[strongSwan] route in table 220 disappears on external IP address change

Mirko Parthey mirko.parthey at informatik.tu-chemnitz.de
Fri Oct 28 14:37:20 CEST 2011


Hi,

using strongSwan 4.6.0rc2 with a test setup derived from ikev2/net2net-cert,
I tried to change the IP address of moon's external interface:
# ip addr del 192.168.0.1/24 dev eth0
# ip addr add 192.168.0.11/24 broadcast 192.168.0.255 dev eth0
Charon updated the policy and security associations automatically.

However, moon had a route to sun's private network in table 220:
# ip route ls table 220
10.2.0.0/16 via 192.168.0.2 dev eth0  proto static  src 10.1.0.1

During the IP update, this route was removed, but it was not restored
by charon when the new IP appeared on the external interface.
This made the tunnel SA unusable.  After restoring the route manually,
the tunnel worked again.

My ipsec.conf and charon log of gateway moon are attached.
There is no /etc/strongswan.conf.
Gateway sun's configuration changes match those of moon.

I created a Debian package by copying over and tweaking the debian/ dir
from the 4.5.2-1.2 package. This might be the reason for the
missing shared libraries in charon's log.

Please let me know if you need anything further.

Regards
Mirko
-------------- next part --------------
# /etc/ipsec.conf - strongSwan IPsec configuration file
# adapted from testing/tests/ikev2/net2net-cert/hosts/moon/etc/ipsec.conf

config setup
	crlcheckinterval=180
	strictcrlpolicy=no
	plutostart=no
	charondebug="knl 2"

conn %default
	ikelifetime=60m
	keylife=20m
	rekeymargin=3m
	keyingtries=1
	keyexchange=ikev2
	mobike=no

conn net-net
	left=%any
	leftcert=moonCert.pem
	leftid=@moon.strongswan.org
	leftsubnet=10.1.0.0/16
	leftfirewall=yes
	right=%sun.ipsec
	rightid=@sun.strongswan.org
	rightsubnet=10.2.0.0/16
	auto=add
	mobike=yes
	lefthostaccess=yes
-------------- next part --------------
Oct 28 13:40:05 moon charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.0rc2)
Oct 28 13:40:06 moon charon: 00[KNL] listening on interfaces:
Oct 28 13:40:06 moon charon: 00[KNL]   eth1
Oct 28 13:40:06 moon charon: 00[KNL]     10.1.0.1
Oct 28 13:40:06 moon charon: 00[KNL]     fe80::5054:ff:fe71:c0d7
Oct 28 13:40:06 moon charon: 00[KNL]   eth0
Oct 28 13:40:06 moon charon: 00[KNL]     192.168.0.1
Oct 28 13:40:06 moon charon: 00[KNL]     fe80::5054:ff:fe62:8a
Oct 28 13:40:06 moon charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Oct 28 13:40:06 moon charon: 00[CFG]   loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
Oct 28 13:40:06 moon charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Oct 28 13:40:06 moon charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Oct 28 13:40:06 moon charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Oct 28 13:40:06 moon charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Oct 28 13:40:06 moon charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Oct 28 13:40:06 moon charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/moonKey.pem'
Oct 28 13:40:06 moon charon: 00[CFG] sql plugin: database URI not set
Oct 28 13:40:06 moon charon: 00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
Oct 28 13:40:06 moon charon: 00[CFG] loaded 0 RADIUS server configurations
Oct 28 13:40:06 moon charon: 00[LIB] plugin 'medsrv' failed to load: /usr/lib/ipsec/plugins/libstrongswan-medsrv.so: cannot open shared object file: No such file or directory
Oct 28 13:40:06 moon charon: 00[CFG] mediation client database URI not defined, skipped
Oct 28 13:40:06 moon charon: 00[LIB] plugin 'medcli': failed to load - medcli_plugin_create returned NULL
Oct 28 13:40:06 moon charon: 00[LIB] plugin 'nm' failed to load: /usr/lib/ipsec/plugins/libstrongswan-nm.so: cannot open shared object file: No such file or directory
Oct 28 13:40:06 moon charon: 00[CFG] HA config misses local/remote address
Oct 28 13:40:06 moon charon: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
Oct 28 13:40:06 moon charon: 00[LIB] feature PRF:PRF_CAMELLIA128_XCBC in 'xcbc' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-16
Oct 28 13:40:06 moon charon: 00[LIB] feature SIGNER:CAMELLIA_XCBC_96 in 'xcbc' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-16
Oct 28 13:40:06 moon charon: 00[LIB] feature CRYPTER:CAMELLIA_CTR-16 in 'ctr' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-16
Oct 28 13:40:06 moon charon: 00[LIB] feature CRYPTER:CAMELLIA_CTR-24 in 'ctr' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-24
Oct 28 13:40:06 moon charon: 00[LIB] feature CRYPTER:CAMELLIA_CTR-32 in 'ctr' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-32
Oct 28 13:40:06 moon charon: 00[LIB] feature AEAD:CAMELLIA_CCM_8-16 in 'ccm' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-16
Oct 28 13:40:06 moon charon: 00[LIB] feature AEAD:CAMELLIA_CCM_8-24 in 'ccm' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-24
Oct 28 13:40:06 moon charon: 00[LIB] feature AEAD:CAMELLIA_CCM_8-32 in 'ccm' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-32
Oct 28 13:40:06 moon charon: 00[LIB] feature AEAD:CAMELLIA_CCM_12-16 in 'ccm' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-16
Oct 28 13:40:06 moon charon: 00[LIB] feature AEAD:CAMELLIA_CCM_12-24 in 'ccm' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-24
Oct 28 13:40:06 moon charon: 00[LIB] feature AEAD:CAMELLIA_CCM_12-32 in 'ccm' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-32
Oct 28 13:40:06 moon charon: 00[LIB] feature AEAD:CAMELLIA_CCM_16-16 in 'ccm' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-16
Oct 28 13:40:06 moon charon: 00[LIB] feature AEAD:CAMELLIA_CCM_16-24 in 'ccm' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-24
Oct 28 13:40:06 moon charon: 00[LIB] feature AEAD:CAMELLIA_CCM_16-32 in 'ccm' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-32
Oct 28 13:40:06 moon charon: 00[DMN] loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls dhcp led addrblock 
Oct 28 13:40:06 moon charon: 00[JOB] spawning 16 worker threads
Oct 28 13:40:06 moon charon: 10[CFG] received stroke: add connection 'net-net'
Oct 28 13:40:06 moon charon: 10[KNL] getting interface name for 192.168.0.2
Oct 28 13:40:06 moon charon: 10[KNL] 192.168.0.2 is not a local address
Oct 28 13:40:06 moon charon: 10[KNL] getting interface name for %any
Oct 28 13:40:06 moon charon: 10[KNL] %any is not a local address
Oct 28 13:40:06 moon charon: 10[CFG] left nor right host is our side, assuming left=local
Oct 28 13:40:06 moon charon: 10[CFG]   loaded certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" from 'moonCert.pem'
Oct 28 13:40:06 moon charon: 10[CFG] added configuration 'net-net'
Oct 28 13:42:30 moon charon: 12[CFG] received stroke: initiate 'net-net'
Oct 28 13:42:30 moon charon: 14[KNL] getting address to reach 192.168.0.2
Oct 28 13:42:30 moon charon: 14[IKE] initiating IKE_SA net-net[1] to 192.168.0.2
Oct 28 13:42:30 moon charon: 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 28 13:42:30 moon charon: 14[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500]
Oct 28 13:42:30 moon charon: 15[NET] received packet: from 192.168.0.2[500] to 192.168.0.1[500]
Oct 28 13:42:30 moon charon: 15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct 28 13:42:30 moon charon: 15[IKE] received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Oct 28 13:42:30 moon charon: 15[IKE] sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Oct 28 13:42:30 moon charon: 15[IKE] authentication of 'moon.strongswan.org' (myself) with RSA signature successful
Oct 28 13:42:30 moon charon: 15[IKE] sending end entity cert "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
Oct 28 13:42:30 moon charon: 15[IKE] establishing CHILD_SA net-net
Oct 28 13:42:30 moon charon: 15[KNL] getting SPI for reqid {1}
Oct 28 13:42:30 moon charon: 15[KNL] got SPI cccdf87a for reqid {1}
Oct 28 13:42:30 moon charon: 15[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Oct 28 13:42:30 moon charon: 15[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.2[4500]
Oct 28 13:42:30 moon charon: 16[NET] received packet: from 192.168.0.2[4500] to 192.168.0.1[4500]
Oct 28 13:42:30 moon charon: 16[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Oct 28 13:42:30 moon charon: 16[IKE] received end entity cert "C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
Oct 28 13:42:30 moon charon: 16[CFG]   using certificate "C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
Oct 28 13:42:30 moon charon: 16[CFG]   using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Oct 28 13:42:30 moon charon: 16[CFG] checking certificate status of "C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
Oct 28 13:42:30 moon charon: 16[CFG]   fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
Oct 28 13:42:30 moon charon: 16[LIB] libcurl http request failed: couldn't connect to host
Oct 28 13:42:30 moon charon: 16[CFG] crl fetching failed
Oct 28 13:42:30 moon charon: 16[CFG] certificate status is not available
Oct 28 13:42:30 moon charon: 16[CFG]   reached self-signed root ca with a path length of 0
Oct 28 13:42:30 moon charon: 16[IKE] authentication of 'sun.strongswan.org' with RSA signature successful
Oct 28 13:42:30 moon charon: 16[IKE] IKE_SA net-net[1] established between 192.168.0.1[moon.strongswan.org]...192.168.0.2[sun.strongswan.org]
Oct 28 13:42:30 moon charon: 16[IKE] scheduling reauthentication in 3328s
Oct 28 13:42:30 moon charon: 16[IKE] maximum IKE_SA lifetime 3508s
Oct 28 13:42:30 moon charon: 16[KNL] adding SAD entry with SPI cccdf87a and reqid {1}
Oct 28 13:42:30 moon charon: 16[KNL]   using encryption algorithm AES_CBC with key size 128
Oct 28 13:42:30 moon charon: 16[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
Oct 28 13:42:30 moon charon: 16[KNL] adding SAD entry with SPI cf597663 and reqid {1}
Oct 28 13:42:30 moon charon: 16[KNL]   using encryption algorithm AES_CBC with key size 128
Oct 28 13:42:30 moon charon: 16[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
Oct 28 13:42:30 moon charon: 16[KNL] adding policy 10.1.0.0/16 === 10.2.0.0/16 out
Oct 28 13:42:30 moon charon: 16[KNL] adding policy 10.2.0.0/16 === 10.1.0.0/16 in
Oct 28 13:42:30 moon charon: 16[KNL] adding policy 10.2.0.0/16 === 10.1.0.0/16 fwd
Oct 28 13:42:30 moon charon: 16[KNL] getting a local address in traffic selector 10.1.0.0/16
Oct 28 13:42:30 moon charon: 16[KNL] using host 10.1.0.1
Oct 28 13:42:30 moon charon: 16[KNL] getting address to reach 192.168.0.2
Oct 28 13:42:30 moon charon: 16[KNL] getting interface name for 192.168.0.1
Oct 28 13:42:30 moon charon: 16[KNL] 192.168.0.1 is on interface eth0
Oct 28 13:42:30 moon charon: 16[KNL] installing route: 10.2.0.0/16 via 192.168.0.2 src 10.1.0.1 dev eth0
Oct 28 13:42:30 moon charon: 16[KNL] getting iface index for eth0
Oct 28 13:42:30 moon charon: 16[KNL] policy 10.1.0.0/16 === 10.2.0.0/16 out already exists, increasing refcount
Oct 28 13:42:30 moon charon: 16[KNL] updating policy 10.1.0.0/16 === 10.2.0.0/16 out
Oct 28 13:42:30 moon charon: 16[KNL] policy 10.2.0.0/16 === 10.1.0.0/16 in already exists, increasing refcount
Oct 28 13:42:30 moon charon: 16[KNL] updating policy 10.2.0.0/16 === 10.1.0.0/16 in
Oct 28 13:42:30 moon charon: 16[KNL] policy 10.2.0.0/16 === 10.1.0.0/16 fwd already exists, increasing refcount
Oct 28 13:42:30 moon charon: 16[KNL] updating policy 10.2.0.0/16 === 10.1.0.0/16 fwd
Oct 28 13:42:30 moon charon: 16[KNL] getting a local address in traffic selector 10.1.0.0/16
Oct 28 13:42:30 moon charon: 16[KNL] using host 10.1.0.1
Oct 28 13:42:30 moon charon: 16[KNL] getting address to reach 192.168.0.2
Oct 28 13:42:30 moon charon: 16[KNL] getting interface name for 192.168.0.1
Oct 28 13:42:30 moon charon: 16[KNL] 192.168.0.1 is on interface eth0
Oct 28 13:42:30 moon charon: 16[IKE] CHILD_SA net-net{1} established with SPIs cccdf87a_i cf597663_o and TS 10.1.0.0/16 === 10.2.0.0/16 
Oct 28 13:42:30 moon charon: 16[KNL] getting interface name for 192.168.0.1
Oct 28 13:42:30 moon charon: 16[KNL] 192.168.0.1 is on interface eth0
Oct 28 13:42:31 moon charon: 16[IKE] received AUTH_LIFETIME of 3293s, scheduling reauthentication in 3113s
Oct 28 13:42:31 moon charon: 16[IKE] peer supports MOBIKE
Oct 28 13:46:28 moon charon: 03[KNL] 192.168.0.1 disappeared from eth0
Oct 28 13:46:28 moon charon: 03[KNL] 192.168.0.11 appeared on eth0
Oct 28 13:46:28 moon charon: 10[KNL] creating roam job due to address/link change
Oct 28 13:46:28 moon charon: 10[KNL] getting address to reach 192.168.0.2
Oct 28 13:46:28 moon charon: 10[IKE] old path is not available anymore, try to find another
Oct 28 13:46:28 moon charon: 10[KNL] getting address to reach 192.168.0.2
Oct 28 13:46:28 moon charon: 10[IKE] requesting address change using MOBIKE
Oct 28 13:46:28 moon charon: 10[KNL] getting address to reach 192.168.0.2
Oct 28 13:46:28 moon charon: 10[ENC] generating INFORMATIONAL request 2 [ ]
Oct 28 13:46:28 moon charon: 10[KNL] getting address to reach 192.168.0.2
Oct 28 13:46:28 moon charon: 10[IKE] checking original path 192.168.0.11[4500] - 192.168.0.2[4500]
Oct 28 13:46:28 moon charon: 10[NET] sending packet: from 192.168.0.11[4500] to 192.168.0.2[4500]
Oct 28 13:46:28 moon charon: 10[KNL] getting address to reach 10.2.0.1
Oct 28 13:46:28 moon charon: 14[NET] received packet: from 192.168.0.2[4500] to 192.168.0.11[4500]
Oct 28 13:46:28 moon charon: 14[ENC] parsed INFORMATIONAL response 2 [ ]
Oct 28 13:46:28 moon charon: 14[KNL] getting address to reach 192.168.0.2
Oct 28 13:46:28 moon charon: 14[KNL] querying SAD entry with SPI cccdf87a for update
Oct 28 13:46:28 moon charon: 14[KNL] querying replay state from SAD entry with SPI cccdf87a
Oct 28 13:46:28 moon charon: 14[KNL] deleting SAD entry with SPI cccdf87a
Oct 28 13:46:28 moon charon: 14[KNL] deleted SAD entry with SPI cccdf87a
Oct 28 13:46:28 moon charon: 14[KNL] updating SAD entry with SPI cccdf87a from 192.168.0.2[4500]..192.168.0.1[4500] to 192.168.0.2[4500]..192.168.0.11[4500]
Oct 28 13:46:28 moon charon: 14[KNL] querying SAD entry with SPI cf597663 for update
Oct 28 13:46:28 moon charon: 14[KNL] querying replay state from SAD entry with SPI cf597663
Oct 28 13:46:28 moon charon: 14[KNL] deleting SAD entry with SPI cf597663
Oct 28 13:46:28 moon charon: 14[KNL] deleted SAD entry with SPI cf597663
Oct 28 13:46:28 moon charon: 14[KNL] updating SAD entry with SPI cf597663 from 192.168.0.1[4500]..192.168.0.2[4500] to 192.168.0.11[4500]..192.168.0.2[4500]
Oct 28 13:46:28 moon charon: 14[KNL] deleting policy 10.1.0.0/16 === 10.2.0.0/16 out
Oct 28 13:46:28 moon charon: 14[KNL] policy still used by another CHILD_SA, not removed
Oct 28 13:46:28 moon charon: 14[KNL] updating policy 10.1.0.0/16 === 10.2.0.0/16 out
Oct 28 13:46:28 moon charon: 14[KNL] deleting policy 10.2.0.0/16 === 10.1.0.0/16 in
Oct 28 13:46:28 moon charon: 14[KNL] policy still used by another CHILD_SA, not removed
Oct 28 13:46:28 moon charon: 14[KNL] updating policy 10.2.0.0/16 === 10.1.0.0/16 in
Oct 28 13:46:28 moon charon: 14[KNL] deleting policy 10.2.0.0/16 === 10.1.0.0/16 fwd
Oct 28 13:46:28 moon charon: 14[KNL] policy still used by another CHILD_SA, not removed
Oct 28 13:46:28 moon charon: 14[KNL] updating policy 10.2.0.0/16 === 10.1.0.0/16 fwd
Oct 28 13:46:28 moon charon: 14[KNL] getting a local address in traffic selector 10.1.0.0/16
Oct 28 13:46:28 moon charon: 14[KNL] using host 10.1.0.1
Oct 28 13:46:28 moon charon: 14[KNL] getting address to reach 192.168.0.2
Oct 28 13:46:28 moon charon: 14[KNL] getting interface name for 192.168.0.1
Oct 28 13:46:28 moon charon: 14[KNL] 192.168.0.1 is not a local address
Oct 28 13:46:28 moon charon: 14[KNL] policy 10.1.0.0/16 === 10.2.0.0/16 out already exists, increasing refcount
Oct 28 13:46:28 moon charon: 14[KNL] updating policy 10.1.0.0/16 === 10.2.0.0/16 out
Oct 28 13:46:28 moon charon: 14[KNL] policy 10.2.0.0/16 === 10.1.0.0/16 in already exists, increasing refcount
Oct 28 13:46:28 moon charon: 14[KNL] updating policy 10.2.0.0/16 === 10.1.0.0/16 in
Oct 28 13:46:28 moon charon: 14[KNL] policy 10.2.0.0/16 === 10.1.0.0/16 fwd already exists, increasing refcount
Oct 28 13:46:28 moon charon: 14[KNL] updating policy 10.2.0.0/16 === 10.1.0.0/16 fwd
Oct 28 13:46:28 moon charon: 14[KNL] getting a local address in traffic selector 10.1.0.0/16
Oct 28 13:46:28 moon charon: 14[KNL] using host 10.1.0.1
Oct 28 13:46:28 moon charon: 14[KNL] getting address to reach 192.168.0.2
Oct 28 13:46:28 moon charon: 14[KNL] getting interface name for 192.168.0.11
Oct 28 13:46:28 moon charon: 14[KNL] 192.168.0.11 is on interface eth0
Oct 28 13:46:28 moon charon: 14[ENC] generating INFORMATIONAL request 3 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) N(COOKIE2) N(ADD_4_ADDR) ]
Oct 28 13:46:28 moon charon: 14[NET] sending packet: from 192.168.0.11[4500] to 192.168.0.2[4500]
Oct 28 13:46:28 moon charon: 15[NET] received packet: from 192.168.0.2[4500] to 192.168.0.11[4500]
Oct 28 13:46:28 moon charon: 15[ENC] parsed INFORMATIONAL response 3 [ N(NATD_S_IP) N(NATD_D_IP) N(COOKIE2) ]
Oct 28 13:47:06 moon charon: 01[KNL] creating roam job due to route change
Oct 28 13:47:06 moon charon: 01[KNL] getting address to reach 192.168.0.2
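The report above shows the failure mode: the kernel drops the table 220 route when its source address leaves the interface, and charon does not reinstall it after the MOBIKE update. The following is an added example, not part of Mirko's post or of strongSwan itself: a POSIX shell check that takes the route charon logged with "installing route:" and the current contents of table 220, reports whether that route is still present, and prints the `ip route replace` command needed to restore it. The charon log line and the two table dumps are constructed from the values in this thread so the script runs offline; on a real gateway you would pass `$(ip route ls table 220)` instead. The function names (`expected_route`, `route_present`, `check_route`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post or strongSwan): verify that the
# route charon installed in table 220 survived an external address change.

# Constructed sample: charon's "installing route" line from the report.
CHARON_LOG='Oct 28 13:42:30 moon charon: 16[KNL] installing route: 10.2.0.0/16 via 192.168.0.2 src 10.1.0.1 dev eth0'

# Constructed samples of `ip route ls table 220` before and after the change.
TABLE_BEFORE='10.2.0.0/16 via 192.168.0.2 dev eth0  proto static  src 10.1.0.1'
TABLE_AFTER=''   # the kernel removed the route together with 192.168.0.1

# expected_route LOGLINE -> prints "dst gw src dev" parsed from the charon line.
expected_route() {
    printf '%s\n' "$1" | sed -n \
        's/.*installing route: \([^ ]*\) via \([^ ]*\) src \([^ ]*\) dev \([^ ]*\).*/\1 \2 \3 \4/p'
}

# route_present DST GW DEV TABLE_OUTPUT -> exit 0 if a matching route exists.
# Fields are compared exactly rather than with a regex, so dots in addresses
# cannot match unrelated characters.
route_present() {
    want_dst=$1; want_gw=$2; want_dev=$3
    printf '%s\n' "$4" | {
        while read -r dst via gw devkw dev rest; do
            [ "$via" = via ] && [ "$devkw" = dev ] || continue
            if [ "$dst" = "$want_dst" ] && [ "$gw" = "$want_gw" ] && [ "$dev" = "$want_dev" ]; then
                exit 0
            fi
        done
        exit 1
    }
}

# check_route LOGLINE TABLE_OUTPUT -> 0 if the route is present, 1 if missing
# (printing the restore command), 2 if the log line could not be parsed.
check_route() {
    table=$2
    set -- $(expected_route "$1")
    [ $# -eq 4 ] || { echo "could not parse charon log line" >&2; return 2; }
    # $1=dst $2=gw $3=src $4=dev
    if route_present "$1" "$2" "$4" "$table"; then
        echo "ok: $1 via $2 dev $4 present in table 220"
        return 0
    fi
    echo "missing: restore with: ip route replace table 220 $1 via $2 dev $4 proto static src $3"
    return 1
}

# Demo on the constructed samples: the first call reports ok, the second
# prints the restore command (its non-zero status is deliberately ignored).
check_route "$CHARON_LOG" "$TABLE_BEFORE"
check_route "$CHARON_LOG" "$TABLE_AFTER" || true
```

Run periodically (or from a netlink/address-change hook) this gives an early, logged signal that the tunnel's forwarding path is broken even though the IKE_SA and CHILD_SA still look healthy, which is exactly the state the report describes.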