[strongSwan] SAD and SPD are not deleted properly on getting delete payload from peer for IKEv2

Anonymous cross anonymouscross at gmail.com
Tue May 8 21:41:14 CEST 2012


Hi Friends,
   We formed a site-to-site IPsec tunnel between Cisco and strongSwan using
IKEv2:

Router1 (Cisco) ------------- Router2 (strongSwan)

I stopped the IPsec service in Cisco and it's sending a delete payload to
strongSwan. But strongSwan is not deleting the SAD and SPD properly; they
linger in the kernel. Please help me out on this.
Please find the configurations and logs below.

ipsec.conf
___________
config setup
        plutostart=yes
        plutodebug=all
        charonstart=yes
        charondebug=all
        nat_traversal=yes
        crlcheckinterval=10m
        strictcrlpolicy=no

conn %default
        ikelifetime=15m
        keylife=2m
        keyingtries=1

conn fqdn_vr
        type=tunnel
        keyexchange=ikev1
        left=172.31.114.227
        right=%any
        rightsubnet=0.0.0.0/0
        rightid=divya at cas.com
        auth=esp
        authby=secret
        pfs=no
        rekey=no
        auto=add

Logs
++++++
/var/log/messages
___________
May  9 00:41:53 uxcasxxx charon: 12[CFG] received stroke: add connection 'fqdn_vr'
May  9 00:41:53 uxcasxxx charon: 12[CFG] added configuration 'fqdn_vr'
May  9 00:42:10 uxcasxxx charon: 15[NET] received packet: from 172.31.114.211[500] to 172.31.114.227[500]
May  9 00:42:10 uxcasxxx charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
May  9 00:42:10 uxcasxxx charon: 15[IKE] 172.31.114.211 is initiating an IKE_SA
May  9 00:42:10 uxcasxxx charon: 15[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
May  9 00:42:10 uxcasxxx charon: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
May  9 00:42:10 uxcasxxx charon: 15[NET] sending packet: from 172.31.114.227[500] to 172.31.114.211[500]
May  9 00:42:10 uxcasxxx charon: 07[NET] received packet: from 172.31.114.211[500] to 172.31.114.227[500]
May  9 00:42:10 uxcasxxx charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr ]
May  9 00:42:10 uxcasxxx charon: 07[CFG] looking for peer configs matching 172.31.114.227[%any]...172.31.114.211[divya at cas.com]
May  9 00:42:10 uxcasxxx charon: 07[CFG] selected peer config 'fqdn_vr'
May  9 00:42:10 uxcasxxx charon: 07[IKE] authentication of 'divya at cas.com' with pre-shared key successful
May  9 00:42:10 uxcasxxx charon: 07[IKE] authentication of '172.31.114.227' (myself) with pre-shared key
May  9 00:42:10 uxcasxxx charon: 07[IKE] IKE_SA fqdn_vr[1] established between 172.31.114.227[172.31.114.227]...172.31.114.211[divya at cas.com]
May  9 00:42:10 uxcasxxx charon: 07[IKE] CHILD_SA fqdn_vr{1} established with SPIs c307376c_i 7ac0291f_o and TS 172.31.114.227/32 === 0.0.0.0/0
May  9 00:42:10 uxcasxxx charon: 07[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
May  9 00:42:10 uxcasxxx charon: 07[NET] sending packet: from 172.31.114.227[500] to 172.31.114.211[500]
May  9 00:42:42 uxcasxxx charon: 08[NET] received packet: from 172.31.114.211[500] to 172.31.114.227[500]
May  9 00:42:42 uxcasxxx charon: 08[ENC] parsed INFORMATIONAL request 1 [ D ]
May  9 00:42:42 uxcasxxx charon: 08[IKE] received retransmit of request with ID 1, retransmitting response
May  9 00:42:42 uxcasxxx charon: 08[NET] sending packet: from 172.31.114.227[500] to 172.31.114.211[500]
May  9 00:42:42 uxcasxxx charon: 10[NET] received packet: from 172.31.114.211[500] to 172.31.114.227[500]
May  9 00:42:42 uxcasxxx charon: 10[ENC] parsed IKE_AUTH response 1 [ N(TS_UNACCEPT) ]
May  9 00:42:42 uxcasxxx charon: 10[IKE] received message ID 1, expected 0. Ignored
/var/log/secure
__________
May  9 00:41:53 uxcasxxx pluto[4608]: certificate is invalid (valid from Mar 28 19:21:50 2012 to Apr 27 19:21:50 2012)
May  9 00:41:53 uxcasxxx pluto[4608]: added connection description "cisco-vpn"
May  9 00:41:53 uxcasxxx pluto[4608]: | 0.0.0.0/0===172.31.114.227[C=CH, O=strongSwan, CN=strongswan]...%any[C=CH, O=strongSwan, CN=*]===%addrpool
May  9 00:41:53 uxcasxxx pluto[4608]: | ike_life: 900s; ipsec_life: 120s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1; policy: ENCRYPT+TUNNEL+XAUTHRSASIG+XAUTHSERVER
May  9 00:41:53 uxcasxxx pluto[4608]: | next event EVENT_REINIT_SECRET in 3600 seconds
May  9 00:41:53 uxcasxxx pluto[4608]: |
May  9 00:41:53 uxcasxxx pluto[4608]: | *received whack message
May  9 00:41:53 uxcasxxx pluto[4608]: | from whack: got --esp=aes128-sha1,3des-sha1
May  9 00:41:53 uxcasxxx pluto[4608]: | esp alg added: AES_CBC_128/HMAC_SHA1, cnt=1
May  9 00:41:53 uxcasxxx pluto[4608]: | esp alg added: 3DES_CBC_0/HMAC_SHA1, cnt=2
May  9 00:41:53 uxcasxxx pluto[4608]: | esp proposal: AES_CBC_128/HMAC_SHA1, 3DES_CBC/HMAC_SHA1,
May  9 00:41:53 uxcasxxx pluto[4608]: | from whack: got --ike=aes128-sha1-modp2048,3des-sha1-modp1536
May  9 00:41:53 uxcasxxx pluto[4608]: | ikg alg added: AES_CBC_128/HMAC_SHA1/MODP_2048, cnt=1
May  9 00:41:53 uxcasxxx pluto[4608]: | ikg alg added: 3DES_CBC_0/HMAC_SHA1/MODP_1536, cnt=2
May  9 00:41:53 uxcasxxx pluto[4608]: | ike proposal: AES_CBC_128/HMAC_SHA1/MODP_2048, 3DES_CBC/HMAC_SHA1/MODP_1536,
May  9 00:41:53 uxcasxxx pluto[4608]: added connection description "fqdn_vr"
May  9 00:41:53 uxcasxxx pluto[4608]: | 172.31.114.227[172.31.114.227]...%any[divya at cas.com]===0.0.0.0/0
May  9 00:41:53 uxcasxxx pluto[4608]: | ike_life: 900s; ipsec_life: 120s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1; policy: PSK+ENCRYPT+TUNNEL+DONTREKEY
May  9 00:42:10 uxcasxxx charon: 15[IKE] 172.31.114.211 is initiating an IKE_SA
May  9 00:42:10 uxcasxxx pluto[4608]: |   ignoring IKEv2 packet
May  9 00:42:10 uxcasxxx pluto[4608]: | next event EVENT_REINIT_SECRET in 3583 seconds
May  9 00:42:10 uxcasxxx pluto[4608]: |  ignoring IKEv2 packet
May  9 00:42:10 uxcasxxx pluto[4608]: | next event EVENT_REINIT_SECRET in 3583 seconds
May  9 00:42:10 uxcasxxx charon: 07[IKE] IKE_SA fqdn_vr[1] established between 172.31.114.227[172.31.114.227]...172.31.114.211[divya at cas.com]
May  9 00:42:10 uxcasxxx charon: 07[IKE] CHILD_SA fqdn_vr{1} established with SPIs c307376c_i 7ac0291f_o and TS 172.31.114.227/32 === 0.0.0.0/0
May  9 00:42:42 uxcasxxx pluto[4608]: |
May  9 00:42:42 uxcasxxx pluto[4608]: | *received 76 bytes from 172.31.114.211:500 on eth0
May  9 00:42:42 uxcasxxx pluto[4608]: |   4f 8e 1c 6f  03 97 b8 91  29 53 9d 90  9e 9e 93 2c
May  9 00:42:42 uxcasxxx pluto[4608]: |   2e 20 25 08  00 00 00 01  00 00 00 4c  2a 00 00 30
May  9 00:42:42 uxcasxxx pluto[4608]: |   53 58 ed 96  c4 69 2b db  27 43 a8 2f  19 61 e7 a0
May  9 00:42:42 uxcasxxx pluto[4608]: |   83 e8 2e 8f  e4 24 05 3b  ef bb 28 f7  95 a1 8b 13
May  9 00:42:42 uxcasxxx pluto[4608]: |   e9 7f 85 d4  c7 52 38 5c  17 bc 18 f9
May  9 00:42:42 uxcasxxx pluto[4608]: |   ignoring IKEv2 packet
May  9 00:42:42 uxcasxxx pluto[4608]: | next event EVENT_REINIT_SECRET in 3551 seconds
May  9 00:42:42 uxcasxxx pluto[4608]: |
May  9 00:42:42 uxcasxxx pluto[4608]: | *received 76 bytes from 172.31.114.211:500 on eth0
May  9 00:42:42 uxcasxxx pluto[4608]: |   4f 8e 1c 6f  03 97 b8 91  29 53 9d 90  9e 9e 93 2c
May  9 00:42:42 uxcasxxx pluto[4608]: |   2e 20 23 28  00 00 00 01  00 00 00 4c  29 00 00 30
May  9 00:42:42 uxcasxxx pluto[4608]: |   83 e8 2e 8f  e4 24 05 3b  ef bb 28 f7  95 a1 8b 13
May  9 00:42:42 uxcasxxx pluto[4608]: |   55 33 20 fe  72 3d 17 cb  d7 85 66 c3  0c fd 61 5f
May  9 00:42:42 uxcasxxx pluto[4608]: |   3d 2c b0 cb  0a 53 71 1c  8a d1 e7 e3
May  9 00:42:42 uxcasxxx pluto[4608]: |   ignoring IKEv2 packet
May  9 00:42:42 uxcasxxx pluto[4608]: | next event EVENT_REINIT_SECRET in 3551 seconds


-- 
Regards,
Anonymous cross.
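The two 76-byte packets that pluto hex-dumped in /var/log/secure are raw IKEv2 messages, and the charon lines in /var/log/messages record which message ID each request used. The script below is an added example for reading such an excerpt; it is not code from the post or from strongSwan. It decodes the fixed IKE header and the generic header of the first payload (field values from RFC 7296, sections 3.1 and 3.2), and it walks charon's "parsed ... request N" lines to report a request whose message ID an earlier request already used, which is the condition charon logs as "received retransmit of request". The sample log lines are re-typed from the post with the mail wrapping removed (constructed copies).

```python
"""Decode pluto's IKEv2 hex dumps and check charon's request message IDs.

Added example for reading the log excerpt in the post; not strongSwan code.
Field tables follow RFC 7296; sample lines are constructed copies of the
post's log lines with the mail wrapping removed."""
import re
import struct

# RFC 7296 section 3.1: Exchange Type values and the header flag bits.
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                  36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
# RFC 7296 section 3.2: Next Payload values (SK = Encrypted and Authenticated).
PAYLOAD_TYPES = {0: "NONE", 33: "SA", 34: "KE", 35: "IDi", 36: "IDr",
                 37: "CERT", 38: "CERTREQ", 39: "AUTH", 40: "Ni/Nr", 41: "N",
                 42: "D", 43: "V", 44: "TSi", 45: "TSr", 46: "SK", 47: "CP",
                 48: "EAP"}

# A pluto debug line whose tail after '| ' is nothing but hex byte pairs.
HEX_RUN = re.compile(r"\|\s+((?:[0-9a-f]{2}\s+)*[0-9a-f]{2})\s*$")
CHARON_PARSED = re.compile(
    r"charon: \d+\[ENC\] parsed (\S+) (request|response) (\d+) \[(.*?)\]")


def bytes_from_pluto_dump(lines):
    """Gather the hex bytes pluto prints after '| ' into one packet.
    Lines without a trailing hex run ('*received 76 bytes', 'next event')
    are skipped, so a whole excerpt for one packet can be passed in."""
    out = bytearray()
    for line in lines:
        m = HEX_RUN.search(line)
        if m:
            out.extend(bytes.fromhex(m.group(1).replace(" ", "")))
    return bytes(out)


def parse_ikev2_header(packet):
    """Decode the 28-byte fixed IKE header plus the generic header of the
    first payload. For an SK payload that generic header's Next Payload
    names the first payload inside the encrypted part; it is in the clear,
    so a reader can tell a Delete from a Notify without any keys."""
    if len(packet) < 32:
        raise ValueError("need at least 32 bytes, got %d" % len(packet))
    spi_i, spi_r, nxt, ver, exch, flags, msg_id, length = struct.unpack(
        "!QQBBBBII", packet[:28])
    inner_nxt, _crit, pl_len = struct.unpack("!BBH", packet[28:32])
    return {
        "spi_i": "%016x" % spi_i,
        "spi_r": "%016x" % spi_r,
        "version": "%d.%d" % (ver >> 4, ver & 0x0F),
        "exchange": EXCHANGE_TYPES.get(exch, "unknown(%d)" % exch),
        "initiator": bool(flags & FLAG_INITIATOR),
        "response": bool(flags & FLAG_RESPONSE),
        "message_id": msg_id,
        "length_ok": length == len(packet),  # header length vs bytes dumped
        "first_payload": PAYLOAD_TYPES.get(nxt, str(nxt)),
        "inner_first_payload": PAYLOAD_TYPES.get(inner_nxt, str(inner_nxt)),
        "first_payload_len": pl_len,
    }


def find_reused_request_ids(charon_lines):
    """Walk charon's 'parsed <EXCH> request <ID> [ payloads ]' lines.
    Requests in one direction must use strictly increasing message IDs
    (RFC 7296 section 2.2); a request reusing an earlier ID is handled by
    the responder as a retransmission, not as a new exchange."""
    seen, reused = {}, []
    for line in charon_lines:
        m = CHARON_PARSED.search(line)
        if not m or m.group(2) != "request":
            continue
        exch, msg_id, payloads = m.group(1), int(m.group(3)), m.group(4).split()
        if msg_id in seen:
            reused.append({"message_id": msg_id, "exchange": exch,
                           "payloads": payloads, "first_use": seen[msg_id],
                           "carries_delete": "D" in payloads})
        else:
            seen[msg_id] = exch
    return reused


# Constructed copies of the post's log lines (mail wrapping removed).
CHARON_LOG = [
    "May  9 00:42:10 uxcasxxx charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]",
    "May  9 00:42:10 uxcasxxx charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr ]",
    "May  9 00:42:42 uxcasxxx charon: 08[ENC] parsed INFORMATIONAL request 1 [ D ]",
    "May  9 00:42:42 uxcasxxx charon: 10[ENC] parsed IKE_AUTH response 1 [ N(TS_UNACCEPT) ]",
]
PLUTO_DUMP_1 = [
    "May  9 00:42:42 uxcasxxx pluto[4608]: | *received 76 bytes from 172.31.114.211:500 on eth0",
    "May  9 00:42:42 uxcasxxx pluto[4608]: |   4f 8e 1c 6f  03 97 b8 91  29 53 9d 90  9e 9e 93 2c",
    "May  9 00:42:42 uxcasxxx pluto[4608]: |   2e 20 25 08  00 00 00 01  00 00 00 4c  2a 00 00 30",
    "May  9 00:42:42 uxcasxxx pluto[4608]: |   53 58 ed 96  c4 69 2b db  27 43 a8 2f  19 61 e7 a0",
    "May  9 00:42:42 uxcasxxx pluto[4608]: |   83 e8 2e 8f  e4 24 05 3b  ef bb 28 f7  95 a1 8b 13",
    "May  9 00:42:42 uxcasxxx pluto[4608]: |   e9 7f 85 d4  c7 52 38 5c  17 bc 18 f9",
]
PLUTO_DUMP_2 = [
    "May  9 00:42:42 uxcasxxx pluto[4608]: |   4f 8e 1c 6f  03 97 b8 91  29 53 9d 90  9e 9e 93 2c",
    "May  9 00:42:42 uxcasxxx pluto[4608]: |   2e 20 23 28  00 00 00 01  00 00 00 4c  29 00 00 30",
    "May  9 00:42:42 uxcasxxx pluto[4608]: |   83 e8 2e 8f  e4 24 05 3b  ef bb 28 f7  95 a1 8b 13",
    "May  9 00:42:42 uxcasxxx pluto[4608]: |   55 33 20 fe  72 3d 17 cb  d7 85 66 c3  0c fd 61 5f",
    "May  9 00:42:42 uxcasxxx pluto[4608]: |   3d 2c b0 cb  0a 53 71 1c  8a d1 e7 e3",
]

if __name__ == "__main__":
    for dump in (PLUTO_DUMP_1, PLUTO_DUMP_2):
        print(parse_ikev2_header(bytes_from_pluto_dump(dump)))
    print(find_reused_request_ids(CHARON_LOG))
```

Run as-is it decodes the first dump as an INFORMATIONAL request with message ID 1 whose SK payload starts with a D (Delete) payload, the second as an IKE_AUTH response with message ID 1 whose SK payload starts with an N (Notify) payload, and it flags the INFORMATIONAL request for reusing message ID 1 after the IKE_AUTH request. To apply it to a longer excerpt, feed each "*received N bytes" block to bytes_from_pluto_dump separately and check the returned "length_ok" field, which compares the header's Length with the number of bytes actually dumped.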