[strongSwan] SAD and SPD are not deleted properly on getting delete payload from Peer for Ikev2
Anonymous cross
anonymouscross at gmail.com
Tue May 8 21:41:14 CEST 2012
Hi Friends,
We formed a site-to-site IPsec tunnel between Cisco and strongSwan using
IKEv2.
Router1 (Cisco) ------------- Router2 (strongSwan)
I stopped the IPsec service on the Cisco and it is sending a delete payload to
strongSwan. But strongSwan is not deleting the SAD and SPD properly; they
linger in the kernel. Please help me out on this.
Please find the configurations and logs below.
ipsec.conf
___________
config setup
plutostart=yes
plutodebug=all
charonstart=yes
charondebug=all
nat_traversal=yes
crlcheckinterval=10m
strictcrlpolicy=no
conn %default
ikelifetime=15m
keylife=2m
keyingtries=1
conn fqdn_vr
type=tunnel
keyexchange=ikev1
left=172.31.114.227
right=%any
rightsubnet=0.0.0.0/0
rightid=divya at cas.com
auth=esp
authby=secret
pfs=no
rekey=no
auto=add
*Logs*
++++++
*/var/log/messages*
___________
May 9 00:41:53 uxcasxxx charon: 12[CFG] received stroke: add connection
'fqdn_vr'
May 9 00:41:53 uxcasxxx charon: 12[CFG] added configuration 'fqdn_vr'
May 9 00:42:10 uxcasxxx charon: 15[NET] received packet: from
172.31.114.211[500] to 172.31.114.227[500]
May 9 00:42:10 uxcasxxx charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) ]
May 9 00:42:10 uxcasxxx charon: 15[IKE] 172.31.114.211 is initiating an
IKE_SA
May 9 00:42:10 uxcasxxx charon: 15[IKE] sending cert request for "C=CH,
O=strongSwan, CN=strongSwan CA"
May 9 00:42:10 uxcasxxx charon: 15[ENC] generating IKE_SA_INIT response 0
[ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
May 9 00:42:10 uxcasxxx charon: 15[NET] sending packet: from
172.31.114.227[500] to 172.31.114.211[500]
May 9 00:42:10 uxcasxxx charon: 07[NET] received packet: from
172.31.114.211[500] to 172.31.114.227[500]
May 9 00:42:10 uxcasxxx charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi
AUTH SA TSi TSr ]
May 9 00:42:10 uxcasxxx charon: 07[CFG] looking for peer configs matching
172.31.114.227[%any]...172.31.114.211[divya at cas.com]
May 9 00:42:10 uxcasxxx charon: 07[CFG] selected peer config 'fqdn_vr'
May 9 00:42:10 uxcasxxx charon: 07[IKE] authentication of 'divya at cas.com'
with pre-shared key successful
May 9 00:42:10 uxcasxxx charon: 07[IKE] authentication of '172.31.114.227'
(myself) with pre-shared key
May 9 00:42:10 uxcasxxx charon: 07[IKE] IKE_SA fqdn_vr[1] established
between 172.31.114.227[172.31.114.227]...172.31.114.211[divya at cas.com]
May 9 00:42:10 uxcasxxx charon: 07[IKE] CHILD_SA fqdn_vr{1} established
with SPIs c307376c_i 7ac0291f_o and TS 172.31.114.227/32 === 0.0.0.0/0
May 9 00:42:10 uxcasxxx charon: 07[ENC] generating IKE_AUTH response 1 [
IDr AUTH SA TSi TSr ]
May 9 00:42:10 uxcasxxx charon: 07[NET] sending packet: from
172.31.114.227[500] to 172.31.114.211[500]
May 9 00:42:42 uxcasxxx charon: 08[NET] received packet: from
172.31.114.211[500] to 172.31.114.227[500]
May 9 00:42:42 uxcasxxx charon: 08[ENC] parsed INFORMATIONAL request 1 [ D
]
May 9 00:42:42 uxcasxxx charon: 08[IKE] received retransmit of request
with ID 1, retransmitting response
May 9 00:42:42 uxcasxxx charon: 08[NET] sending packet: from
172.31.114.227[500] to 172.31.114.211[500]
May 9 00:42:42 uxcasxxx charon: 10[NET] received packet: from
172.31.114.211[500] to 172.31.114.227[500]
May 9 00:42:42 uxcasxxx charon: 10[ENC] parsed IKE_AUTH response 1 [
N(TS_UNACCEPT) ]
May 9 00:42:42 uxcasxxx charon: 10[IKE] received message ID 1, expected 0.
Ignored
*/var/log/secure*
__________
May 9 00:41:53 uxcasxxx pluto[4608]: certificate is invalid (valid from
Mar 28 19:21:50 2012 to Apr 27 19:21:50 2012)
May 9 00:41:53 uxcasxxx pluto[4608]: added connection description
"cisco-vpn"
May 9 00:41:53 uxcasxxx pluto[4608]: | 0.0.0.0/0===172.31.114.227[C=CH,
O=strongSwan, CN=strongswan]...%any[C=CH, O=strongSwan, CN=*]===%addrpool
May 9 00:41:53 uxcasxxx pluto[4608]: | ike_life: 900s; ipsec_life: 120s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1; policy:
ENCRYPT+TUNNEL+XAUTHRSASIG+XAUTHSERVER
May 9 00:41:53 uxcasxxx pluto[4608]: | next event EVENT_REINIT_SECRET in
3600 seconds
May 9 00:41:53 uxcasxxx pluto[4608]: |
May 9 00:41:53 uxcasxxx pluto[4608]: | *received whack message
May 9 00:41:53 uxcasxxx pluto[4608]: | from whack: got
--esp=aes128-sha1,3des-sha1
May 9 00:41:53 uxcasxxx pluto[4608]: | esp alg added:
AES_CBC_128/HMAC_SHA1, cnt=1
May 9 00:41:53 uxcasxxx pluto[4608]: | esp alg added:
3DES_CBC_0/HMAC_SHA1, cnt=2
May 9 00:41:53 uxcasxxx pluto[4608]: | esp proposal:
AES_CBC_128/HMAC_SHA1, 3DES_CBC/HMAC_SHA1,
May 9 00:41:53 uxcasxxx pluto[4608]: | from whack: got
--ike=aes128-sha1-modp2048,3des-sha1-modp1536
May 9 00:41:53 uxcasxxx pluto[4608]: | ikg alg added:
AES_CBC_128/HMAC_SHA1/MODP_2048, cnt=1
May 9 00:41:53 uxcasxxx pluto[4608]: | ikg alg added:
3DES_CBC_0/HMAC_SHA1/MODP_1536, cnt=2
May 9 00:41:53 uxcasxxx pluto[4608]: | ike proposal:
AES_CBC_128/HMAC_SHA1/MODP_2048, 3DES_CBC/HMAC_SHA1/MODP_1536,
May 9 00:41:53 uxcasxxx pluto[4608]: added connection description "fqdn_vr"
May 9 00:41:53 uxcasxxx pluto[4608]: |
172.31.114.227[172.31.114.227]...%any[divya at cas.com]===0.0.0.0/0
May 9 00:41:53 uxcasxxx pluto[4608]: | ike_life: 900s; ipsec_life: 120s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1; policy:
PSK+ENCRYPT+TUNNEL+DONTREKEY
May 9 00:42:10 uxcasxxx charon: 15[IKE] 172.31.114.211 is initiating an
IKE_SA
May 9 00:42:10 uxcasxxx pluto[4608]: | ignoring IKEv2 packet
May 9 00:42:10 uxcasxxx pluto[4608]: | next event EVENT_REINIT_SECRET in
3583 seconds
May 9 00:42:10 uxcasxxx pluto[4608]: | ignoring IKEv2 packet
May 9 00:42:10 uxcasxxx pluto[4608]: | next event EVENT_REINIT_SECRET in
3583 seconds
May 9 00:42:10 uxcasxxx charon: 07[IKE] IKE_SA fqdn_vr[1] established
between 172.31.114.227[172.31.114.227]...172.31.114.211[divya at cas.com]
May 9 00:42:10 uxcasxxx charon: 07[IKE] CHILD_SA fqdn_vr{1} established
with SPIs c307376c_i 7ac0291f_o and TS 172.31.114.227/32 === 0.0.0.0/0
May 9 00:42:42 uxcasxxx pluto[4608]: |
May 9 00:42:42 uxcasxxx pluto[4608]: | *received 76 bytes from
172.31.114.211:500 on eth0
May 9 00:42:42 uxcasxxx pluto[4608]: | ignoring IKEv2 packet
May 9 00:42:42 uxcasxxx pluto[4608]: | next event EVENT_REINIT_SECRET in
3551 seconds
May 9 00:42:42 uxcasxxx pluto[4608]: |
May 9 00:42:42 uxcasxxx pluto[4608]: | *received 76 bytes from
172.31.114.211:500 on eth0
May 9 00:42:42 uxcasxxx pluto[4608]: | ignoring IKEv2 packet
May 9 00:42:42 uxcasxxx pluto[4608]: | next event EVENT_REINIT_SECRET in
3551 seconds
--
Regards,
Anonymous cross.
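What the charon log above shows is that the peer's INFORMATIONAL [ D ] arrived with message ID 1, the same ID as the already-answered IKE_AUTH request, so charon treated it as a retransmit and resent the old response instead of processing the delete. The following is an added diagnostic, not part of the original post or of strongSwan itself: it replays charon log lines and flags delete requests whose message ID collides with an already-answered request, and lists CHILD_SAs that were established but never closed; the "closing CHILD_SA" wording in the constructed healthy sample is an assumption.

```python
import re

# Constructed sample: the charon lines from the post above that matter for the
# question, one record per line (the mailing-list wrapping has been undone).
BROKEN_LOG = """\
May 9 00:42:10 uxcasxxx charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr ]
May 9 00:42:10 uxcasxxx charon: 07[IKE] CHILD_SA fqdn_vr{1} established with SPIs c307376c_i 7ac0291f_o and TS 172.31.114.227/32 === 0.0.0.0/0
May 9 00:42:10 uxcasxxx charon: 07[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
May 9 00:42:42 uxcasxxx charon: 08[ENC] parsed INFORMATIONAL request 1 [ D ]
May 9 00:42:42 uxcasxxx charon: 08[IKE] received retransmit of request with ID 1, retransmitting response
"""

# Constructed counter-example (hypothetical lines, not from the post): the peer
# uses the next message ID, so charon processes the delete and tears the
# CHILD_SA down.  The exact "closing CHILD_SA" wording is an assumption.
HEALTHY_LOG = "\n".join(BROKEN_LOG.splitlines()[:3]) + """
May 9 00:42:42 uxcasxxx charon: 08[ENC] parsed INFORMATIONAL request 2 [ D ]
May 9 00:42:42 uxcasxxx charon: 08[IKE] closing CHILD_SA fqdn_vr{1} with SPIs c307376c_i 7ac0291f_o
May 9 00:42:42 uxcasxxx charon: 08[ENC] generating INFORMATIONAL response 2 [ D ]
"""

REQUEST = re.compile(r"parsed (\w+) request (\d+) \[ (.*?) \]")
RESPONSE = re.compile(r"generating \w+ response (\d+)")
CHILD_UP = re.compile(r"CHILD_SA (\S+) established with SPIs ([0-9a-f]+)_i ([0-9a-f]+)_o")
CHILD_DOWN = re.compile(r"closing CHILD_SA (\S+) ")


def analyze(log_text):
    """Return (stale_deletes, lingering): delete requests whose message ID was
    already answered (charon treats those as retransmits and never processes
    the D payload), and CHILD_SAs set up but never torn down in this log."""
    answered = set()     # request message IDs this side has already responded to
    lingering = {}       # CHILD_SA name -> (spi_in, spi_out) still believed up
    stale_deletes = []   # message IDs of delete requests that collided
    for line in log_text.splitlines():
        if m := REQUEST.search(line):
            exch, mid, payloads = m.group(1), int(m.group(2)), m.group(3).split()
            if exch == "INFORMATIONAL" and "D" in payloads and mid in answered:
                stale_deletes.append(mid)
        elif m := RESPONSE.search(line):
            answered.add(int(m.group(1)))
        elif m := CHILD_UP.search(line):
            lingering[m.group(1)] = (m.group(2), m.group(3))
        elif m := CHILD_DOWN.search(line):
            lingering.pop(m.group(1), None)
    return stale_deletes, lingering
```

A non-empty `lingering` result is the list of SPIs to compare against `ip xfrm state` on the strongSwan host before deciding whether the kernel entries really are orphaned.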