[strongSwan] SCTP Packet loss after re-keying

Joern Mewes joern.mewes at gmx.net
Thu May 31 12:38:11 CEST 2012


Hello,

We are facing a problem after upgrading our VPN simulators from Ubuntu 9.10
(Strongswan 4.4.1) to Ubuntu 12.04 (Strongswan 4.5.2) and are not sure if
the problem is related to Strongswan or to the Linux kernel. Thus, we
would really appreciate it if someone could guide us in the right direction.

The VPN as such is coming up without problems and traffic (SCTP and ICMP)
is running fine. But after P2-Rekeying we noticed that the SCTP packets
get lost at some point. We analyzed the problem in more detail and found
out that after establishing the new P2-SA the ICMP packets are using this
SA immediately while the SCTP packets are still using the old SA.
At some point the old SA will be deleted and from this point in time the
SCTP packets will not get forwarded to the VPN anymore.

Please find a pcap-file showing the problem attached to this email. I
changed the encryption algorithm so that the pcap file can be decoded in
Wireshark.

192.168.31.21: Interface on the Ubuntu system terminating the VPN tunnel
192.168.30.63: IKE interface of the Peer (Juniper SRX)
10.21.11.1: Source-IP for inner tunnel traffic going from Ubuntu to VPN peer
10.22.11.1: Source-IP for inner tunnel traffic going from VPN peer to Ubuntu

Packets 1-9 are showing the successful negotiation of both P1 and P2.
After that traffic starts flowing in both directions.
SPIs are 0x318dc5cc and 0xce713df8.
Packets 288-290 are showing the negotiation of a new P2 (new SPIs are
0x3118ef04 and 0xc77f117d). I see that the ICMP packets going from
10.21.11.1 (starting from packet 291) to 10.22.11.1 are using the
new SA immediately.
But I also see that the SCTP packets from 10.21.11.1 to 10.22.11.1
(294,297...) are still using the old SA. At packet 571 the SRX is
sending a QM-delete message to clear 0x318dc5cc and at this time all
further SCTP packets from 10.21.11.1 to 10.22.11.1 are getting lost while
ICMP is still running fine.

Do you have an explanation why only ICMP traffic is using the new SA? And
is this a correct behavior? And in case it is a problem, is it either
related to Strongswan or to the Linux kernel?

The Pluto log as well as the ipsec.conf are also attached to this email.
If you need further information just let me know.

Thank you for your help and have a nice day.

Joern
                                                                       
-------------- next part --------------
A non-text attachment was scrubbed...
Name: trace.zip
Type: application/x-zip-compressed
Size: 30049 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120531/e2d9139a/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pluto.log
Type: application/octet-stream
Size: 10767 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120531/e2d9139a/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec.conf
Type: application/octet-stream
Size: 1114 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120531/e2d9139a/attachment-0001.obj>
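
The check described in the mail (which SA each inner protocol uses after the P2 rekey, and whether it survives the delete of the old SA) can be automated over an export of the decrypted capture. This is an added example, not part of the original post; the record format, the sample frames, and the assignment of 0x318dc5cc (old) and 0x3118ef04 (new) to the Ubuntu-to-peer direction are assumptions.

```python
from collections import defaultdict

# Constructed sample modelled on the frame numbers and SPIs quoted in the mail.
# Record: (frame number, ESP SPI, inner protocol), direction 10.21.11.1 -> 10.22.11.1.
# Assumption: OLD_SPI/NEW_SPI are the outbound SPIs before and after the rekey.
OLD_SPI, NEW_SPI = 0x318DC5CC, 0x3118EF04
REKEY_FRAME, DELETE_FRAME = 290, 571
SAMPLE = [
    (280, OLD_SPI, "icmp"), (283, OLD_SPI, "sctp"),
    (291, NEW_SPI, "icmp"), (294, OLD_SPI, "sctp"),
    (296, NEW_SPI, "icmp"), (297, OLD_SPI, "sctp"),
    (568, OLD_SPI, "sctp"), (573, NEW_SPI, "icmp"),
    (580, NEW_SPI, "icmp"),
]

def analyse(records, rekey_frame, delete_frame):
    """Report, per inner protocol, which SA it used once the new SA existed."""
    # Every SPI seen before the rekey completed belongs to an old SA.
    pre_spis = {spi for frame, spi, _ in records if frame < rekey_frame}
    stats = defaultdict(lambda: {"stale": [], "fresh": 0, "after_delete": 0})
    for frame, spi, proto in sorted(records):
        entry = stats[proto]          # registers protocols seen only before rekey
        if frame < rekey_frame:
            continue
        if spi in pre_spis:
            entry["stale"].append(frame)   # still sent on the superseded SA
        else:
            entry["fresh"] += 1
        if frame > delete_frame:
            entry["after_delete"] += 1
    report = {}
    for proto, e in stats.items():
        if e["stale"] and not e["fresh"]:
            verdict = "stuck on old SA"
        elif e["stale"]:
            verdict = "mixed"
        elif e["fresh"]:
            verdict = "migrated"
        else:
            verdict = "no traffic after rekey"
        report[proto] = {"verdict": verdict, "stale_frames": e["stale"],
                         "seen_after_delete": e["after_delete"] > 0}
    return report

if __name__ == "__main__":
    for proto, result in analyse(SAMPLE, REKEY_FRAME, DELETE_FRAME).items():
        print(proto, result)
```

A protocol reported as "stuck on old SA" with `seen_after_delete` false matches the symptom in the mail: its packets stay on the superseded SPI and disappear from the capture once that SA is deleted.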