[strongSwan] Cannot establish connection using tunnel mode

严旭东 yanxudong.sh at gmail.com
Tue Sep 20 08:42:50 CEST 2011


Hello,

I'm using tunnel mode within an IPsec connection, while the two hosts are
under the same gateway. The connection can be established, but then it begins
to cycle its state forever.

Sep 19 16:28:14 bonnie charon: 06[CFG] received stroke: initiate
'bonnie_psk_clyde'
Sep 19 16:28:14 bonnie charon: 10[AUD] initiating IKE_SA 'bonnie_psk_clyde'
to 9.11.237.67
Sep 19 16:28:14 bonnie charon: 10[AUD] initiating IKE_SA 'bonnie_psk_clyde'
to 9.11.237.67
Sep 19 16:28:14 bonnie charon: 10[IKE] IKE_SA 'bonnie_psk_clyde' state
change: CREATED => CONNECTING
Sep 19 16:28:14 bonnie charon: 10[ENC] generating IKE_SA_INIT request 0 [ SA
KE No N(NATD_D_IP) N(NATD_S_IP) ]
Sep 19 16:28:14 bonnie charon: 10[NET] sending packet: from 9.11.237.60[500]
to 9.11.237.67[500]
Sep 19 16:28:14 bonnie charon: 11[NET] received packet: from
9.11.237.67[500] to 9.11.237.60[500]
Sep 19 16:28:14 bonnie charon: 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE
No N(NATD_S_IP) N(NATD_D_IP) ]
Sep 19 16:28:14 bonnie charon: 11[IKE] authentication of '9.11.237.60'
(myself) with pre-shared key
Sep 19 16:28:14 bonnie charon: 11[AUD] establishing CHILD_SA
Sep 19 16:28:14 bonnie charon: 11[AUD] establishing CHILD_SA
Sep 19 16:28:14 bonnie charon: 11[ENC] generating IKE_AUTH request 1 [ IDi
IDr AUTH SA TSi TSr ]
Sep 19 16:28:14 bonnie charon: 11[NET] sending packet: from 9.11.237.60[500]
to 9.11.237.67[500]
Sep 19 16:28:14 bonnie charon: 12[NET] received packet: from
9.11.237.67[500] to 9.11.237.60[500]
Sep 19 16:28:14 bonnie charon: 12[ENC] parsed IKE_AUTH response 1 [ IDr AUTH
SA TSi TSr N(AUTH_LFT) ]
Sep 19 16:28:14 bonnie charon: 12[IKE] authentication of '9.11.237.67' with
pre-shared key successful
Sep 19 16:28:14 bonnie charon: 12[IKE] IKE_SA 'bonnie_psk_clyde' state
change: CONNECTING => ESTABLISHED
Sep 19 16:28:14 bonnie charon: 12[IKE] scheduling reauthentication in 112s
Sep 19 16:28:14 bonnie charon: 12[IKE] maximum IKE_SA lifetime 117s
Sep 19 16:28:14 bonnie charon: 12[AUD] IKE_SA 'bonnie_psk_clyde' established
between 9.11.237.60[9.11.237.60]...[9.11.237.67]9.11.237.67
Sep 19 16:28:14 bonnie charon: 12[AUD] IKE_SA 'bonnie_psk_clyde' established
between 9.11.237.60[9.11.237.60]...[9.11.237.67]9.11.237.67
Sep 19 16:28:14 bonnie charon: 12[AUD] CHILD_SA 'bonnie_psk_clyde'
established successfully
Sep 19 16:28:14 bonnie charon: 12[AUD] CHILD_SA 'bonnie_psk_clyde'
established successfully
Sep 19 16:28:14 bonnie charon: 12[IKE] received AUTH_LIFETIME of 112s,
scheduling reauthentication in 107s
Sep 19 16:28:14 bonnie charon: 13[IKE] reestablishing IKE_SA due address
change
<---------------------------------------- ????
Sep 19 16:28:14 bonnie charon: 13[IKE] IKE_SA 'bonnie_psk_clyde' state
change: ESTABLISHED => DELETING
Sep 19 16:28:14 bonnie charon: 13[ENC] generating INFORMATIONAL request 2 [
D ]
Sep 19 16:28:14 bonnie charon: 13[NET] sending packet: from 9.11.237.60[500]
to 9.11.237.67[500]
Sep 19 16:28:14 bonnie charon: 14[NET] received packet: from
9.11.237.67[500] to 9.11.237.60[500]
Sep 19 16:28:14 bonnie charon: 14[ENC] parsed INFORMATIONAL response 2 [ ]
Sep 19 16:28:14 bonnie charon: 14[AUD] initiating IKE_SA 'bonnie_psk_clyde'
to 9.11.237.67
Sep 19 16:28:14 bonnie charon: 14[AUD] initiating IKE_SA 'bonnie_psk_clyde'
to 9.11.237.67
Sep 19 16:28:14 bonnie charon: 14[IKE] IKE_SA 'bonnie_psk_clyde' state
change: CREATED => CONNECTING
Sep 19 16:28:14 bonnie charon: 14[ENC] generating IKE_SA_INIT request 0 [ SA
KE No N(NATD_D_IP) N(NATD_S_IP) ]
Sep 19 16:28:14 bonnie charon: 14[NET] sending packet: from 9.11.237.60[500]
to 9.11.237.67[500]
Sep 19 16:28:15 bonnie charon: 04[NET] received packet: from
9.11.237.67[500] to 9.11.237.60[500]
Sep 19 16:28:15 bonnie charon: 04[ENC] parsed IKE_SA_INIT response 0 [ SA KE
No N(NATD_S_IP) N(NATD_D_IP) ]
Sep 19 16:28:15 bonnie charon: 04[IKE] authentication of '9.11.237.60'
(myself) with pre-shared key
Sep 19 16:28:15 bonnie charon: 04[AUD] establishing CHILD_SA
Sep 19 16:28:15 bonnie charon: 04[AUD] establishing CHILD_SA
Sep 19 16:28:15 bonnie charon: 04[ENC] generating IKE_AUTH request 1 [ IDi
IDr AUTH SA TSi TSr ]
Sep 19 16:28:15 bonnie charon: 04[NET] sending packet: from 9.11.237.60[500]
to 9.11.237.67[500]
Sep 19 16:28:15 bonnie charon: 05[IKE] reestablishing IKE_SA due address
change
...
The IKE_SA keeps cycling from
CREATED=>CONNECTING=>ESTABLISHED=>DELETING=>CREATED...

When I set "type=transport", or make the same configuration between hosts
that are not under the same gateway, the connection can be established
normally.

I have some knowledge that transport mode requires the IPsec AH/ESP headers to
be integrated into the IP packet, while tunnel mode encapsulates the whole
original IP datagram and then adds a new IP header,
but I still have no idea why in tunnel mode the log displays
"reestablishing IKE_SA due address change". Is it working as designed? And
could you explain how the address has
been changed? Thanks a lot.

Best regards,
Xudong
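The loop the post describes can be picked out of a charon log mechanically: the same IKE_SA reaches ESTABLISHED and goes to DELETING within the same second, far sooner than the reauthentication it has just scheduled, and each teardown is preceded by a "reestablishing IKE_SA due address change" message. The following is an added example, not code from the poster or from the strongSwan project. The log it parses is a constructed, abbreviated subset of lines in the shape of the ones quoted above; the parse_events and analyse helpers, the report layout and the min_cycles threshold are my own assumptions, not anything strongSwan provides.

```python
import re
from datetime import datetime

# Constructed sample: an abbreviated subset of charon syslog lines in the shape
# of the ones quoted in the post (timestamp, host, thread[subsystem], message).
SAMPLE_LOG = """\
Sep 19 16:28:14 bonnie charon: 10[IKE] IKE_SA 'bonnie_psk_clyde' state change: CREATED => CONNECTING
Sep 19 16:28:14 bonnie charon: 12[IKE] IKE_SA 'bonnie_psk_clyde' state change: CONNECTING => ESTABLISHED
Sep 19 16:28:14 bonnie charon: 12[IKE] scheduling reauthentication in 112s
Sep 19 16:28:14 bonnie charon: 12[IKE] received AUTH_LIFETIME of 112s, scheduling reauthentication in 107s
Sep 19 16:28:14 bonnie charon: 13[IKE] reestablishing IKE_SA due address change
Sep 19 16:28:14 bonnie charon: 13[IKE] IKE_SA 'bonnie_psk_clyde' state change: ESTABLISHED => DELETING
Sep 19 16:28:14 bonnie charon: 14[IKE] IKE_SA 'bonnie_psk_clyde' state change: CREATED => CONNECTING
Sep 19 16:28:15 bonnie charon: 04[IKE] IKE_SA 'bonnie_psk_clyde' state change: CONNECTING => ESTABLISHED
Sep 19 16:28:15 bonnie charon: 05[IKE] reestablishing IKE_SA due address change
Sep 19 16:28:15 bonnie charon: 05[IKE] IKE_SA 'bonnie_psk_clyde' state change: ESTABLISHED => DELETING
"""

# One syslog line: "<Mon DD HH:MM:SS> <host> charon: <thread>[<subsystem>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ charon: \d+\[(?P<sub>\w+)\] (?P<msg>.*)$"
)
STATE_RE = re.compile(r"IKE_SA '(?P<name>[^']+)' state change: (?P<old>\w+) => (?P<new>\w+)")
REAUTH_RE = re.compile(r"scheduling reauthentication in (?P<secs>\d+)s")
REESTABLISH_MSG = "reestablishing IKE_SA due address change"


def parse_events(log_text):
    """Return (timestamp, subsystem, message) for every well-formed charon line.

    Lines that were wrapped by a mail client (as in the post) do not match the
    prefix and are skipped, so feed this un-wrapped log lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; the default (1900) is fine for deltas
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("sub"), m.group("msg")))
    return events


def analyse(log_text, min_cycles=2):
    """Summarise IKE_SA churn: how often each SA came up and was torn down,
    how long it stayed up, and whether that is shorter than the
    reauthentication charon itself scheduled (a sign of a reestablish loop
    rather than a normal lifetime-driven reauth)."""
    reestablish = 0
    scheduled = []
    per_sa = {}
    for ts, sub, msg in parse_events(log_text):
        if sub != "IKE":
            continue
        if msg == REESTABLISH_MSG:
            reestablish += 1
            continue
        r = REAUTH_RE.search(msg)
        if r:
            scheduled.append(int(r.group("secs")))
            continue
        s = STATE_RE.search(msg)
        if not s:
            continue
        sa = per_sa.setdefault(
            s.group("name"), {"established": 0, "deleting": 0, "lifetimes": [], "_up_since": None}
        )
        if s.group("new") == "ESTABLISHED":
            sa["established"] += 1
            sa["_up_since"] = ts
        elif s.group("new") == "DELETING":
            sa["deleting"] += 1
            if sa["_up_since"] is not None:
                sa["lifetimes"].append((ts - sa["_up_since"]).total_seconds())
                sa["_up_since"] = None

    min_reauth = min(scheduled) if scheduled else None
    report = {"reestablish_events": reestablish, "min_scheduled_reauth": min_reauth, "ike_sas": {}}
    for name, sa in per_sa.items():
        longest = max(sa["lifetimes"]) if sa["lifetimes"] else None
        # torn down well before the reauth it scheduled: not a lifetime expiry
        premature = longest is not None and min_reauth is not None and longest < min_reauth
        flapping = sa["established"] >= min_cycles and sa["deleting"] >= min_cycles and premature
        report["ike_sas"][name] = {
            "established": sa["established"],
            "deleting": sa["deleting"],
            "longest_lifetime_s": longest,
            "flapping": flapping,
        }
    return report


if __name__ == "__main__":
    for sa_name, summary in analyse(SAMPLE_LOG)["ike_sas"].items():
        print(sa_name, summary)
```

On the constructed sample the SA is flagged: it is established twice and deleted twice, never stays up for more than a second, and both teardowns follow an address-change reestablish rather than the 107 s reauthentication that was scheduled. Run against a real /var/log/daemon.log (with the wrapped lines rejoined) the same check separates this kind of loop from ordinary reauth churn.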