[strongSwan] SAD and SPD are not deleted properly on getting delete payload from Peer for Ikev2

Anonymous cross anonymouscross at gmail.com
Wed May 9 09:15:48 CEST 2012


Hi all,
      I found the root cause of the problem. When we stop the IPsec service in
Cisco, it's sending an Informational exchange with a delete payload and message
ID 1. Strongswan is considering it as an AUTH message and replying with an
AUTH response.

I tested the same scenario with Strongswan, but Strongswan is sending the
Informational exchange with the delete payload and message ID 2.

I want to understand the significance of Message ID here. Please share your
ideas on this.

Regards,
Cross

On Wed, May 9, 2012 at 12:09 PM, Anonymous cross
<anonymouscross at gmail.com>wrote:

> Hi all,
>    A small correction to the conf below:
> keyexchange=ikev2
> For IKEv1 it's working fine.
>
> Regards,
> Cross
>
>
> On Wed, May 9, 2012 at 1:11 AM, Anonymous cross <anonymouscross at gmail.com>wrote:
>
>> Hi Friends,
>>    We formed a site-to-site IPsec tunnel between Cisco and Strongswan using
>> IKEv2
>>
>> Router1 (Cisco) ------------- Router2 (Strongswan)
>>
>> I stopped the IPsec service in Cisco and it's sending a delete payload to
>> Strongswan. But Strongswan is not deleting the SAD and SPD properly; they
>> linger in the kernel. Please help me out on this.
>> Please find the configurations and logs below.
>>
>> ipsec.conf
>> ___________
>> config setup
>>           plutostart=yes
>>           plutodebug=all
>>           charonstart=yes
>>           charondebug=all
>>           nat_traversal=yes
>>           crlcheckinterval=10m
>>           strictcrlpolicy=no
>>
>> conn %default
>>         ikelifetime=15m
>>         keylife=2m
>>         keyingtries=1
>>
>> conn fqdn_vr
>>     type=tunnel
>>     keyexchange=ikev1
>>     left=172.31.114.227
>>     right=%any
>>     rightsubnet=0.0.0.0/0
>>     rightid=divya at cas.com
>>     auth=esp
>>     authby=secret
>>     pfs=no
>>     rekey=no
>>     auto=add
>>
>> Logs
>> ++++++
>> /var/log/messages
>> ___________
>> May  9 00:41:53 uxcasxxx charon: 12[CFG] received stroke: add connection
>> 'fqdn_vr'
>> May  9 00:41:53 uxcasxxx charon: 12[CFG] added configuration 'fqdn_vr'
>> May  9 00:42:10 uxcasxxx charon: 15[NET] received packet: from
>> 172.31.114.211[500] to 172.31.114.227[500]
>> May  9 00:42:10 uxcasxxx charon: 15[ENC] parsed IKE_SA_INIT request 0 [
>> SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> May  9 00:42:10 uxcasxxx charon: 15[IKE] 172.31.114.211 is initiating an
>> IKE_SA
>> May  9 00:42:10 uxcasxxx charon: 15[IKE] sending cert request for "C=CH,
>> O=strongSwan, CN=strongSwan CA"
>> May  9 00:42:10 uxcasxxx charon: 15[ENC] generating IKE_SA_INIT response
>> 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
>> May  9 00:42:10 uxcasxxx charon: 15[NET] sending packet: from
>> 172.31.114.227[500] to 172.31.114.211[500]
>> May  9 00:42:10 uxcasxxx charon: 07[NET] received packet: from
>> 172.31.114.211[500] to 172.31.114.227[500]
>> May  9 00:42:10 uxcasxxx charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi
>> AUTH SA TSi TSr ]
>> May  9 00:42:10 uxcasxxx charon: 07[CFG] looking for peer configs
>> matching 172.31.114.227[%any]...172.31.114.211[divya at cas.com]
>> May  9 00:42:10 uxcasxxx charon: 07[CFG] selected peer config 'fqdn_vr'
>> May  9 00:42:10 uxcasxxx charon: 07[IKE] authentication of 'divya at cas.com'
>> with pre-shared key successful
>> May  9 00:42:10 uxcasxxx charon: 07[IKE] authentication of
>> '172.31.114.227' (myself) with pre-shared key
>> May  9 00:42:10 uxcasxxx charon: 07[IKE] IKE_SA fqdn_vr[1] established
>> between 172.31.114.227[172.31.114.227]...172.31.114.211[divya at cas.com]
>> May  9 00:42:10 uxcasxxx charon: 07[IKE] CHILD_SA fqdn_vr{1} established
>> with SPIs c307376c_i 7ac0291f_o and TS 172.31.114.227/32 === 0.0.0.0/0
>> May  9 00:42:10 uxcasxxx charon: 07[ENC] generating IKE_AUTH response 1 [
>> IDr AUTH SA TSi TSr ]
>> May  9 00:42:10 uxcasxxx charon: 07[NET] sending packet: from
>> 172.31.114.227[500] to 172.31.114.211[500]
>> May  9 00:42:42 uxcasxxx charon: 08[NET] received packet: from
>> 172.31.114.211[500] to 172.31.114.227[500]
>> May  9 00:42:42 uxcasxxx charon: 08[ENC] parsed INFORMATIONAL request 1 [
>> D ]
>> May  9 00:42:42 uxcasxxx charon: 08[IKE] received retransmit of request
>> with ID 1, retransmitting response
>> May  9 00:42:42 uxcasxxx charon: 08[NET] sending packet: from
>> 172.31.114.227[500] to 172.31.114.211[500]
>> May  9 00:42:42 uxcasxxx charon: 10[NET] received packet: from
>> 172.31.114.211[500] to 172.31.114.227[500]
>> May  9 00:42:42 uxcasxxx charon: 10[ENC] parsed IKE_AUTH response 1 [
>> N(TS_UNACCEPT) ]
>> May  9 00:42:42 uxcasxxx charon: 10[IKE] received message ID 1, expected
>> 0. Ignored
>>
>> /var/log/secure
>> __________
>> May  9 00:41:53 uxcasxxx pluto[4608]: certificate is invalid (valid from
>> Mar 28 19:21:50 2012 to Apr 27 19:21:50 2012)
>> May  9 00:41:53 uxcasxxx pluto[4608]: added connection description
>> "cisco-vpn"
>> May  9 00:41:53 uxcasxxx pluto[4608]: | 0.0.0.0/0===172.31.114.227[C=CH,
>> O=strongSwan, CN=strongswan]...%any[C=CH, O=strongSwan, CN=*]===%addrpool
>> May  9 00:41:53 uxcasxxx pluto[4608]: | ike_life: 900s; ipsec_life: 120s;
>> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1; policy:
>> ENCRYPT+TUNNEL+XAUTHRSASIG+XAUTHSERVER
>> May  9 00:41:53 uxcasxxx pluto[4608]: | next event EVENT_REINIT_SECRET in
>> 3600 seconds
>> May  9 00:41:53 uxcasxxx pluto[4608]: |
>> May  9 00:41:53 uxcasxxx pluto[4608]: | *received whack message
>> May  9 00:41:53 uxcasxxx pluto[4608]: | from whack: got
>> --esp=aes128-sha1,3des-sha1
>> May  9 00:41:53 uxcasxxx pluto[4608]: | esp alg added:
>> AES_CBC_128/HMAC_SHA1, cnt=1
>> May  9 00:41:53 uxcasxxx pluto[4608]: | esp alg added:
>> 3DES_CBC_0/HMAC_SHA1, cnt=2
>> May  9 00:41:53 uxcasxxx pluto[4608]: | esp proposal:
>> AES_CBC_128/HMAC_SHA1, 3DES_CBC/HMAC_SHA1,
>> May  9 00:41:53 uxcasxxx pluto[4608]: | from whack: got
>> --ike=aes128-sha1-modp2048,3des-sha1-modp1536
>> May  9 00:41:53 uxcasxxx pluto[4608]: | ikg alg added:
>> AES_CBC_128/HMAC_SHA1/MODP_2048, cnt=1
>> May  9 00:41:53 uxcasxxx pluto[4608]: | ikg alg added:
>> 3DES_CBC_0/HMAC_SHA1/MODP_1536, cnt=2
>> May  9 00:41:53 uxcasxxx pluto[4608]: | ike proposal:
>> AES_CBC_128/HMAC_SHA1/MODP_2048, 3DES_CBC/HMAC_SHA1/MODP_1536,
>> May  9 00:41:53 uxcasxxx pluto[4608]: added connection description
>> "fqdn_vr"
>> May  9 00:41:53 uxcasxxx pluto[4608]: |
>> 172.31.114.227[172.31.114.227]...%any[divya at cas.com]===0.0.0.0/0
>> May  9 00:41:53 uxcasxxx pluto[4608]: | ike_life: 900s; ipsec_life: 120s;
>> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1; policy:
>> PSK+ENCRYPT+TUNNEL+DONTREKEY
>> May  9 00:42:10 uxcasxxx charon: 15[IKE] 172.31.114.211 is initiating an
>> IKE_SA
>> May  9 00:42:10 uxcasxxx pluto[4608]: |   ignoring IKEv2 packet
>> May  9 00:42:10 uxcasxxx pluto[4608]: | next event EVENT_REINIT_SECRET in
>> 3583 seconds
>> May  9 00:42:10 uxcasxxx pluto[4608]: |  ignoring IKEv2 packet
>> May  9 00:42:10 uxcasxxx pluto[4608]: | next event EVENT_REINIT_SECRET in
>> 3583 seconds
>> May  9 00:42:10 uxcasxxx charon: 07[IKE] IKE_SA fqdn_vr[1] established
>> between 172.31.114.227[172.31.114.227]...172.31.114.211[divya at cas.com]
>> May  9 00:42:10 uxcasxxx charon: 07[IKE] CHILD_SA fqdn_vr{1} established
>> with SPIs c307376c_i 7ac0291f_o and TS 172.31.114.227/32 === 0.0.0.0/0
>> May  9 00:42:42 uxcasxxx pluto[4608]: |
>> May  9 00:42:42 uxcasxxx pluto[4608]: | *received 76 bytes from
>> 172.31.114.211:500 on eth0
>> May  9 00:42:42 uxcasxxx pluto[4608]: |   4f 8e 1c 6f  03 97 b8 91  29 53
>> 9d 90  9e 9e 93 2c
>> May  9 00:42:42 uxcasxxx pluto[4608]: |   2e 20 25 08  00 00 00 01  00 00
>> 00 4c  2a 00 00 30
>> May  9 00:42:42 uxcasxxx pluto[4608]: |   53 58 ed 96  c4 69 2b db  27 43
>> a8 2f  19 61 e7 a0
>> May  9 00:42:42 uxcasxxx pluto[4608]: |   83 e8 2e 8f  e4 24 05 3b  ef bb
>> 28 f7  95 a1 8b 13
>> May  9 00:42:42 uxcasxxx pluto[4608]: |   e9 7f 85 d4  c7 52 38 5c  17 bc
>> 18 f9
>> May  9 00:42:42 uxcasxxx pluto[4608]: |   ignoring IKEv2 packet
>> May  9 00:42:42 uxcasxxx pluto[4608]: | next event EVENT_REINIT_SECRET in
>> 3551 seconds
>> May  9 00:42:42 uxcasxxx pluto[4608]: |
>> May  9 00:42:42 uxcasxxx pluto[4608]: | *received 76 bytes from
>> 172.31.114.211:500 on eth0
>> May  9 00:42:42 uxcasxxx pluto[4608]: |   4f 8e 1c 6f  03 97 b8 91  29 53
>> 9d 90  9e 9e 93 2c
>> May  9 00:42:42 uxcasxxx pluto[4608]: |   2e 20 23 28  00 00 00 01  00 00
>> 00 4c  29 00 00 30
>> May  9 00:42:42 uxcasxxx pluto[4608]: |   83 e8 2e 8f  e4 24 05 3b  ef bb
>> 28 f7  95 a1 8b 13
>> May  9 00:42:42 uxcasxxx pluto[4608]: |   55 33 20 fe  72 3d 17 cb  d7 85
>> 66 c3  0c fd 61 5f
>> May  9 00:42:42 uxcasxxx pluto[4608]: |   3d 2c b0 cb  0a 53 71 1c  8a d1
>> e7 e3
>> May  9 00:42:42 uxcasxxx pluto[4608]: |   ignoring IKEv2 packet
>> May  9 00:42:42 uxcasxxx pluto[4608]: | next event EVENT_REINIT_SECRET in
>> 3551 seconds
>>
>>
>> --
>> Regards,
>> Anonymous cross.
>>
>
>
>
> --
> Regards,
> Anonymous cross.
>



-- 
Regards,
Anonymous cross.
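Added example (not code from the thread or from strongSwan itself): it decodes the fixed IKEv2 header from the first 28 bytes of the two packets in the pluto hex dump above and models the responder-side message-ID rule of RFC 7296 (section 2.2), which is why a delete carrying message ID 1 right after IKE_AUTH 1 is answered with the cached IKE_AUTH response, while one carrying ID 2 is processed as a new request. The ResponderWindow class and replay_thread_scenario function are simplified, hypothetical models, not charon's implementation.

```python
import struct

EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20

# First 28 bytes of the two 76-byte packets in the posted pluto hex dump:
# SPIi (8) | SPIr (8) | next payload | version | exchange type | flags | message ID (4) | length (4)
DELETE_HDR = bytes.fromhex("4f8e1c6f0397b89129539d909e9e932c" "2e202508" "00000001" "0000004c")
AUTH_RESP_HDR = bytes.fromhex("4f8e1c6f0397b89129539d909e9e932c" "2e202328" "00000001" "0000004c")

def parse_ike_header(data):
    """Decode the fixed IKEv2 header (RFC 7296, section 3.1) into a dict."""
    if len(data) < 28:
        raise ValueError("truncated IKE header")
    spi_i, spi_r, nxt, ver, exch, flags, msg_id, length = struct.unpack("!8s8sBBBBII", data[:28])
    return {
        "spi_i": spi_i.hex(), "spi_r": spi_r.hex(), "next_payload": nxt,
        "version": f"{ver >> 4}.{ver & 0x0f}",
        "exchange": EXCHANGE_TYPES.get(exch, f"UNKNOWN({exch})"),
        "initiator": bool(flags & FLAG_INITIATOR), "response": bool(flags & FLAG_RESPONSE),
        "message_id": msg_id, "length": length,
    }

class ResponderWindow:
    """Simplified responder model (hypothetical): a new request must carry the next
    expected message ID; repeating the most recent ID counts as a retransmit and gets
    the cached response again; any other ID is dropped."""
    def __init__(self):
        self.expected = 0   # ID the next new request must carry
        self.last = None    # (msg_id, cached response) of the last processed request

    def handle_request(self, msg_id, exchange, response):
        if msg_id == self.expected:
            self.last = (msg_id, response)
            self.expected += 1
            return f"processed {exchange} {msg_id}, sent {response}"
        if self.last and msg_id == self.last[0]:
            return f"retransmit of request {msg_id}, resending {self.last[1]}"
        return f"ignored {exchange} {msg_id}, expected {self.expected}"

def replay_thread_scenario():
    """IKE_SA_INIT 0, IKE_AUTH 1, then a delete with the ID from the dump (1) and with ID 2."""
    r = ResponderWindow()
    out = [r.handle_request(0, "IKE_SA_INIT", "IKE_SA_INIT response"),
           r.handle_request(1, "IKE_AUTH", "IKE_AUTH response"),
           r.handle_request(parse_ike_header(DELETE_HDR)["message_id"], "INFORMATIONAL(D)", "delete response"),
           r.handle_request(2, "INFORMATIONAL(D)", "delete response")]
    return out

if __name__ == "__main__":
    for hdr in (DELETE_HDR, AUTH_RESP_HDR):
        print(parse_ike_header(hdr))
    print("\n".join(replay_thread_scenario()))
```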