[strongSwan] Strongswan 4.5.1 Sqlite database not updated until ipsec is restarted
CETIAD - Fabrice Barconnière
fabrice.barconniere at ac-dijon.fr
Tue Sep 20 14:45:23 CEST 2011
Hi,
After some changes, the database is not reloaded in memory.
If I suppress a connection in the database, ipsec statusall always shows it
even after ipsec down.
If I add a connection in the database, ipsec statusall doesn't show the new
connection and ipsec up "amon-conteneur-sphynxtestha1" returns:
no config named 'amon-conteneur-sphynxtestha1'
Is there a way to reload or reread the database or flush the database cache
without restarting ipsec?
I've executed these commands before ipsec up with no success:
ipsec update
ipsec reload
ipsec update
ipsec purgeike
Here is a log example with a certificate change on one peer_config:
*amon-conteneur's log during ipsec start:
Sep 20 13:47:53 amon-conteneur charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.1)
Sep 20 13:47:53 amon-conteneur charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Sep 20 13:47:53 amon-conteneur charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Sep 20 13:47:53 amon-conteneur charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Sep 20 13:47:53 amon-conteneur charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Sep 20 13:47:53 amon-conteneur charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Sep 20 13:47:53 amon-conteneur charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Sep 20 13:47:53 amon-conteneur charon: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
Sep 20 13:47:53 amon-conteneur charon: 00[KNL] listening on interfaces:
Sep 20 13:47:53 amon-conteneur charon: 00[KNL] eth0
Sep 20 13:47:53 amon-conteneur charon: 00[KNL] 192.168.0.7
Sep 20 13:47:53 amon-conteneur charon: 00[KNL] eth1
Sep 20 13:47:53 amon-conteneur charon: 00[KNL] 10.21.12.1
Sep 20 13:47:53 amon-conteneur charon: 00[KNL] eth2
Sep 20 13:47:53 amon-conteneur charon: 00[KNL] 172.16.0.1
Sep 20 13:47:53 amon-conteneur charon: 00[KNL] eth3
Sep 20 13:47:53 amon-conteneur charon: 00[KNL] 10.121.12.1
Sep 20 13:47:53 amon-conteneur charon: 00[KNL] br0
Sep 20 13:47:53 amon-conteneur charon: 00[KNL] 192.0.2.1
Sep 20 13:47:53 amon-conteneur charon: 00[KNL] veinternet
Sep 20 13:47:53 amon-conteneur charon: 00[DMN] loaded plugins: aes sha1 sha2 hmac gmp random pubkey pem x509 revocation curl pkcs1 stroke sqlite sql updown kernel-netlink socket-raw
Sep 20 13:47:53 amon-conteneur charon: 00[JOB] spawning 16 worker threads
Sep 20 13:47:53 amon-conteneur charon: 07[JOB] start action: initiate 'reseau_eth1-admin'
Sep 20 13:47:53 amon-conteneur charon: 07[IKE] initiating IKE_SA amon-conteneur-sphynxtestha1[1] to 192.168.0.16
Sep 20 13:47:53 amon-conteneur charon: 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Sep 20 13:47:53 amon-conteneur charon: 07[NET] sending packet: from 192.168.0.7[500] to 192.168.0.16[500]
Sep 20 13:47:53 amon-conteneur charon: 07[JOB] start action: initiate 'reseau_172-admin'
Sep 20 13:47:53 amon-conteneur charon: 08[NET] received packet: from 192.168.0.16[500] to 192.168.0.7[500]
Sep 20 13:47:53 amon-conteneur charon: 08[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Sep 20 13:47:53 amon-conteneur charon: 08[IKE] received cert request for "C=fr, O=gouv, CN=RACINE AGRIATES"
Sep 20 13:47:53 amon-conteneur charon: 08[IKE] received 1 cert requests for an unknown ca
Sep 20 13:47:53 amon-conteneur charon: 08[IKE] sending cert request for "C=fr, O=gouv, OU=education, OU=ac-dijon, CN=CA-sun-RVP"
Sep 20 13:47:53 amon-conteneur charon: 08[IKE] sending cert request for "C=fr, O=gouv, CN=RACINE AGRIATES"
Sep 20 13:47:53 amon-conteneur charon: 08[IKE] authentication of 'C=fr, O=gouv, OU=education, OU=ac-dijon, CN=amon_conteneur' (myself) with RSA signature successful
Sep 20 13:47:53 amon-conteneur charon: 08[IKE] sending end entity cert "C=fr, O=gouv, OU=education, OU=ac-dijon, CN=amon_conteneur"
Sep 20 13:47:53 amon-conteneur charon: 08[IKE] establishing CHILD_SA reseau_eth1-admin
Sep 20 13:47:53 amon-conteneur charon: 08[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) ]
Sep 20 13:47:53 amon-conteneur charon: 08[NET] sending packet: from 192.168.0.7[500] to 192.168.0.16[500]
Sep 20 13:47:53 amon-conteneur charon: 09[NET] received packet: from 192.168.0.16[500] to 192.168.0.7[500]
Sep 20 13:47:53 amon-conteneur charon: 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Sep 20 13:47:53 amon-conteneur charon: 09[IKE] received message ID 0, expected 1. Ignored
Sep 20 13:47:53 amon-conteneur charon: 10[NET] received packet: from 192.168.0.16[500] to 192.168.0.7[500]
Sep 20 13:47:53 amon-conteneur charon: 10[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 20 13:47:53 amon-conteneur charon: 10[IKE] received AUTHENTICATION_FAILED notify error
*sun's log during ipsec start on amon-conteneur (no ipsec restart on
sun) and after database changes (change of a peer certificate):
(sun has a lot of other peer configs which can't be down during this
operation)
Sep 20 13:48:14 sun charon: 14[NET] received packet: from 192.168.0.7[500] to 192.168.0.16[500]
Sep 20 13:48:14 sun charon: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Sep 20 13:48:14 sun charon: 13[NET] received packet: from 192.168.0.7[500] to 192.168.0.16[500]
Sep 20 13:48:14 sun charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Sep 20 13:48:14 sun charon: 13[IKE] 192.168.0.7 is initiating an IKE_SA
Sep 20 13:48:14 sun charon: 14[IKE] 192.168.0.7 is initiating an IKE_SA
Sep 20 13:48:14 sun charon: 14[IKE] sending cert request for "C=fr, O=gouv, OU=education, OU=ac-dijon, CN=CA-sun-RVP"
Sep 20 13:48:14 sun charon: 14[IKE] sending cert request for "C=fr, O=gouv, CN=RACINE AGRIATES"
Sep 20 13:48:14 sun charon: 13[IKE] sending cert request for "C=fr, O=gouv, OU=education, OU=ac-dijon, CN=CA-sun-RVP"
Sep 20 13:48:14 sun charon: 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Sep 20 13:48:14 sun charon: 14[NET] sending packet: from 192.168.0.16[500] to 192.168.0.7[500]
Sep 20 13:48:14 sun charon: 13[IKE] sending cert request for "C=fr, O=gouv, CN=RACINE AGRIATES"
Sep 20 13:48:14 sun charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Sep 20 13:48:14 sun charon: 13[NET] sending packet: from 192.168.0.16[500] to 192.168.0.7[500]
Sep 20 13:48:14 sun charon: 06[NET] received packet: from 192.168.0.7[500] to 192.168.0.16[500]
Sep 20 13:48:14 sun charon: 06[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) ]
Sep 20 13:48:14 sun charon: 06[IKE] received cert request for "C=fr, O=gouv, CN=RACINE AGRIATES"
Sep 20 13:48:14 sun charon: 06[IKE] received 1 cert requests for an unknown ca
Sep 20 13:48:14 sun charon: 06[IKE] received end entity cert "C=fr, O=gouv, OU=education, OU=ac-dijon, CN=amon_conteneur"
Sep 20 13:48:14 sun charon: 06[CFG] looking for peer configs matching 192.168.0.16[C=fr, O=gouv, OU=education, OU=ac-dijon, CN=sphynx]...192.168.0.7[C=fr, O=gouv, OU=education, OU=ac-dijon, CN=amon_conteneur]
Sep 20 13:48:14 sun charon: 06[CFG] no matching peer config found
Sep 20 13:48:14 sun charon: 06[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 20 13:48:14 sun charon: 06[NET] sending packet: from 192.168.0.16[500] to 192.168.0.7[500]
Regards
Fabrice
On 20/09/2011 11:05, Martin Willi wrote:
> Hi,
>
>> It seems when certificates are added or modified in the database, they can't
>> be read until ipsec is restarted.
> Certificates are cached for performance reasons. Try "ipsec purgecerts"
> to flush the certificate cache and reread the certificate during the
> next authentication.
>
> Regards
> Martin
>
>
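The failure mode in the sun log above (a stale peer config or certificate causing "no matching peer config found" followed by AUTH_FAILED) is easy to miss on a responder that serves many peers. The following added example, not part of the post or of strongSwan, scans charon syslog lines, correlates the "looking for peer configs matching" lookup with the "no matching peer config found" result on the same worker thread, and reports the remote address and identity that was rejected. The sample log is constructed from the message formats quoted in the post; the "selected peer config" line used as the success case is an assumption about charon's wording.

```python
import re

# Constructed sample log, modelled on the charon lines quoted in the post.
# The last two lines (a successful lookup on another thread) are assumed.
SAMPLE_LOG = """\
Sep 20 13:48:14 sun charon: 06[IKE] received end entity cert "C=fr, O=gouv, OU=education, OU=ac-dijon, CN=amon_conteneur"
Sep 20 13:48:14 sun charon: 06[CFG] looking for peer configs matching 192.168.0.16[C=fr, O=gouv, OU=education, OU=ac-dijon, CN=sphynx]...192.168.0.7[C=fr, O=gouv, OU=education, OU=ac-dijon, CN=amon_conteneur]
Sep 20 13:48:14 sun charon: 06[CFG] no matching peer config found
Sep 20 13:48:14 sun charon: 06[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 20 13:48:20 sun charon: 07[CFG] looking for peer configs matching 192.168.0.16[C=fr, O=gouv, CN=other]...192.168.0.9[C=fr, O=gouv, CN=peer2]
Sep 20 13:48:20 sun charon: 07[CFG] selected peer config 'peer2'
"""

# syslog prefix + charon's "<thread>[<group>] <message>" layout
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) charon: "
    r"(?P<thread>\d+)\[(?P<group>\w+)\] (?P<msg>.*)$")
# "looking for peer configs matching <me>[<me_id>]...<other>[<other_id>]"
LOOKUP_RE = re.compile(
    r"looking for peer configs matching (?P<me>\S+)\[(?P<me_id>[^\]]*)\]"
    r"\.\.\.(?P<other>\S+)\[(?P<other_id>[^\]]*)\]")


def find_unmatched_peers(log_text):
    """Return (timestamp, remote_addr, remote_id) for every IKE_AUTH
    exchange whose peer-config lookup found nothing.

    charon handles one exchange per worker thread, so the thread number
    in the log prefix is used to tie the lookup to its outcome."""
    pending = {}   # thread id -> last lookup seen on that thread
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        thread, msg = m.group("thread"), m.group("msg")
        lk = LOOKUP_RE.search(msg)
        if lk:
            pending[thread] = (m.group("ts"), lk.group("other"), lk.group("other_id"))
        elif msg.startswith("no matching peer config found") and thread in pending:
            results.append(pending.pop(thread))
        elif msg.startswith("selected peer config"):
            pending.pop(thread, None)   # lookup succeeded, nothing to report
    return results


if __name__ == "__main__":
    for ts, addr, ident in find_unmatched_peers(SAMPLE_LOG):
        print(f"{ts}: no peer config for {addr} [{ident}]")
```

Running it against the sample flags only the amon_conteneur exchange, which is the point at which to check whether the daemon's cached view of the database (certificates included, hence "ipsec purgecerts") still matches what is on disk.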