[strongSwan] SAD and SPD are not deleted properly on getting delete payload from peer for IKEv2
Anonymous cross
anonymouscross at gmail.com
Wed May 9 08:39:42 CEST 2012
Hi all,
A small correction to the conf below:
keyexchange=ikev2
For IKEv1 it's working fine.
Regards,
Cross
On Wed, May 9, 2012 at 1:11 AM, Anonymous cross <anonymouscross at gmail.com>wrote:
> Hi Friends,
> We formed a site-to-site IPsec tunnel between Cisco and strongSwan using
> IKEv2
>
> Router1 (Cisco) ------------- Router2 (strongSwan)
>
> I stopped the IPsec service on the Cisco and it is sending a delete payload to
> strongSwan. But strongSwan is not deleting the SAD and SPD properly; they
> linger in the kernel. Please help me out on this.
> Please find the configurations and logs below
>
> ipsec.conf
> ___________
> config setup
> plutostart=yes
> plutodebug=all
> charonstart=yes
> charondebug=all
> nat_traversal=yes
> crlcheckinterval=10m
> strictcrlpolicy=no
>
> conn %default
> ikelifetime=15m
> keylife=2m
> keyingtries=1
>
> conn fqdn_vr
> type=tunnel
> keyexchange=ikev1
> left=172.31.114.227
> right=%any
> rightsubnet=0.0.0.0/0
> rightid=divya at cas.com
> auth=esp
> authby=secret
> pfs=no
> rekey=no
> auto=add
>
> *Logs*
> ++++++
> */var/log/messages*
> ___________
> May 9 00:41:53 uxcasxxx charon: 12[CFG] received stroke: add connection
> 'fqdn_vr'
> May 9 00:41:53 uxcasxxx charon: 12[CFG] added configuration 'fqdn_vr'
> May 9 00:42:10 uxcasxxx charon: 15[NET] received packet: from
> 172.31.114.211[500] to 172.31.114.227[500]
> May 9 00:42:10 uxcasxxx charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA
> KE No N(NATD_S_IP) N(NATD_D_IP) ]
> May 9 00:42:10 uxcasxxx charon: 15[IKE] 172.31.114.211 is initiating an
> IKE_SA
> May 9 00:42:10 uxcasxxx charon: 15[IKE] sending cert request for "C=CH,
> O=strongSwan, CN=strongSwan CA"
> May 9 00:42:10 uxcasxxx charon: 15[ENC] generating IKE_SA_INIT response 0
> [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> May 9 00:42:10 uxcasxxx charon: 15[NET] sending packet: from
> 172.31.114.227[500] to 172.31.114.211[500]
> May 9 00:42:10 uxcasxxx charon: 07[NET] received packet: from
> 172.31.114.211[500] to 172.31.114.227[500]
> May 9 00:42:10 uxcasxxx charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi
> AUTH SA TSi TSr ]
> May 9 00:42:10 uxcasxxx charon: 07[CFG] looking for peer configs matching
> 172.31.114.227[%any]...172.31.114.211[divya at cas.com]
> May 9 00:42:10 uxcasxxx charon: 07[CFG] selected peer config 'fqdn_vr'
> May 9 00:42:10 uxcasxxx charon: 07[IKE] authentication of 'divya at cas.com'
> with pre-shared key successful
> May 9 00:42:10 uxcasxxx charon: 07[IKE] authentication of
> '172.31.114.227' (myself) with pre-shared key
> May 9 00:42:10 uxcasxxx charon: 07[IKE] IKE_SA fqdn_vr[1] established
> between 172.31.114.227[172.31.114.227]...172.31.114.211[divya at cas.com]
> May 9 00:42:10 uxcasxxx charon: 07[IKE] CHILD_SA fqdn_vr{1} established
> with SPIs c307376c_i 7ac0291f_o and TS 172.31.114.227/32 === 0.0.0.0/0
> May 9 00:42:10 uxcasxxx charon: 07[ENC] generating IKE_AUTH response 1 [
> IDr AUTH SA TSi TSr ]
> May 9 00:42:10 uxcasxxx charon: 07[NET] sending packet: from
> 172.31.114.227[500] to 172.31.114.211[500]
> May 9 00:42:42 uxcasxxx charon: 08[NET] received packet: from
> 172.31.114.211[500] to 172.31.114.227[500]
> May 9 00:42:42 uxcasxxx charon: 08[ENC] parsed INFORMATIONAL request 1 [
> D ]
> May 9 00:42:42 uxcasxxx charon: 08[IKE] received retransmit of request
> with ID 1, retransmitting response
> May 9 00:42:42 uxcasxxx charon: 08[NET] sending packet: from
> 172.31.114.227[500] to 172.31.114.211[500]
> May 9 00:42:42 uxcasxxx charon: 10[NET] received packet: from
> 172.31.114.211[500] to 172.31.114.227[500]
> May 9 00:42:42 uxcasxxx charon: 10[ENC] parsed IKE_AUTH response 1 [
> N(TS_UNACCEPT) ]
> May 9 00:42:42 uxcasxxx charon: 10[IKE] received message ID 1, expected
> 0. Ignored
> *
> /var/log/secure
> __________*
> May 9 00:41:53 uxcasxxx pluto[4608]: certificate is invalid (valid from
> Mar 28 19:21:50 2012 to Apr 27 19:21:50 2012)
> May 9 00:41:53 uxcasxxx pluto[4608]: added connection description
> "cisco-vpn"
> May 9 00:41:53 uxcasxxx pluto[4608]: | 0.0.0.0/0===172.31.114.227[C=CH,
> O=strongSwan, CN=strongswan]...%any[C=CH, O=strongSwan, CN=*]===%addrpool
> May 9 00:41:53 uxcasxxx pluto[4608]: | ike_life: 900s; ipsec_life: 120s;
> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1; policy:
> ENCRYPT+TUNNEL+XAUTHRSASIG+XAUTHSERVER
> May 9 00:41:53 uxcasxxx pluto[4608]: | next event EVENT_REINIT_SECRET in
> 3600 seconds
> May 9 00:41:53 uxcasxxx pluto[4608]: |
> May 9 00:41:53 uxcasxxx pluto[4608]: | *received whack message
> May 9 00:41:53 uxcasxxx pluto[4608]: | from whack: got
> --esp=aes128-sha1,3des-sha1
> May 9 00:41:53 uxcasxxx pluto[4608]: | esp alg added:
> AES_CBC_128/HMAC_SHA1, cnt=1
> May 9 00:41:53 uxcasxxx pluto[4608]: | esp alg added:
> 3DES_CBC_0/HMAC_SHA1, cnt=2
> May 9 00:41:53 uxcasxxx pluto[4608]: | esp proposal:
> AES_CBC_128/HMAC_SHA1, 3DES_CBC/HMAC_SHA1,
> May 9 00:41:53 uxcasxxx pluto[4608]: | from whack: got
> --ike=aes128-sha1-modp2048,3des-sha1-modp1536
> May 9 00:41:53 uxcasxxx pluto[4608]: | ikg alg added:
> AES_CBC_128/HMAC_SHA1/MODP_2048, cnt=1
> May 9 00:41:53 uxcasxxx pluto[4608]: | ikg alg added:
> 3DES_CBC_0/HMAC_SHA1/MODP_1536, cnt=2
> May 9 00:41:53 uxcasxxx pluto[4608]: | ike proposal:
> AES_CBC_128/HMAC_SHA1/MODP_2048, 3DES_CBC/HMAC_SHA1/MODP_1536,
> May 9 00:41:53 uxcasxxx pluto[4608]: added connection description
> "fqdn_vr"
> May 9 00:41:53 uxcasxxx pluto[4608]: |
> 172.31.114.227[172.31.114.227]...%any[divya at cas.com]===0.0.0.0/0
> May 9 00:41:53 uxcasxxx pluto[4608]: | ike_life: 900s; ipsec_life: 120s;
> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1; policy:
> PSK+ENCRYPT+TUNNEL+DONTREKEY
> May 9 00:42:10 uxcasxxx charon: 15[IKE] 172.31.114.211 is initiating an
> IKE_SA
> May 9 00:42:10 uxcasxxx pluto[4608]: | ignoring IKEv2 packet
> May 9 00:42:10 uxcasxxx pluto[4608]: | next event EVENT_REINIT_SECRET in
> 3583 seconds
> May 9 00:42:10 uxcasxxx pluto[4608]: | ignoring IKEv2 packet
> May 9 00:42:10 uxcasxxx pluto[4608]: | next event EVENT_REINIT_SECRET in
> 3583 seconds
> May 9 00:42:10 uxcasxxx charon: 07[IKE] IKE_SA fqdn_vr[1] established
> between 172.31.114.227[172.31.114.227]...172.31.114.211[divya at cas.com]
> May 9 00:42:10 uxcasxxx charon: 07[IKE] CHILD_SA fqdn_vr{1} established
> with SPIs c307376c_i 7ac0291f_o and TS 172.31.114.227/32 === 0.0.0.0/0
> May 9 00:42:42 uxcasxxx pluto[4608]: |
> May 9 00:42:42 uxcasxxx pluto[4608]: | *received 76 bytes from
> 172.31.114.211:500 on eth0
> May 9 00:42:42 uxcasxxx pluto[4608]: | 4f 8e 1c 6f 03 97 b8 91 29 53
> 9d 90 9e 9e 93 2c
> May 9 00:42:42 uxcasxxx pluto[4608]: | 2e 20 25 08 00 00 00 01 00 00
> 00 4c 2a 00 00 30
> May 9 00:42:42 uxcasxxx pluto[4608]: | 53 58 ed 96 c4 69 2b db 27 43
> a8 2f 19 61 e7 a0
> May 9 00:42:42 uxcasxxx pluto[4608]: | 83 e8 2e 8f e4 24 05 3b ef bb
> 28 f7 95 a1 8b 13
> May 9 00:42:42 uxcasxxx pluto[4608]: | e9 7f 85 d4 c7 52 38 5c 17 bc
> 18 f9
> May 9 00:42:42 uxcasxxx pluto[4608]: | ignoring IKEv2 packet
> May 9 00:42:42 uxcasxxx pluto[4608]: | next event EVENT_REINIT_SECRET in
> 3551 seconds
> May 9 00:42:42 uxcasxxx pluto[4608]: |
> May 9 00:42:42 uxcasxxx pluto[4608]: | *received 76 bytes from
> 172.31.114.211:500 on eth0
> May 9 00:42:42 uxcasxxx pluto[4608]: | 4f 8e 1c 6f 03 97 b8 91 29 53
> 9d 90 9e 9e 93 2c
> May 9 00:42:42 uxcasxxx pluto[4608]: | 2e 20 23 28 00 00 00 01 00 00
> 00 4c 29 00 00 30
> May 9 00:42:42 uxcasxxx pluto[4608]: | 83 e8 2e 8f e4 24 05 3b ef bb
> 28 f7 95 a1 8b 13
> May 9 00:42:42 uxcasxxx pluto[4608]: | 55 33 20 fe 72 3d 17 cb d7 85
> 66 c3 0c fd 61 5f
> May 9 00:42:42 uxcasxxx pluto[4608]: | 3d 2c b0 cb 0a 53 71 1c 8a d1
> e7 e3
> May 9 00:42:42 uxcasxxx pluto[4608]: | ignoring IKEv2 packet
> May 9 00:42:42 uxcasxxx pluto[4608]: | next event EVENT_REINIT_SECRET in
> 3551 seconds
>
>
> --
> Regards,
> Anonymous cross.
>
--
Regards,
Anonymous cross.
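The two 76-byte packets pluto hex-dumped in the /var/log/secure excerpt are the raw IKEv2 messages charon reports as "INFORMATIONAL request 1 [ D ]" and "IKE_AUTH response 1 [ N(TS_UNACCEPT) ]". The script below is an added example, not strongSwan code: it decodes the fixed IKE header of each packet and replays charon's responder-side message-ID check (RFC 5996 section 2.2) to show why the delete was answered with a retransmitted IKE_AUTH response. The Cisco initiator's IKE_SA_INIT and IKE_AUTH already consumed message IDs 0 and 1, so a fresh INFORMATIONAL request has to carry ID 2; arriving with ID 1 it is, by the spec, a retransmission of request 1, the responder must resend its old response, and the CHILD_SA is never torn down. The packet bytes are transcribed from the post; the class and function names, and the hypothetical ID-2 delete built for comparison, are the example's own assumptions.

```python
"""
Decode the two IKEv2 packets pluto hex-dumped in the /var/log/secure excerpt
and replay charon's responder-side message-ID bookkeeping.  Added example,
not strongSwan code; packet bytes are transcribed from the posted log, header
and payload numbers follow RFC 5996.
"""
import struct

EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                  36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD_TYPES = {0: "-", 33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT",
                 38: "CERTREQ", 39: "AUTH", 40: "No", 41: "N", 42: "D",
                 43: "V", 44: "TSi", 45: "TSr", 46: "SK", 47: "CP", 48: "EAP"}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20

# "received 76 bytes from 172.31.114.211:500", first dump (transcribed from the post)
PKT_DELETE = bytes.fromhex(
    "4f8e1c6f0397b89129539d909e9e932c" "2e202508000000010000004c2a000030"
    "5358ed96c4692bdb2743a82f1961e7a0" "83e82e8fe424053befbb28f795a18b13"
    "e97f85d4c752385c17bc18f9")
# second dump, a few lines later in the same log
PKT_TS_UNACCEPT = bytes.fromhex(
    "4f8e1c6f0397b89129539d909e9e932c" "2e202328000000010000004c29000030"
    "83e82e8fe424053befbb28f795a18b13" "553320fe723d17cbd78566c30cfd615f"
    "3d2cb0cb0a53711c8ad1e7e3")


def parse_ikev2(pkt):
    """Parse the fixed 28-byte IKE header plus the generic header of the first payload."""
    if len(pkt) < 32:
        raise ValueError("too short for an IKE header and one payload header")
    spi_i, spi_r, nxt, ver, exch, flags, msg_id, length = struct.unpack("!QQBBBBII", pkt[:28])
    if ver >> 4 != 2:
        raise ValueError("IKE major version %d, not 2" % (ver >> 4))
    if length != len(pkt):
        raise ValueError("length field %d != %d bytes on the wire" % (length, len(pkt)))
    p_next, _p_flags, p_len = struct.unpack("!BBH", pkt[28:32])
    if 28 + p_len > length:
        raise ValueError("first payload overruns the packet")
    return {
        "spi_i": "%016x" % spi_i,
        "spi_r": "%016x" % spi_r,
        "exchange": EXCHANGE_TYPES.get(exch, str(exch)),
        "initiator": bool(flags & FLAG_INITIATOR),
        "response": bool(flags & FLAG_RESPONSE),
        "msg_id": msg_id,
        "first_payload": PAYLOAD_TYPES.get(nxt, str(nxt)),
        # For an SK (Encrypted) payload the Next Payload byte of its own header
        # names the first payload inside the ciphertext, which is what charon
        # prints in brackets after decrypting ("[ D ]", "[ N(...) ]").
        "inner_payload": PAYLOAD_TYPES.get(p_next, str(p_next)),
        "first_payload_len": p_len,
    }


class ResponderMsgIds:
    """Responder half of RFC 5996 section 2.2 message-ID tracking, window size 1:
    next request ID expected from the peer, last response sent (kept for
    retransmission), and the ID of our own outstanding request, if any."""

    def __init__(self):
        self.expect_request = 0
        self.last_response = None      # (msg_id, description)
        self.outstanding = None        # msg_id of a request we initiated

    def on_request(self, msg_id, exchange, response_desc):
        if msg_id == self.expect_request:
            self.expect_request += 1
            self.last_response = (msg_id, response_desc)
            return "new %s request %d, answered with %s" % (exchange, msg_id, response_desc)
        if self.last_response and msg_id == self.last_response[0]:
            # A repeated request ID is a retransmission by definition; the
            # responder MUST resend its previous response, whatever the payload.
            return "retransmit of request %d, retransmitting %s" % (msg_id, self.last_response[1])
        return "request %d outside window (expected %d), dropped" % (msg_id, self.expect_request)

    def on_response(self, msg_id):
        if self.outstanding is None or msg_id != self.outstanding:
            return "response %d does not match an outstanding request, ignored" % msg_id
        self.outstanding = None
        return "response %d accepted" % msg_id


def replay_posted_exchange(delete_pkt=PKT_DELETE):
    """Feed charon's responder view the exchange from the post; return its decisions."""
    r = ResponderMsgIds()
    log = [r.on_request(0, "IKE_SA_INIT", "IKE_SA_INIT response 0"),
           r.on_request(1, "IKE_AUTH", "IKE_AUTH response 1")]
    d = parse_ikev2(delete_pkt)
    log.append(r.on_request(d["msg_id"], d["exchange"], "INFORMATIONAL response"))
    n = parse_ikev2(PKT_TS_UNACCEPT)
    log.append(r.on_response(n["msg_id"]))
    return log


def with_message_id(pkt, msg_id):
    """Rewrite the Message ID field (header bytes 20..23) to build the hypothetical
    ID-2 delete.  The SK payload's integrity checksum would no longer verify; only
    the header-level decision is being illustrated."""
    return pkt[:20] + struct.pack("!I", msg_id) + pkt[24:]


if __name__ == "__main__":
    for name, pkt in (("delete", PKT_DELETE), ("ts_unaccept", PKT_TS_UNACCEPT)):
        print(name, parse_ikev2(pkt))
    for line in replay_posted_exchange():
        print(line)
    print("--- same delete carrying the expected ID 2 (hypothetical) ---")
    for line in replay_posted_exchange(with_message_id(PKT_DELETE, 2)):
        print(line)
```

Run as-is it prints both decoded headers (exchange type 37 INFORMATIONAL with flags 0x08 and SK next-payload D; exchange type 35 IKE_AUTH with flags 0x28, Response set, and SK next-payload N), then the responder decisions matching the charon lines in the post: request 1 treated as a retransmit, the later response 1 ignored. Whether the reused ID is a Cisco-side defect or a symptom of something else is not established by the logs on this page; what the bytes do show is that charon's behaviour follows the RFC, so the place to look is why the initiator sent its delete with ID 1 rather than 2.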