:~# date; ip route ls
Do 10. Nov 21:27:28 CET 2011
192.168.0.11 dev ppp0  proto kernel  scope link  src 192.168.0.2 
10.2.0.0/16 dev eth1  proto kernel  scope link  src 10.2.0.1 
root@sun:~# date; ip route ls table 220
Do 10. Nov 21:27:30 CET 2011
10.1.0.0/16 via 192.168.0.11 dev ppp0  proto static  src 10.2.0.1 

root@sun:~# date; ip addr ls dev ppp0
Do 10. Nov 21:29:25 CET 2011
6: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 3
    link/ppp 
    inet 192.168.0.2 peer 192.168.0.1/32 scope global ppp0

root@sun:~# date; ip route ls
Do 10. Nov 21:29:32 CET 2011
192.168.0.1 dev ppp0  proto kernel  scope link  src 192.168.0.2 
10.2.0.0/16 dev eth1  proto kernel  scope link  src 10.2.0.1 
root@sun:~# date; ip route ls table 220
Do 10. Nov 21:29:33 CET 2011

root@sun:~# ipsec stop
Stopping strongSwan IPsec...
root@sun:~# exit

Script done on Do 10 Nov 2011 21:30:04 CET
-------------- next part --------------
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
	crlcheckinterval=180
	strictcrlpolicy=no
	plutostart=no
	charondebug="knl 2"

conn %default
	ikelifetime=60m
	keylife=20m
	rekeymargin=3m
	keyingtries=1
	keyexchange=ikev2
	mobike=yes

conn net-net 
	left=192.168.0.1
	leftcert=moonCert.pem
	leftid=@moon.strongswan.org
	leftsubnet=10.1.0.0/16
	leftfirewall=yes
	right=192.168.0.2
	rightid=@sun.strongswan.org
	rightsubnet=10.2.0.0/16
	auto=add
-------------- next part --------------
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
	crlcheckinterval=180
	strictcrlpolicy=no
	plutostart=no

conn %default
	ikelifetime=60m
	keylife=20m
	rekeymargin=3m
	keyingtries=1
	keyexchange=ikev2
	mobike=yes

conn net-net 
	left=192.168.0.2
	leftcert=sunCert.pem
	leftid=@sun.strongswan.org
	leftsubnet=10.2.0.0/16
	leftfirewall=yes
	right=192.168.0.1
	rightid=@moon.strongswan.org
	rightsubnet=10.1.0.0/16
	auto=add
-------------- next part --------------
Nov 10 21:18:07 moon charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.0)
Nov 10 21:18:09 moon charon: 00[KNL] listening on interfaces:
Nov 10 21:18:09 moon charon: 00[KNL]   eth1
Nov 10 21:18:09 moon charon: 00[KNL]     10.1.0.1
Nov 10 21:18:09 moon charon: 00[KNL]     fe80::5054:ff:fe71:c0d7
Nov 10 21:18:09 moon charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 10 21:18:10 moon charon: 00[CFG]   loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
Nov 10 21:18:10 moon charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 10 21:18:10 moon charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 10 21:18:10 moon charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 10 21:18:10 moon charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 10 21:18:10 moon charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 10 21:18:10 moon charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/moonKey.pem'
Nov 10 21:18:10 moon charon: 00[CFG] sql plugin: database URI not set
Nov 10 21:18:10 moon charon: 00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
Nov 10 21:18:10 moon charon: 00[CFG] loaded 0 RADIUS server configurations
Nov 10 21:18:10 moon charon: 00[LIB] plugin 'eap-tnc' failed to load: /usr/lib/ipsec/plugins/libstrongswan-eap-tnc.so: undefined symbol: tnc
Nov 10 21:18:10 moon charon: 00[LIB] plugin 'medsrv' failed to load: /usr/lib/ipsec/plugins/libstrongswan-medsrv.so: cannot open shared object file: No such file or directory
Nov 10 21:18:10 moon charon: 00[CFG] mediation client database URI not defined, skipped
Nov 10 21:18:10 moon charon: 00[LIB] plugin 'medcli': failed to load - medcli_plugin_create returned NULL
Nov 10 21:18:10 moon charon: 00[LIB] plugin 'nm' failed to load: /usr/lib/ipsec/plugins/libstrongswan-nm.so: cannot open shared object file: No such file or directory
Nov 10 21:18:10 moon charon: 00[CFG] HA config misses local/remote address
Nov 10 21:18:10 moon charon: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
Nov 10 21:18:10 moon charon: 00[LIB] feature PRF:PRF_CAMELLIA128_XCBC in 'xcbc' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-16
Nov 10 21:18:10 moon charon: 00[LIB] feature SIGNER:CAMELLIA_XCBC_96 in 'xcbc' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-16
Nov 10 21:18:10 moon charon: 00[LIB] feature CRYPTER:CAMELLIA_CTR-16 in 'ctr' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-16
Nov 10 21:18:10 moon charon: 00[LIB] feature CRYPTER:CAMELLIA_CTR-24 in 'ctr' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-24
Nov 10 21:18:10 moon charon: 00[LIB] feature CRYPTER:CAMELLIA_CTR-32 in 'ctr' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-32
Nov 10 21:18:10 moon charon: 00[LIB] feature AEAD:CAMELLIA_CCM_8-16 in 'ccm' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-16
Nov 10 21:18:10 moon charon: 00[LIB] feature AEAD:CAMELLIA_CCM_8-24 in 'ccm' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-24
Nov 10 21:18:10 moon charon: 00[LIB] feature AEAD:CAMELLIA_CCM_8-32 in 'ccm' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-32
Nov 10 21:18:10 moon charon: 00[LIB] feature AEAD:CAMELLIA_CCM_12-16 in 'ccm' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-16
Nov 10 21:18:10 moon charon: 00[LIB] feature AEAD:CAMELLIA_CCM_12-24 in 'ccm' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-24
Nov 10 21:18:10 moon charon: 00[LIB] feature AEAD:CAMELLIA_CCM_12-32 in 'ccm' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-32
Nov 10 21:18:10 moon charon: 00[LIB] feature AEAD:CAMELLIA_CCM_16-16 in 'ccm' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-16
Nov 10 21:18:10 moon charon: 00[LIB] feature AEAD:CAMELLIA_CCM_16-24 in 'ccm' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-24
Nov 10 21:18:10 moon charon: 00[LIB] feature AEAD:CAMELLIA_CCM_16-32 in 'ccm' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-32
Nov 10 21:18:10 moon charon: 00[DMN] loaded plugins: test-vectors curl ldap pkcs11 aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls dhcp led addrblock 
Nov 10 21:18:10 moon charon: 00[JOB] spawning 16 worker threads
Nov 10 21:18:10 moon charon: 10[CFG] received stroke: add connection 'net-net'
Nov 10 21:18:10 moon charon: 10[KNL] getting interface name for 192.168.0.2
Nov 10 21:18:10 moon charon: 10[KNL] 192.168.0.2 is not a local address
Nov 10 21:18:10 moon charon: 10[KNL] getting interface name for 192.168.0.1
Nov 10 21:18:10 moon charon: 10[KNL] 192.168.0.1 is not a local address
Nov 10 21:18:10 moon charon: 10[CFG] left nor right host is our side, assuming left=local
Nov 10 21:18:10 moon charon: 10[CFG]   loaded certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" from 'moonCert.pem'
Nov 10 21:18:10 moon charon: 10[CFG] added configuration 'net-net'
Nov 10 21:18:16 moon acpid: starting up with netlink and the input layer
Nov 10 21:18:16 moon acpid: 1 rule loaded
Nov 10 21:18:16 moon acpid: waiting for events: event logging is off
Nov 10 21:22:14 moon charon: 03[KNL] 192.168.0.1 appeared on ppp0
Nov 10 21:22:14 moon charon: 03[KNL] 192.168.0.1 disappeared from ppp0
Nov 10 21:22:14 moon charon: 03[KNL] 192.168.0.1 appeared on ppp0
Nov 10 21:22:14 moon charon: 03[KNL] interface ppp0 activated
Nov 10 21:22:15 moon charon: 12[KNL] creating roam job due to address/link change
Nov 10 21:25:13 moon charon: 14[CFG] received stroke: initiate 'net-net'
Nov 10 21:25:13 moon charon: 16[IKE] initiating IKE_SA net-net[1] to 192.168.0.2
Nov 10 21:25:13 moon charon: 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 10 21:25:13 moon charon: 16[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500]
Nov 10 21:25:13 moon charon: 01[NET] received packet: from 192.168.0.2[500] to 192.168.0.1[500]
Nov 10 21:25:13 moon charon: 01[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Nov 10 21:25:13 moon charon: 01[IKE] received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 10 21:25:13 moon charon: 01[IKE] sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 10 21:25:14 moon charon: 01[IKE] authentication of 'moon.strongswan.org' (myself) with RSA signature successful
Nov 10 21:25:14 moon charon: 01[IKE] sending end entity cert "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
Nov 10 21:25:14 moon charon: 01[IKE] establishing CHILD_SA net-net
Nov 10 21:25:14 moon charon: 01[KNL] getting SPI for reqid {1}
Nov 10 21:25:14 moon charon: 01[KNL] got SPI c34376b5 for reqid {1}
Nov 10 21:25:14 moon charon: 01[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Nov 10 21:25:14 moon charon: 01[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.2[4500]
Nov 10 21:25:14 moon charon: 11[NET] received packet: from 192.168.0.2[4500] to 192.168.0.1[4500]
Nov 10 21:25:14 moon charon: 11[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Nov 10 21:25:14 moon charon: 11[IKE] received end entity cert "C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
Nov 10 21:25:14 moon charon: 11[CFG]   using certificate "C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
Nov 10 21:25:14 moon charon: 11[CFG]   using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 10 21:25:14 moon charon: 11[CFG] checking certificate status of "C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
Nov 10 21:25:14 moon charon: 11[CFG]   fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
Nov 10 21:25:14 moon charon: 11[LIB] libcurl http request failed: couldn't connect to host
Nov 10 21:25:14 moon charon: 11[CFG] crl fetching failed
Nov 10 21:25:14 moon charon: 11[CFG] certificate status is not available
Nov 10 21:25:14 moon charon: 11[CFG]   reached self-signed root ca with a path length of 0
Nov 10 21:25:14 moon charon: 11[IKE] authentication of 'sun.strongswan.org' with RSA signature successful
Nov 10 21:25:14 moon charon: 11[IKE] IKE_SA net-net[1] established between 192.168.0.1[moon.strongswan.org]...192.168.0.2[sun.strongswan.org]
Nov 10 21:25:14 moon charon: 11[IKE] scheduling reauthentication in 3398s
Nov 10 21:25:14 moon charon: 11[IKE] maximum IKE_SA lifetime 3578s
Nov 10 21:25:14 moon charon: 11[KNL] adding SAD entry with SPI c34376b5 and reqid {1}
Nov 10 21:25:14 moon charon: 11[KNL]   using encryption algorithm AES_CBC with key size 128
Nov 10 21:25:14 moon charon: 11[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
Nov 10 21:25:14 moon charon: 11[KNL] adding SAD entry with SPI c8c91bee and reqid {1}
Nov 10 21:25:14 moon charon: 11[KNL]   using encryption algorithm AES_CBC with key size 128
Nov 10 21:25:14 moon charon: 11[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
Nov 10 21:25:14 moon charon: 11[KNL] adding policy 10.1.0.0/16 === 10.2.0.0/16 out
Nov 10 21:25:14 moon charon: 11[KNL] adding policy 10.2.0.0/16 === 10.1.0.0/16 in
Nov 10 21:25:14 moon charon: 11[KNL] adding policy 10.2.0.0/16 === 10.1.0.0/16 fwd
Nov 10 21:25:14 moon charon: 11[KNL] getting a local address in traffic selector 10.1.0.0/16
Nov 10 21:25:14 moon charon: 11[KNL] using host 10.1.0.1
Nov 10 21:25:14 moon charon: 11[KNL] getting address to reach 192.168.0.2
Nov 10 21:25:14 moon charon: 11[KNL] getting interface name for 192.168.0.1
Nov 10 21:25:14 moon charon: 11[KNL] 192.168.0.1 is on interface ppp0
Nov 10 21:25:14 moon charon: 11[KNL] installing route: 10.2.0.0/16 via 192.168.0.2 src 10.1.0.1 dev ppp0
Nov 10 21:25:14 moon charon: 11[KNL] getting iface index for ppp0
Nov 10 21:25:14 moon charon: 11[KNL] policy 10.1.0.0/16 === 10.2.0.0/16 out already exists, increasing refcount
Nov 10 21:25:14 moon charon: 11[KNL] updating policy 10.1.0.0/16 === 10.2.0.0/16 out
Nov 10 21:25:14 moon charon: 11[KNL] policy 10.2.0.0/16 === 10.1.0.0/16 in already exists, increasing refcount
Nov 10 21:25:14 moon charon: 11[KNL] updating policy 10.2.0.0/16 === 10.1.0.0/16 in
Nov 10 21:25:14 moon charon: 11[KNL] policy 10.2.0.0/16 === 10.1.0.0/16 fwd already exists, increasing refcount
Nov 10 21:25:14 moon charon: 11[KNL] updating policy 10.2.0.0/16 === 10.1.0.0/16 fwd
Nov 10 21:25:14 moon charon: 11[KNL] getting a local address in traffic selector 10.1.0.0/16
Nov 10 21:25:14 moon charon: 11[KNL] using host 10.1.0.1
Nov 10 21:25:14 moon charon: 11[KNL] getting address to reach 192.168.0.2
Nov 10 21:25:14 moon charon: 11[KNL] getting interface name for 192.168.0.1
Nov 10 21:25:14 moon charon: 11[KNL] 192.168.0.1 is on interface ppp0
Nov 10 21:25:14 moon charon: 11[KNL] getting iface index for ppp0
Nov 10 21:25:14 moon charon: 11[IKE] CHILD_SA net-net{1} established with SPIs c34376b5_i c8c91bee_o and TS 10.1.0.0/16 === 10.2.0.0/16 
Nov 10 21:25:14 moon charon: 11[KNL] getting interface name for 192.168.0.1
Nov 10 21:25:14 moon charon: 11[KNL] 192.168.0.1 is on interface ppp0
Nov 10 21:25:14 moon charon: 11[IKE] received AUTH_LIFETIME of 3358s, scheduling reauthentication in 3178s
Nov 10 21:25:14 moon charon: 11[IKE] peer supports MOBIKE
Nov 10 21:27:00 moon charon: 03[KNL] 192.168.0.1 disappeared from ppp0
Nov 10 21:27:00 moon charon: 03[KNL] 192.168.0.11 appeared on ppp0
Nov 10 21:27:00 moon charon: 13[KNL] creating roam job due to address/link change
Nov 10 21:27:00 moon charon: 13[KNL] getting address to reach 192.168.0.2
Nov 10 21:27:00 moon charon: 13[IKE] old path is not available anymore, try to find another
Nov 10 21:27:00 moon charon: 13[KNL] getting address to reach 192.168.0.2
Nov 10 21:27:00 moon charon: 13[IKE] requesting address change using MOBIKE
Nov 10 21:27:00 moon charon: 13[KNL] getting address to reach 192.168.0.2
Nov 10 21:27:00 moon charon: 13[ENC] generating INFORMATIONAL request 2 [ ]
Nov 10 21:27:00 moon charon: 13[KNL] getting address to reach 192.168.0.2
Nov 10 21:27:00 moon charon: 13[IKE] checking original path 192.168.0.11[4500] - 192.168.0.2[4500]
Nov 10 21:27:00 moon charon: 13[NET] sending packet: from 192.168.0.11[4500] to 192.168.0.2[4500]
Nov 10 21:27:00 moon charon: 13[KNL] getting address to reach 10.2.0.1
Nov 10 21:27:00 moon charon: 16[NET] received packet: from 192.168.0.2[4500] to 192.168.0.11[4500]
Nov 10 21:27:00 moon charon: 16[ENC] parsed INFORMATIONAL response 2 [ ]
Nov 10 21:27:00 moon charon: 16[KNL] getting address to reach 192.168.0.2
Nov 10 21:27:00 moon charon: 16[KNL] querying SAD entry with SPI c34376b5 for update
Nov 10 21:27:00 moon charon: 16[KNL] querying replay state from SAD entry with SPI c34376b5
Nov 10 21:27:00 moon charon: 16[KNL] deleting SAD entry with SPI c34376b5
Nov 10 21:27:00 moon charon: 16[KNL] deleted SAD entry with SPI c34376b5
Nov 10 21:27:00 moon charon: 16[KNL] updating SAD entry with SPI c34376b5 from 192.168.0.2[4500]..192.168.0.1[4500] to 192.168.0.2[4500]..192.168.0.11[4500]
Nov 10 21:27:00 moon charon: 16[KNL] querying SAD entry with SPI c8c91bee for update
Nov 10 21:27:00 moon charon: 16[KNL] querying replay state from SAD entry with SPI c8c91bee
Nov 10 21:27:00 moon charon: 16[KNL] deleting SAD entry with SPI c8c91bee
Nov 10 21:27:00 moon charon: 16[KNL] deleted SAD entry with SPI c8c91bee
Nov 10 21:27:00 moon charon: 16[KNL] updating SAD entry with SPI c8c91bee from 192.168.0.1[4500]..192.168.0.2[4500] to 192.168.0.11[4500]..192.168.0.2[4500]
Nov 10 21:27:00 moon charon: 16[KNL] deleting policy 10.1.0.0/16 === 10.2.0.0/16 out
Nov 10 21:27:00 moon charon: 16[KNL] policy still used by another CHILD_SA, not removed
Nov 10 21:27:00 moon charon: 16[KNL] updating policy 10.1.0.0/16 === 10.2.0.0/16 out
Nov 10 21:27:00 moon charon: 16[KNL] deleting policy 10.2.0.0/16 === 10.1.0.0/16 in
Nov 10 21:27:00 moon charon: 16[KNL] policy still used by another CHILD_SA, not removed
Nov 10 21:27:00 moon charon: 16[KNL] updating policy 10.2.0.0/16 === 10.1.0.0/16 in
Nov 10 21:27:00 moon charon: 16[KNL] deleting policy 10.2.0.0/16 === 10.1.0.0/16 fwd
Nov 10 21:27:00 moon charon: 16[KNL] policy still used by another CHILD_SA, not removed
Nov 10 21:27:00 moon charon: 16[KNL] updating policy 10.2.0.0/16 === 10.1.0.0/16 fwd
Nov 10 21:27:00 moon charon: 16[KNL] getting a local address in traffic selector 10.1.0.0/16
Nov 10 21:27:00 moon charon: 16[KNL] using host 10.1.0.1
Nov 10 21:27:00 moon charon: 16[KNL] getting address to reach 192.168.0.2
Nov 10 21:27:00 moon charon: 16[KNL] getting interface name for 192.168.0.1
Nov 10 21:27:00 moon charon: 16[KNL] 192.168.0.1 is not a local address
Nov 10 21:27:00 moon charon: 16[KNL] policy 10.1.0.0/16 === 10.2.0.0/16 out already exists, increasing refcount
Nov 10 21:27:00 moon charon: 16[KNL] updating policy 10.1.0.0/16 === 10.2.0.0/16 out
Nov 10 21:27:00 moon charon: 16[KNL] policy 10.2.0.0/16 === 10.1.0.0/16 in already exists, increasing refcount
Nov 10 21:27:00 moon charon: 16[KNL] updating policy 10.2.0.0/16 === 10.1.0.0/16 in
Nov 10 21:27:00 moon charon: 16[KNL] policy 10.2.0.0/16 === 10.1.0.0/16 fwd already exists, increasing refcount
Nov 10 21:27:00 moon charon: 16[KNL] updating policy 10.2.0.0/16 === 10.1.0.0/16 fwd
Nov 10 21:27:00 moon charon: 16[KNL] getting a local address in traffic selector 10.1.0.0/16
Nov 10 21:27:00 moon charon: 16[KNL] using host 10.1.0.1
Nov 10 21:27:00 moon charon: 16[KNL] getting address to reach 192.168.0.2
Nov 10 21:27:00 moon charon: 16[KNL] getting interface name for 192.168.0.11
Nov 10 21:27:00 moon charon: 16[KNL] 192.168.0.11 is on interface ppp0
Nov 10 21:27:00 moon charon: 16[KNL] getting iface index for ppp0
Nov 10 21:27:00 moon charon: 16[ENC] generating INFORMATIONAL request 3 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) N(COOKIE2) N(ADD_4_ADDR) ]
Nov 10 21:27:00 moon charon: 16[NET] sending packet: from 192.168.0.11[4500] to 192.168.0.2[4500]
Nov 10 21:27:00 moon charon: 01[NET] received packet: from 192.168.0.2[4500] to 192.168.0.11[4500]
Nov 10 21:27:00 moon charon: 01[ENC] parsed INFORMATIONAL response 3 [ N(NATD_S_IP) N(NATD_D_IP) N(COOKIE2) ]
Nov 10 21:28:32 moon charon: 03[KNL] interface ppp0 deactivated
Nov 10 21:28:32 moon charon: 03[KNL] 192.168.0.11 disappeared from ppp0
Nov 10 21:28:32 moon charon: 10[KNL] creating roam job due to address/link change
Nov 10 21:28:32 moon charon: 10[KNL] getting address to reach 192.168.0.2
Nov 10 21:28:32 moon charon: 10[IKE] old path is not available anymore, try to find another
Nov 10 21:28:32 moon charon: 10[KNL] getting address to reach 192.168.0.2
Nov 10 21:28:32 moon charon: 10[IKE] looking for a route to 10.2.0.1 ...
Nov 10 21:28:32 moon charon: 10[KNL] getting address to reach 10.2.0.1
Nov 10 21:28:32 moon charon: 10[IKE] no route found to reach 192.168.0.2, MOBIKE update deferred
Nov 10 21:28:36 moon charon: 03[KNL] 192.168.0.1 appeared on ppp0
Nov 10 21:28:36 moon charon: 03[KNL] 192.168.0.1 disappeared from ppp0
Nov 10 21:28:36 moon charon: 03[KNL] 192.168.0.1 appeared on ppp0
Nov 10 21:28:36 moon charon: 03[KNL] interface ppp0 activated
Nov 10 21:28:36 moon charon: 13[KNL] creating roam job due to address/link change
Nov 10 21:28:36 moon charon: 13[KNL] getting address to reach 192.168.0.2
Nov 10 21:28:36 moon charon: 13[IKE] old path is not available anymore, try to find another
Nov 10 21:28:36 moon charon: 13[KNL] getting address to reach 192.168.0.2
Nov 10 21:28:36 moon charon: 13[IKE] requesting address change using MOBIKE
Nov 10 21:28:36 moon charon: 13[KNL] getting address to reach 192.168.0.2
Nov 10 21:28:36 moon charon: 13[ENC] generating INFORMATIONAL request 4 [ ]
Nov 10 21:28:36 moon charon: 13[KNL] getting address to reach 192.168.0.2
Nov 10 21:28:36 moon charon: 13[IKE] checking original path 192.168.0.1[4500] - 192.168.0.2[4500]
Nov 10 21:28:36 moon charon: 13[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.2[4500]
Nov 10 21:28:36 moon charon: 13[KNL] getting address to reach 10.2.0.1
Nov 10 21:28:36 moon charon: 16[NET] received packet: from 192.168.0.2[4500] to 192.168.0.1[4500]
Nov 10 21:28:36 moon charon: 16[ENC] parsed INFORMATIONAL response 4 [ ]
Nov 10 21:28:36 moon charon: 16[KNL] getting address to reach 192.168.0.2
Nov 10 21:28:36 moon charon: 16[KNL] querying SAD entry with SPI c34376b5 for update
Nov 10 21:28:36 moon charon: 16[KNL] querying replay state from SAD entry with SPI c34376b5
Nov 10 21:28:36 moon charon: 16[KNL] deleting SAD entry with SPI c34376b5
Nov 10 21:28:36 moon charon: 16[KNL] deleted SAD entry with SPI c34376b5
Nov 10 21:28:36 moon charon: 16[KNL] updating SAD entry with SPI c34376b5 from 192.168.0.2[4500]..192.168.0.11[4500] to 192.168.0.2[4500]..192.168.0.1[4500]
Nov 10 21:28:36 moon charon: 16[KNL] querying SAD entry with SPI c8c91bee for update
Nov 10 21:28:36 moon charon: 16[KNL] querying replay state from SAD entry with SPI c8c91bee
Nov 10 21:28:36 moon charon: 16[KNL] deleting SAD entry with SPI c8c91bee
Nov 10 21:28:36 moon charon: 16[KNL] deleted SAD entry with SPI c8c91bee
Nov 10 21:28:36 moon charon: 16[KNL] updating SAD entry with SPI c8c91bee from 192.168.0.11[4500]..192.168.0.2[4500] to 192.168.0.1[4500]..192.168.0.2[4500]
Nov 10 21:28:36 moon charon: 16[KNL] deleting policy 10.1.0.0/16 === 10.2.0.0/16 out
Nov 10 21:28:36 moon charon: 16[KNL] policy still used by another CHILD_SA, not removed
Nov 10 21:28:36 moon charon: 16[KNL] updating policy 10.1.0.0/16 === 10.2.0.0/16 out
Nov 10 21:28:36 moon charon: 16[KNL] deleting policy 10.2.0.0/16 === 10.1.0.0/16 in
Nov 10 21:28:36 moon charon: 16[KNL] policy still used by another CHILD_SA, not removed
Nov 10 21:28:36 moon charon: 16[KNL] updating policy 10.2.0.0/16 === 10.1.0.0/16 in
Nov 10 21:28:36 moon charon: 16[KNL] deleting policy 10.2.0.0/16 === 10.1.0.0/16 fwd
Nov 10 21:28:36 moon charon: 16[KNL] policy still used by another CHILD_SA, not removed
Nov 10 21:28:36 moon charon: 16[KNL] updating policy 10.2.0.0/16 === 10.1.0.0/16 fwd
Nov 10 21:28:36 moon charon: 16[KNL] getting a local address in traffic selector 10.1.0.0/16
Nov 10 21:28:36 moon charon: 16[KNL] using host 10.1.0.1
Nov 10 21:28:36 moon charon: 16[KNL] getting address to reach 192.168.0.2
Nov 10 21:28:36 moon charon: 16[KNL] getting interface name for 192.168.0.1
Nov 10 21:28:36 moon charon: 16[KNL] 192.168.0.1 is on interface ppp0
Nov 10 21:28:36 moon charon: 16[KNL] getting iface index for ppp0
Nov 10 21:28:36 moon charon: 16[KNL] received netlink error: No such process (3)
Nov 10 21:28:36 moon charon: 16[KNL] policy 10.1.0.0/16 === 10.2.0.0/16 out already exists, increasing refcount
Nov 10 21:28:36 moon charon: 16[KNL] updating policy 10.1.0.0/16 === 10.2.0.0/16 out
Nov 10 21:28:36 moon charon: 16[KNL] policy 10.2.0.0/16 === 10.1.0.0/16 in already exists, increasing refcount
Nov 10 21:28:36 moon charon: 16[KNL] updating policy 10.2.0.0/16 === 10.1.0.0/16 in
Nov 10 21:28:36 moon charon: 16[KNL] policy 10.2.0.0/16 === 10.1.0.0/16 fwd already exists, increasing refcount
Nov 10 21:28:36 moon charon: 16[KNL] updating policy 10.2.0.0/16 === 10.1.0.0/16 fwd
Nov 10 21:28:36 moon charon: 16[KNL] getting a local address in traffic selector 10.1.0.0/16
Nov 10 21:28:36 moon charon: 16[KNL] using host 10.1.0.1
Nov 10 21:28:36 moon charon: 16[KNL] getting address to reach 192.168.0.2
Nov 10 21:28:36 moon charon: 16[KNL] getting interface name for 192.168.0.1
Nov 10 21:28:36 moon charon: 16[KNL] 192.168.0.1 is on interface ppp0
Nov 10 21:28:36 moon charon: 16[KNL] getting iface index for ppp0
Nov 10 21:28:36 moon charon: 16[KNL] received netlink error: No such process (3)
Nov 10 21:28:36 moon charon: 16[ENC] generating INFORMATIONAL request 5 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) N(COOKIE2) N(ADD_4_ADDR) ]
Nov 10 21:28:36 moon charon: 16[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.2[4500]
Nov 10 21:28:37 moon charon: 01[NET] received packet: from 192.168.0.2[4500] to 192.168.0.1[4500]
Nov 10 21:28:37 moon charon: 01[ENC] parsed INFORMATIONAL response 5 [ N(NATD_S_IP) N(NATD_D_IP) N(COOKIE2) ]
Nov 10 21:29:44 moon charon: 00[DMN] signal of type SIGINT received. Shutting down
Nov 10 21:29:44 moon charon: 00[IKE] deleting IKE_SA net-net[1] between 192.168.0.1[moon.strongswan.org]...192.168.0.2[sun.strongswan.org]
Nov 10 21:29:44 moon charon: 00[IKE] sending DELETE for IKE_SA net-net[1]
Nov 10 21:29:44 moon charon: 00[ENC] generating INFORMATIONAL request 6 [ D ]
Nov 10 21:29:44 moon charon: 00[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.2[4500]
Nov 10 21:29:44 moon charon: 00[KNL] deleting SAD entry with SPI c34376b5
Nov 10 21:29:44 moon charon: 00[KNL] deleted SAD entry with SPI c34376b5
Nov 10 21:29:44 moon charon: 00[KNL] deleting SAD entry with SPI c8c91bee
Nov 10 21:29:44 moon charon: 00[KNL] deleted SAD entry with SPI c8c91bee
Nov 10 21:29:44 moon charon: 00[KNL] deleting policy 10.1.0.0/16 === 10.2.0.0/16 out
Nov 10 21:29:44 moon charon: 00[KNL] policy still used by another CHILD_SA, not removed
Nov 10 21:29:44 moon charon: 00[KNL] updating policy 10.1.0.0/16 === 10.2.0.0/16 out
Nov 10 21:29:44 moon charon: 00[KNL] deleting policy 10.2.0.0/16 === 10.1.0.0/16 in
Nov 10 21:29:44 moon charon: 00[KNL] policy still used by another CHILD_SA, not removed
Nov 10 21:29:44 moon charon: 00[KNL] updating policy 10.2.0.0/16 === 10.1.0.0/16 in
Nov 10 21:29:44 moon charon: 00[KNL] deleting policy 10.2.0.0/16 === 10.1.0.0/16 fwd
Nov 10 21:29:44 moon charon: 00[KNL] policy still used by another CHILD_SA, not removed
Nov 10 21:29:44 moon charon: 00[KNL] updating policy 10.2.0.0/16 === 10.1.0.0/16 fwd
Nov 10 21:29:44 moon charon: 00[KNL] getting a local address in traffic selector 10.1.0.0/16
Nov 10 21:29:44 moon charon: 00[KNL] using host 10.1.0.1
Nov 10 21:29:44 moon charon: 00[KNL] getting address to reach 192.168.0.2
Nov 10 21:29:44 moon charon: 00[KNL] getting interface name for 192.168.0.1
Nov 10 21:29:44 moon charon: 00[KNL] 192.168.0.1 is on interface ppp0
Nov 10 21:29:44 moon charon: 00[KNL] getting iface index for ppp0
Nov 10 21:29:44 moon charon: 00[KNL] received netlink error: No such process (3)
Nov 10 21:29:44 moon charon: 00[KNL] deleting policy 10.1.0.0/16 === 10.2.0.0/16 out
Nov 10 21:29:44 moon charon: 00[KNL] deleting policy 10.2.0.0/16 === 10.1.0.0/16 in
Nov 10 21:29:44 moon charon: 00[KNL] deleting policy 10.2.0.0/16 === 10.1.0.0/16 fwd
Nov 10 21:29:44 moon charon: 00[KNL] getting iface index for ppp0
Nov 10 21:29:44 moon charon: 00[KNL] received netlink error: No such process (3)
Nov 10 21:29:44 moon charon: 00[KNL] error uninstalling route installed with policy 10.2.0.0/16 === 10.1.0.0/16 fwd
Nov 10 21:29:44 moon charon: 00[DMN] thread 0 received 11
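
The distinction the message proposes, between an interface going down and an interface disappearing, shown as a small model added here (it is not strongSwan code and not part of the original post). The cache layout, function names and event sequence are assumptions constructed for illustration; only the name ppp0 and the ifindex values 5 and 6 come from the typescripts above.

```c
#include <stdio.h>
#include <string.h>

/* Event kinds modelled on the rtnetlink link messages RTM_NEWLINK and
 * RTM_DELLINK. The values are local to this example. */
enum link_event { LINK_NEW, LINK_DEL };
#define FLAG_UP 0x1     /* stands in for IFF_UP */
#define MAX_IFACES 8

typedef struct {
    int used;
    int ifindex;
    int up;
    char name[16];
} iface_entry_t;

typedef struct {
    iface_entry_t e[MAX_IFACES];
    int drop_on_dellink;  /* 0: keep entry on delete, 1: discard it */
} iface_cache_t;

static iface_entry_t *find_by_index(iface_cache_t *c, int ifindex)
{
    for (int i = 0; i < MAX_IFACES; i++)
        if (c->e[i].used && c->e[i].ifindex == ifindex)
            return &c->e[i];
    return NULL;
}

static iface_entry_t *alloc_entry(iface_cache_t *c)
{
    for (int i = 0; i < MAX_IFACES; i++)
        if (!c->e[i].used)
            return &c->e[i];
    return NULL;
}

void cache_init(iface_cache_t *c, int drop_on_dellink)
{
    memset(c, 0, sizeof(*c));
    c->drop_on_dellink = drop_on_dellink;
}

/* Apply one link event to the cache, which is keyed by ifindex. */
void cache_handle(iface_cache_t *c, enum link_event ev, int ifindex,
                  const char *name, unsigned flags)
{
    iface_entry_t *ent = find_by_index(c, ifindex);

    if (ev == LINK_NEW) {
        if (!ent) {
            ent = alloc_entry(c);
            if (!ent)
                return;  /* cache full: ignore in this model */
            ent->used = 1;
            ent->ifindex = ifindex;
        }
        snprintf(ent->name, sizeof(ent->name), "%s", name);
        /* A link that is merely down stays cached: an address may still
         * be added to it later. */
        ent->up = (flags & FLAG_UP) != 0;
    } else if (ent) {
        if (c->drop_on_dellink)
            memset(ent, 0, sizeof(*ent)); /* interface is gone: forget it */
        else
            ent->up = 0;                  /* treated like "down": stale */
    }
}

/* Name lookup as used before installing a route; 0 means unknown. */
int cache_ifindex_by_name(iface_cache_t *c, const char *name)
{
    for (int i = 0; i < MAX_IFACES; i++)
        if (c->e[i].used && strcmp(c->e[i].name, name) == 0)
            return c->e[i].ifindex;
    return 0;
}

/* Constructed event sequence for the suspected PPP renegotiation. */
static const struct {
    enum link_event ev; int ifindex; const char *name; unsigned flags;
} EVENTS[] = {
    { LINK_NEW, 5, "ppp0", FLAG_UP }, /* link established              */
    { LINK_NEW, 5, "ppp0", 0 },       /* link goes down                */
    { LINK_DEL, 5, "ppp0", 0 },       /* interface removed             */
    { LINK_NEW, 6, "ppp0", FLAG_UP }, /* same name, new ifindex        */
};

/* Replay the first n events and return the ifindex cached for ppp0. */
int replay_ppp_renegotiation(int drop_on_dellink, int n)
{
    iface_cache_t c;
    int total = (int)(sizeof(EVENTS) / sizeof(EVENTS[0]));

    cache_init(&c, drop_on_dellink);
    for (int i = 0; i < n && i < total; i++)
        cache_handle(&c, EVENTS[i].ev, EVENTS[i].ifindex,
                     EVENTS[i].name, EVENTS[i].flags);
    return cache_ifindex_by_name(&c, "ppp0");
}

int main(void)
{
    printf("entry kept on delete:      ppp0 -> ifindex %d\n",
           replay_ppp_renegotiation(0, 4));
    printf("entry discarded on delete: ppp0 -> ifindex %d\n",
           replay_ppp_renegotiation(1, 4));
    return 0;
}
```

With the entry kept on delete, the lookup still returns the old index, which the kernel no longer knows; discarding it on delete leaves only the recreated interface to match.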