[strongSwan] SA establishment is triggered by icmp traffic, when the rule is added for udp
divya mohan
divzsecondary at gmail.com
Tue Apr 24 07:54:23 CEST 2012
Hi,
I have established a VPN tunnel for UDP protocol between 2 hosts.
The SPD entry from initiator:
-----------------------------------------------------------------------
# setkey -DP
40.0.0.1[any] 40.0.0.2[any] udp
in priority=2678 index=0x00000378 ipsec
esp/tunnel/40.0.0.1-40.0.0.2/unique:1
created: Apr 24 08:40:36 2012 lastused:
lifetime: 0(s) validtime: 0(s)
spid=0x378 seq=1 pid=8728
refcnt=2
vrfid=0 linkvrfid=0
40.0.0.2[any] 40.0.0.1[any] udp
out priority=2678 index=0x00000371 ipsec
esp/tunnel/40.0.0.2-40.0.0.1/unique:1
created: Apr 24 08:40:36 2012 lastused:
lifetime: 0(s) validtime: 0(s)
spid=0x371 seq=2 pid=8728
refcnt=2
vrfid=0 linkvrfid=0
-----------------------------------------------------------------------
Now between these hosts, I am sending ICMP traffic.
From the tcpdump, I can see that packets are not encapsulated.
However, SA entry is getting created on both hosts.
After sending ICMP traffic, the SA entry created:
------------------------------------------------------------------------------------------------------
# setkey -D
40.0.0.2 40.0.0.1
esp mode=tunnel spi=3347534451(0xc7875273) reqid=1(0x00000001)
E: 3des-cbc 77ad598c a555de40 ab0a4abc 662b05c3 b9bdaac7 4674b1fc
A: hmac-md5 a29338a5 f5b6594f a892d40d 239bb768
seq=0x00000000 replay=32 flags=0x11000000 state=mature
created: Apr 24 08:41:28 2012 current: Apr 24 08:41:55 2012
diff: 27(s) hard: 60(s) soft: 50(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=8741 refcnt=0
vrfid=0 xvrfid=0
40.0.0.1 40.0.0.2
esp mode=tunnel spi=3328157912(0xc65fa8d8) reqid=1(0x00000001)
E: 3des-cbc 4f8498ba 9457b154 af4bf8da 5ca7427e 6c96e252 8916d550
A: hmac-md5 f4efe136 b9f08f15 b3e1afc8 0305a776
seq=0x00000000 replay=32 flags=0x10000000 state=mature
created: Apr 24 08:41:28 2012 current: Apr 24 08:41:55 2012
diff: 27(s) hard: 60(s) soft: 49(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=8741 refcnt=0
vrfid=0 xvrfid=0
------------------------------------------------------------------------------------------------------
From the charon logs of the initiator, I can see that XFRM ACQUIRE
message is being sent to charon when ICMP traffic is sent.
-----------------------------------------------------------------------
Apr 24 08:41:26.863523 info charon: 02[KNL] received a XFRM_MSG_ACQUIRE
Apr 24 08:41:26.907448 info charon: 02[KNL] creating acquire job for
policy 40.0.0.2/32[udp/55254] === 40.0.0.1/32[udp/blackjack] with
reqid {1}
Apr 24 08:41:26.930621 info charon: 14[MGR] created IKE_SA
-----------------------------------------------------------------------
Is this normal?
Why is SA getting created by ICMP traffic, when the rule is added only
for UDP traffic?
Regards,
Divya
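To see which SPD entry an acquire job actually matched, and what protocol and ports the kernel put in the acquired selector, here is an added Python example (not from the post or from strongSwan). The sample SPD lines and the charon log line are copied from the dumps above; the service-name map is an assumption, with only the name that appears on the page.

```python
import re

# Constructed sample: the two SPD selectors from `setkey -DP` above (trailing fields omitted).
SPD_DUMP = """\
40.0.0.1[any] 40.0.0.2[any] udp
in priority=2678 index=0x00000378 ipsec
esp/tunnel/40.0.0.1-40.0.0.2/unique:1
40.0.0.2[any] 40.0.0.1[any] udp
out priority=2678 index=0x00000371 ipsec
esp/tunnel/40.0.0.2-40.0.0.1/unique:1
"""
# Constructed sample: the charon acquire line from the post, re-joined onto one line.
ACQUIRE_LOG = ("Apr 24 08:41:26.907448 info charon: 02[KNL] creating acquire job for "
               "policy 40.0.0.2/32[udp/55254] === 40.0.0.1/32[udp/blackjack] with reqid {1}")

# charon prints well-known ports by service name; assumed map, only the name seen on the page.
SERVICES = {"blackjack": 1025}

POLICY_RE = re.compile(r"^(\S+)\[(\S+)\] (\S+)\[(\S+)\] (\S+)$")
ACQUIRE_RE = re.compile(r"policy (\S+?)/\d+\[(\w+)/(\w+)\] === (\S+?)/\d+\[(\w+)/(\w+)\]")

def parse_spd(dump):
    """One dict per SPD entry: selector line plus direction and index from the line after it."""
    lines = [l.strip() for l in dump.splitlines()]
    entries = []
    for i, line in enumerate(lines):
        m = POLICY_RE.match(line)
        if m and i + 1 < len(lines):
            src, sport, dst, dport, proto = m.groups()
            attrs = lines[i + 1].split()
            idx = re.search(r"index=(\S+)", lines[i + 1])
            entries.append({"src": src, "sport": sport, "dst": dst, "dport": dport,
                            "proto": proto, "dir": attrs[0], "index": idx.group(1) if idx else None})
    return entries

def parse_acquire(line):
    """Selector the kernel acquired: addresses, protocol and numeric ports of the triggering packet."""
    m = ACQUIRE_RE.search(line)
    if not m:
        return None
    src, proto, sport, dst, _, dport = m.groups()
    port = lambda p: SERVICES.get(p, int(p) if p.isdigit() else p)
    return {"src": src, "dst": dst, "proto": proto, "sport": port(sport), "dport": port(dport)}

def matching_policies(acq, spd):
    """SPD entries whose addresses, protocol and ports cover the acquire ('any' covers every port)."""
    port_ok = lambda rule, val: rule == "any" or str(val) == rule
    return [e for e in spd if e["src"] == acq["src"] and e["dst"] == acq["dst"]
            and e["proto"] == acq["proto"]
            and port_ok(e["sport"], acq["sport"]) and port_ok(e["dport"], acq["dport"])]
```

Run `matching_policies(parse_acquire(ACQUIRE_LOG), parse_spd(SPD_DUMP))` to print the covering entry; an empty list means the acquire's selector is not explained by the dumped SPD and the policy that fired must be looked for elsewhere (e.g. with `ip xfrm policy`).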