[strongSwan] Packets are getting dropped after IPsec service has been stopped in Strongswan.

Anonymous cross anonymouscross at gmail.com
Wed May 2 16:45:51 CEST 2012


Hi All,
  I formed a site-to-site tunnel between router1 and router2. I have stopped
the ipsec service (ipsec stop) on router2.
After the IPsec service has been stopped, packets are getting dropped on
router1 and are not reaching router2.

Please find configuration and the logs below.
Router1
++++++
conn fqdn2_strongwantostrongswan
    type=tunnel
    keyexchange=ikev1
    left=%defaultroute
    leftid=@cross@tos.com
    right=172.31.114.227
    leftsubnet=0.0.0.0/0
    auth=esp
    authby=secret
    rekey=yes
    auto=add

Router2
++++++
ipsec.conf
conn fqdn2_stronswantostrongswan
    type=tunnel
    keyexchange=ikev1
    left=172.31.114.227
    right=%any
    rightid=@cross@tos.com
    auth=esp
    authby=secret
    rekey=no
    auto=add
Router 1 logs
++++++++++
[root at localhost LR]# ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 4.6.2 IPsec [starter]...
[root at localhost LR]# ipsec up fqdn2_strongwantostrongswan
002 "fqdn2_strongwantostrongswan" #1: initiating Main Mode
102 "fqdn2_strongwantostrongswan" #1: STATE_MAIN_I1: initiate
003 "fqdn2_strongwantostrongswan" #1: received Vendor ID payload
[strongSwan]
003 "fqdn2_strongwantostrongswan" #1: ignoring Vendor ID payload
[Cisco-Unity]
003 "fqdn2_strongwantostrongswan" #1: received Vendor ID payload [XAUTH]
003 "fqdn2_strongwantostrongswan" #1: received Vendor ID payload [Dead Peer
Detection]
003 "fqdn2_strongwantostrongswan" #1: received Vendor ID payload [RFC 3947]
002 "fqdn2_strongwantostrongswan" #1: enabling possible NAT-traversal with
method 3
104 "fqdn2_strongwantostrongswan" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "fqdn2_strongwantostrongswan" #1: NAT-Traversal: Result using RFC 3947:
no NAT detected
106 "fqdn2_strongwantostrongswan" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "fqdn2_strongwantostrongswan" #1: Peer ID is ID_IPV4_ADDR:
'172.31.114.227'
002 "fqdn2_strongwantostrongswan" #1: ISAKMP SA established
004 "fqdn2_strongwantostrongswan" #1: STATE_MAIN_I4: ISAKMP SA established
002 "fqdn2_strongwantostrongswan" #2: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
110 "fqdn2_strongwantostrongswan" #2: STATE_QUICK_I1: initiate
002 "fqdn2_strongwantostrongswan" #2: sent QI2, IPsec SA established
{ESP=>0xce188de5 <0xcb088978}
004 "fqdn2_strongwantostrongswan" #2: STATE_QUICK_I2: sent QI2, IPsec SA
established {ESP=>0xce188de5 <0xcb088978}
[root at localhost LR]# tail -f /var/log/secure
May  2 20:31:27 localhost pluto[870]: "fqdn2_strongwantostrongswan" #1:
received Vendor ID payload [RFC 3947]
May  2 20:31:27 localhost pluto[870]: "fqdn2_strongwantostrongswan" #1:
enabling possible NAT-traversal with method 3
May  2 20:31:27 localhost pluto[870]: "fqdn2_strongwantostrongswan" #1:
NAT-Traversal: Result using RFC 3947: no NAT detected
May  2 20:31:27 localhost pluto[870]: "fqdn2_strongwantostrongswan" #1:
Peer ID is ID_IPV4_ADDR: '172.31.114.227'
May  2 20:31:27 localhost pluto[870]: "fqdn2_strongwantostrongswan" #1:
ISAKMP SA established
May  2 20:31:27 localhost pluto[870]: "fqdn2_strongwantostrongswan" #2:
initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
May  2 20:31:27 localhost pluto[870]: "fqdn2_strongwantostrongswan" #2:
sent QI2, IPsec SA established {ESP=>0xce188de5 <0xcb088978}
May  2 20:32:55 localhost pluto[870]: "fqdn2_strongwantostrongswan" #1:
received Delete SA payload: replace IPSEC State #2 in 10 seconds
May  2 20:32:55 localhost pluto[870]: "fqdn2_strongwantostrongswan" #1:
received Delete SA payload: deleting ISAKMP State #1
May  2 20:33:05 localhost pluto[870]: "fqdn2_strongwantostrongswan" #3:
initiating Main Mode
[root at localhost LR]# ip xfrm state
[root at localhost LR]# tail -f /var/log/secure
May  2 20:31:27 localhost pluto[870]: "fqdn2_strongwantostrongswan" #1:
enabling possible NAT-traversal with method 3
May  2 20:31:27 localhost pluto[870]: "fqdn2_strongwantostrongswan" #1:
NAT-Traversal: Result using RFC 3947: no NAT detected
May  2 20:31:27 localhost pluto[870]: "fqdn2_strongwantostrongswan" #1:
Peer ID is ID_IPV4_ADDR: '172.31.114.227'
May  2 20:31:27 localhost pluto[870]: "fqdn2_strongwantostrongswan" #1:
ISAKMP SA established
May  2 20:31:27 localhost pluto[870]: "fqdn2_strongwantostrongswan" #2:
initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
May  2 20:31:27 localhost pluto[870]: "fqdn2_strongwantostrongswan" #2:
sent QI2, IPsec SA established {ESP=>0xce188de5 <0xcb088978}
May  2 20:32:55 localhost pluto[870]: "fqdn2_strongwantostrongswan" #1:
received Delete SA payload: replace IPSEC State #2 in 10 seconds
May  2 20:32:55 localhost pluto[870]: "fqdn2_strongwantostrongswan" #1:
received Delete SA payload: deleting ISAKMP State #1
May  2 20:33:05 localhost pluto[870]: "fqdn2_strongwantostrongswan" #3:
initiating Main Mode
May  2 20:33:15 localhost pluto[870]: "fqdn2_strongwantostrongswan" #2:
IPsec SA expired (LATEST!)

[root at localhost LR]# ip xfrm policy
src 172.31.114.226/32 dst 172.31.114.227/32
    dir out priority 3843 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 0 mode transport
src 172.31.114.227/32 dst 172.31.114.226/32
    dir fwd priority 1795 ptype main
    tmpl src 172.31.114.227 dst 172.31.114.226
        proto esp reqid 16388 mode tunnel
src 172.31.114.227/32 dst 172.31.114.226/32
    dir in priority 1795 ptype main
    tmpl src 172.31.114.227 dst 172.31.114.226
        proto esp reqid 16388 mode tunnel
src ::/0 dst ::/0
   dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 3 priority 0 ptype main

Router2 logs
++++++++++
[root at uxcasxxx Cassidian_RBP_dev]# ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 4.6.2 IPsec [starter]...
[root at uxcasxxx Cassidian_RBP_dev]# tail -f /var/log/secure
May  2 18:09:51 uxcasxxx pluto[25047]: packet from 172.31.114.226:500:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
May  2 18:09:51 uxcasxxx pluto[25047]: packet from 172.31.114.226:500:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
May  2 18:09:51 uxcasxxx pluto[25047]: packet from 172.31.114.226:500:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
May  2 18:09:51 uxcasxxx pluto[25047]: packet from 172.31.114.226:500:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
May  2 18:09:51 uxcasxxx pluto[25047]: "fqdn2_stronswantostrongswan"[1]
172.31.114.226 #1: responding to Main Mode from unknown peer 172.31.114.226
May  2 18:09:51 uxcasxxx pluto[25047]: "fqdn2_stronswantostrongswan"[1]
172.31.114.226 #1: NAT-Traversal: Result using RFC 3947: no NAT detected
May  2 18:09:51 uxcasxxx pluto[25047]: "fqdn2_stronswantostrongswan"[1]
172.31.114.226 #1: Peer ID is ID_FQDN: 'cross@tos.com'
May  2 18:09:51 uxcasxxx pluto[25047]: "fqdn2_stronswantostrongswan"[1]
172.31.114.226 #1: sent MR3, ISAKMP SA established
May  2 18:09:51 uxcasxxx pluto[25047]: "fqdn2_stronswantostrongswan"[1]
172.31.114.226 #2: responding to Quick Mode
May  2 18:09:52 uxcasxxx pluto[25047]: "fqdn2_stronswantostrongswan"[1]
172.31.114.226 #2: IPsec SA established {ESP=>0xcb088978 <0xce188de5}
^C
[root at uxcasxxx Cassidian_RBP_dev]# ipsec stop
Stopping strongSwan IPsec...
[root at uxcasxxx Cassidian_RBP_dev]# ip xfrm state
[root at uxcasxxx Cassidian_RBP_dev]# ip xfrm policy

-- 
Regards,
Anonymous cross.
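Added example for this post (not code from the original message or from the strongSwan project): a small Python script that cross-checks the `ip xfrm policy` and `ip xfrm state` output shown above and scans the pluto log for the lines at which the SAs were removed. The policy text is router1's output from the post; the "tunnel up" state table, the log lines rejoined onto single lines, and the rule used to decide whether a template is satisfied by an SA are constructed assumptions of this example.

```python
"""Cross-check `ip xfrm policy` against `ip xfrm state` and locate SA
teardown in a pluto log.  Added example, not from the original post or from
strongSwan.  An outbound policy whose template has no SA makes the kernel
drop matching traffic instead of sending it in clear; this script lists
such policies and the log lines that explain when the SAs went away."""
import re

# Constructed sample: router1's `ip xfrm policy` output from the post,
# reduced to the three template-bearing policies plus one socket policy.
POLICY_OUTPUT = """\
src 172.31.114.226/32 dst 172.31.114.227/32
    dir out priority 3843 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 0 mode transport
src 172.31.114.227/32 dst 172.31.114.226/32
    dir fwd priority 1795 ptype main
    tmpl src 172.31.114.227 dst 172.31.114.226
        proto esp reqid 16388 mode tunnel
src 172.31.114.227/32 dst 172.31.114.226/32
    dir in priority 1795 ptype main
    tmpl src 172.31.114.227 dst 172.31.114.226
        proto esp reqid 16388 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 3 priority 0 ptype main
"""
# Constructed `ip xfrm state` while the tunnel is up: SPIs and reqid come
# from the post, key material lines are omitted.
STATE_OUTPUT_UP = """\
src 172.31.114.226 dst 172.31.114.227
    proto esp spi 0xce188de5 reqid 16388 mode tunnel
src 172.31.114.227 dst 172.31.114.226
    proto esp spi 0xcb088978 reqid 16388 mode tunnel
"""
STATE_OUTPUT_DOWN = ""  # what the post shows on router1 after the peer's `ipsec stop`
# Router1 log lines from the post, rejoined onto single lines (constructed).
LOG_SAMPLE = """\
May  2 20:31:27 localhost pluto[870]: "fqdn2_strongwantostrongswan" #2: sent QI2, IPsec SA established {ESP=>0xce188de5 <0xcb088978}
May  2 20:32:55 localhost pluto[870]: "fqdn2_strongwantostrongswan" #1: received Delete SA payload: replace IPSEC State #2 in 10 seconds
May  2 20:32:55 localhost pluto[870]: "fqdn2_strongwantostrongswan" #1: received Delete SA payload: deleting ISAKMP State #1
May  2 20:33:05 localhost pluto[870]: "fqdn2_strongwantostrongswan" #3: initiating Main Mode
May  2 20:33:15 localhost pluto[870]: "fqdn2_strongwantostrongswan" #2: IPsec SA expired (LATEST!)
"""

POLICY_RE = re.compile(r"src (\S+) dst (\S+)")
DIR_RE = re.compile(r"dir (\S+) priority (\d+)")
TMPL_RE = re.compile(r"proto (\S+) reqid (\d+) mode (\S+)")
STATE_RE = re.compile(r"proto (\S+) spi (0x[0-9a-f]+) reqid (\d+) mode (\S+)")
LOG_RE = re.compile(r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: "([^"]+)" #\d+: (.*)$')
TEARDOWN_MARKERS = ("received Delete SA payload", "IPsec SA expired")


def parse_policies(text):
    """One dict per policy: selector, direction, priority and ESP template."""
    policies, cur = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if line[:1] not in (" ", "\t") and POLICY_RE.match(stripped):
            m = POLICY_RE.match(stripped)  # unindented "src ... dst ..." opens a policy
            cur = {"src": m.group(1), "dst": m.group(2), "dir": None, "tmpl": None}
            policies.append(cur)
        elif cur is not None and DIR_RE.match(stripped):
            m = DIR_RE.match(stripped)
            cur["dir"], cur["priority"] = m.group(1), int(m.group(2))
        elif cur is not None and TMPL_RE.match(stripped):
            m = TMPL_RE.match(stripped)
            cur["tmpl"] = {"proto": m.group(1), "reqid": int(m.group(2)), "mode": m.group(3)}
    return policies


def parse_states(text):
    """One dict per SA with proto, SPI, reqid and mode."""
    matches = (STATE_RE.match(l.strip()) for l in text.splitlines())
    return [{"proto": m.group(1), "spi": m.group(2), "reqid": int(m.group(3)),
             "mode": m.group(4)} for m in matches if m]


def policies_without_sa(policies, states):
    """Policies whose ESP template no installed SA satisfies.

    Assumption of this example: an SA satisfies a template when proto and mode
    match and the template's reqid is 0 or equal to the SA's reqid.  Policies
    without a template (socket/bypass entries, dir 3/4) are skipped."""
    unsatisfied = []
    for p in policies:
        t = p["tmpl"]
        if t is None:
            continue
        if not any(s["proto"] == t["proto"] and s["mode"] == t["mode"]
                   and t["reqid"] in (0, s["reqid"]) for s in states):
            unsatisfied.append(p)
    return unsatisfied


def sa_teardown_events(log_text):
    """(timestamp, connection, message) for pluto lines that remove SAs."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and any(k in m.group(3) for k in TEARDOWN_MARKERS):
            events.append((m.group(1), m.group(2), m.group(3)))
    return events


if __name__ == "__main__":
    pols = parse_policies(POLICY_OUTPUT)
    for label, text in (("tunnel up", STATE_OUTPUT_UP), ("peer stopped", STATE_OUTPUT_DOWN)):
        gaps = policies_without_sa(pols, parse_states(text))
        print(f"{label}: {len(gaps)} policy/policies without a matching SA")
        for p in gaps:
            print(f"  dir {p['dir']} {p['src']} -> {p['dst']} tmpl {p['tmpl']}")
    for ts, conn, msg in sa_teardown_events(LOG_SAMPLE):
        print(f"{ts} {conn}: {msg}")
```

On the post's data the state table is empty, so every template-bearing policy is reported as unsatisfied: router1 still holds the policies, but without SAs it has nothing to protect the traffic with and drops it rather than leaking it unencrypted, which is the fail-closed behaviour you want from a VPN gateway. The log scan pins the transition to 20:32:55 (the peer's Delete SA payloads on `ipsec stop`) and 20:33:15 (the old IPsec SA expiring), with router1's Main Mode retry in between.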