[strongSwan] Charon hangs after failing to delete Rekeyed IPsec SAs

anand rao anandrao_me at yahoo.co.in
Mon Mar 19 14:48:53 CET 2012


Hi,

I am using strongSwan 4.3.6.
I have configured two peers to establish a tunnel in tunnel mode.

Here is the configuration in ipsec.conf:

config setup
    strictcrlpolicy=no
    crlcheckinterval=180
    plutostart=yes
    charonstart=yes
    nat_traversal=yes

conn %default
    ikelifetime=10m
    keylife=5m
    rekeymargin=3m
    keyingtries=1

conn togw2-preshared-static
    left=172.17.10.1
    leftsubnet=192.168.1.0/24
    right=172.17.10.2
    rightsubnet=192.168.2.0/24
    authby=secret
    type=tunnel
    keyexchange=ikev2
    pfs=yes
    auto=route

ipsec.secrets is configured with:

172.17.10.1 172.17.10.2 : PSK "123456"


and vice versa on the other gateway.

After rekeying has been happening for some time, "ipsec statusall" shows too many redundant SAs:

root@OpenWrt:/# ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.3.6):
000 interface eth2/eth2 fec0::ef01:500
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 172.17.10.1:4500
000 interface eth0/eth0 172.17.10.1:500
000 interface eth2/eth2 192.168.1.1:4500
000 interface eth2/eth2 192.168.1.1:500
000 interface eth1/eth1 169.254.0.1:4500
000 interface eth1/eth1 169.254.0.1:500
000 interface ath0/ath0 192.168.3.1:4500
000 interface ath0/ath0 192.168.3.1:500
000 %myid = '%any'
000 loaded plugins: blowfish random x509 pubkey pkcs1 pgp dnskey pem openssl hmac gmp 
000 debug options: none
000 
000 192.168.1.5/32:1024 -> 192.168.2.5/32:1025 => %hold:17 0    %acquire-netlink
000 192.168.1.5/32:1024 -> 192.168.2.5/32:1025 => %hold:17 0    %acquire-netlink
000 192.168.1.5/32:1024 -> 192.168.2.5/32:1025 => %hold:17 0    %acquire-netlink
000 192.168.1.5/32:1024 -> 192.168.2.5/32:1025 => %hold:17 0    %acquire-netlink
000 192.168.1.5/32:1024 -> 192.168.2.5/32:1025 => %hold:17 0    %acquire-netlink
000 192.168.1.5/32:1024 -> 192.168.2.5/32:1025 => %hold:17 0    %acquire-netlink
000 192.168.1.5/32:1024 -> 192.168.2.5/32:1025 => %hold:17 0    %acquire-netlink
000 192.168.1.5/32:1024 -> 192.168.2.5/32:1025 => %hold:17 0    %acquire-netlink
000 
Status of IKEv2 charon daemon (strongSwan 4.3.6):
  uptime: 27 minutes, since Jan 01 00:02:35 1970
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 15
  loaded plugins: blowfish random x509 pubkey pkcs1 pgp dnskey pem openssl hmac gmp kernel-pfkey kernel-netlink stroke updown 
Listening IP addresses:
  172.17.10.1
  fec0::ee01
  192.168.1.1
  fec0::ef01
  169.254.0.1
  192.168.3.1
Connections:
     example:  172.17.10.1...172.17.10.2
     example:   local:  [172.17.10.1] uses pre-shared key authentication
     example:   remote: [172.17.10.2] uses any authentication
     example:   child:  192.168.1.0/24 === 192.168.2.0/24 
Routed Connections:
     example{1}:  ROUTED, TUNNEL
     example{1}:   192.168.1.0/24 === 192.168.2.0/24 
Security Associations:
     example[18]: ESTABLISHED 2 minutes ago, 172.17.10.1[172.17.10.1]...172.17.10.2[172.17.10.2]
     example[18]: IKE SPIs: dc59b91d11efff61_i* 6a7c9d0c4baa6fee_r, pre-shared key reauthentication in 69 seconds
     example[18]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
     example{72}:  INSTALLED, TUNNEL, ESP SPIs: c1066824_i c8401578_o
     example{72}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
     example{72}:   192.168.1.0/24 === 192.168.2.0/24 
     example{69}:  INSTALLED, TUNNEL, ESP SPIs: c804f48d_i c7613ef6_o
     example{69}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
     example{69}:   192.168.1.0/24 === 192.168.2.0/24 
     example{68}:  INSTALLED, TUNNEL, ESP SPIs: c6c2bc8b_i c1492309_o
     example{68}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 35 seconds
     example{68}:   192.168.1.0/24 === 192.168.2.0/24 
     example{71}:  INSTALLED, TUNNEL, ESP SPIs: ca09c3c8_i c6e31f4f_o
     example{71}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
     example{71}:   192.168.1.0/24 === 192.168.2.0/24 
     example{67}:  INSTALLED, TUNNEL, ESP SPIs: cd291289_i ccc48799_o
     example{67}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 27 seconds
     example{67}:   192.168.1.0/24 === 192.168.2.0/24 
     example{1}:  DELETING, TUNNEL
     example{1}:   192.168.1.0/24 === 192.168.2.0/24 
     example{66}:  INSTALLED, TUNNEL, ESP SPIs: c6acaae5_i c803718c_o
     example{66}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 40 seconds
     example{66}:   192.168.1.0/24 === 192.168.2.0/24 
     example{70}:  INSTALLED, TUNNEL, ESP SPIs: c18acdfa_i c5521cc1_o
     example{70}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 31 seconds
     example{70}:   192.168.1.0/24 === 192.168.2.0/24 
     example{1}:  INSTALLED, TUNNEL, ESP SPIs: c09666dd_i c1eae11a_o
     example{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 106 seconds
     example{1}:   192.168.1.0/24 === 192.168.2.0/24 
     example[19]: ESTABLISHED 80 seconds ago, 172.17.10.1[172.17.10.1]...172.17.10.2[172.17.10.2]
     example[19]: IKE SPIs: 15f2e517955a7480_i ac3470318efa26c0_r*, pre-shared key reauthentication in 4 minutes
     example[19]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
     example{74}:  INSTALLED, TUNNEL, ESP SPIs: c4392c72_i c6d9b5c0_o
     example{74}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
     example{74}:   192.168.1.0/24 === 192.168.2.0/24 
     example{77}:  INSTALLED, TUNNEL, ESP SPIs: c75c4ff1_i c32e1f5e_o
     example{77}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
     example{77}:   192.168.1.0/24 === 192.168.2.0/24 
     example{76}:  REKEYING, TUNNEL
     example{76}:   192.168.1.0/24 === 192.168.2.0/24 
     example{78}:  INSTALLED, TUNNEL, ESP SPIs: cf88ef64_i c9755fae_o
     example{78}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 67 seconds
     example{78}:   192.168.1.0/24 === 192.168.2.0/24 
     example{73}:  INSTALLED, TUNNEL, ESP SPIs: c3ee8fae_i c811062b_o
     example{73}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
     example{73}:   192.168.1.0/24 === 192.168.2.0/24 
     example{75}:  INSTALLED, TUNNEL, ESP SPIs: c36ae855_i c72457df_o
     example{75}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 41 seconds
     example{75}:   192.168.1.0/24 === 192.168.2.0/24 

Because of these redundant SAs, which are trying to rekey again, after some time charon hangs and sends corrupted/malformed messages, and traffic stops.

Please help.

Thanks,
Anand
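Added example, not code from the post or from strongSwan: two checks a practitioner would run on the material above. The first applies the rule from ipsec.conf(5) that the rekey margin, after the random increase by rekeyfuzz (charon's default is 100%), must not exceed the lifetime; with the posted keylife=5m and rekeymargin=3m the randomized margin can reach 6m, so a CHILD_SA can be due for rekeying the moment it is installed. The second parses `ipsec statusall` output and groups CHILD_SAs under their IKE_SA, flagging INSTALLED CHILD_SAs that show "rekeying disabled" beside a newer INSTALLED one; treating those as already-replaced leftovers is this example's heuristic, not a strongSwan definition. The line patterns are modelled on the 4.x output in the post, and SAMPLE is a trimmed excerpt of it.

```python
"""Added example (not from the post or strongSwan): check ipsec.conf rekey
timers and count CHILD_SAs per IKE_SA in `ipsec statusall` output.
Assumption (ipsec.conf(5)): rekeymargin is randomly increased by up to
rekeyfuzz (default 100%) and the increased margin must not exceed keylife.
Line formats are modelled on the strongSwan 4.x output in the post."""
import re

RE_IKE = re.compile(r'^\s*(\S+)\[(\d+)\]:\s+ESTABLISHED')
RE_CHILD = re.compile(r'^\s*(\S+)\{(\d+)\}:\s+(INSTALLED|REKEYING|DELETING)')
RE_REKEY = re.compile(r'rekeying (disabled|in (\d+) seconds)')
UNITS = {'': 1, 's': 1, 'm': 60, 'h': 3600, 'd': 86400}


def parse_time(value):
    """ipsec.conf time value ('5m', '30s', '1h', '600') -> seconds."""
    m = re.fullmatch(r'(\d+)([smhd]?)', value.strip())
    if not m:
        raise ValueError(f'bad time value: {value!r}')
    return int(m.group(1)) * UNITS[m.group(2)]


def check_rekey_timers(keylife, rekeymargin, rekeyfuzz_percent=100):
    """Return (ok, earliest_rekey_s, latest_rekey_s) for a CHILD_SA.
    Rekeying starts at keylife - margin, margin being rekeymargin increased
    by a random fraction of rekeyfuzz. A negative earliest time means the SA
    is due for rekeying as soon as it is installed (the posted 5m/3m case)."""
    life, margin = parse_time(keylife), parse_time(rekeymargin)
    max_margin = margin * (100 + rekeyfuzz_percent) // 100
    return max_margin <= life, life - max_margin, life - margin


def child_sas_per_ike_sa(statusall_text):
    """Map 'name[n]' of each ESTABLISHED IKE_SA to its CHILD_SAs as
    [child_name, state, seconds_until_rekey_or_None]. CHILD_SA lines belong
    to the IKE_SA printed before them; 'Routed Connections' entries, which
    precede any IKE_SA, are skipped."""
    result, current, child = {}, None, None
    for line in statusall_text.splitlines():
        m = RE_IKE.match(line)
        if m:
            current = f'{m.group(1)}[{m.group(2)}]'
            result[current], child = [], None
            continue
        m = RE_CHILD.match(line)
        if m and current is not None:
            child = [f'{m.group(1)}{{{m.group(2)}}}', m.group(3), None]
            result[current].append(child)
            continue
        m = RE_REKEY.search(line)  # second line of a CHILD_SA entry
        if m and child is not None:
            child[2] = None if m.group(1) == 'disabled' else int(m.group(2))
    return result


def leftover_child_sas(statusall_text):
    """Heuristic of this example: an INSTALLED CHILD_SA with 'rekeying
    disabled' beside a newer INSTALLED one under the same IKE_SA was already
    replaced and should have been deleted; many of them is the accumulation
    seen in the post. Returns {ike_sa: [stale child names]}."""
    leftovers = {}
    for ike, children in child_sas_per_ike_sa(statusall_text).items():
        installed = [c for c in children if c[1] == 'INSTALLED']
        stale = [c[0] for c in installed if c[2] is None]
        if stale and len(installed) > len(stale):
            leftovers[ike] = stale
    return leftovers


# Trimmed excerpt of the statusall output in the post.
SAMPLE = """\
Security Associations:
     example[18]: ESTABLISHED 2 minutes ago, 172.17.10.1[172.17.10.1]...172.17.10.2[172.17.10.2]
     example[18]: IKE SPIs: dc59b91d11efff61_i* 6a7c9d0c4baa6fee_r, pre-shared key reauthentication in 69 seconds
     example{72}:  INSTALLED, TUNNEL, ESP SPIs: c1066824_i c8401578_o
     example{72}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
     example{72}:   192.168.1.0/24 === 192.168.2.0/24
     example{68}:  INSTALLED, TUNNEL, ESP SPIs: c6c2bc8b_i c1492309_o
     example{68}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 35 seconds
     example{1}:  DELETING, TUNNEL
     example[19]: ESTABLISHED 80 seconds ago, 172.17.10.1[172.17.10.1]...172.17.10.2[172.17.10.2]
     example{74}:  INSTALLED, TUNNEL, ESP SPIs: c4392c72_i c6d9b5c0_o
     example{74}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
     example{76}:  REKEYING, TUNNEL
     example{78}:  INSTALLED, TUNNEL, ESP SPIs: cf88ef64_i c9755fae_o
     example{78}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 67 seconds
"""

if __name__ == '__main__':
    print('keylife=5m rekeymargin=3m rekeyfuzz=100%:', check_rekey_timers('5m', '3m'))
    print('keylife=5m rekeymargin=3m rekeyfuzz=0%:  ', check_rekey_timers('5m', '3m', 0))
    for ike, children in child_sas_per_ike_sa(SAMPLE).items():
        print(ike, [(c[0], c[1]) for c in children])
    print('leftover CHILD_SAs:', leftover_child_sas(SAMPLE))
```

Run it against a live `ipsec statusall` capture by feeding the text to child_sas_per_ike_sa; the timer check takes the values straight from the conn section, so it can be reused for ikelifetime/rekeymargin as well (the posted 10m/3m pair passes the same rule).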
