[strongSwan] Problem with acquire job and established SA??
A. Valentin
avalentin at marcant.net
Fri Apr 12 09:39:20 CEST 2013
Hi!
I just got a problem after upgrading to 5.0.3:
The problem seems to be trap handling, here is the corresponding line:
Apr 12 08:15:57 rossini charon: 10[NET] sending packet: from XX.XX.XX.XX[500] to YY.YY.YY.YY[500] (92 bytes)
Apr 12 08:16:25 rossini charon: 01[KNL] creating acquire job for policy 192.168.191.21/32[tcp/http] === 192.168.200.2/32[tcp/49212] with reqid {1}
Apr 12 08:16:25 rossini charon: 11[CFG] trap not found, unable to acquire reqid 1
My colleague restarted the service after that, just for your knowledge:
Apr 12 08:17:43 rossini charon: 00[DMN] signal of type SIGINT received. Shutting down
Here are the CHILD_SA messages corresponding to this connection:
Apr 12 07:54:16 rossini charon: 15[IKE] CHILD_SA rw-client{1} established with SPIs c3fa2b5f_i c6f09180_o and TS 0.0.0.0/0 === 192.168.200.0/24
Apr 12 07:55:34 rossini charon: 01[KNL] creating rekey job for ESP CHILD_SA with SPI 8b62d81f and reqid {1}
Apr 12 07:59:06 rossini charon: 01[KNL] creating delete job for ESP CHILD_SA with SPI cbc0646b and reqid {1}
Apr 12 07:59:06 rossini charon: 01[KNL] creating delete job for ESP CHILD_SA with SPI 8b62d81f and reqid {1}
Apr 12 07:59:06 rossini charon: 08[IKE] closing expired CHILD_SA rw-client{1} with SPIs cbc0646b_i 8b62d81f_o and TS 0.0.0.0/0 === 192.168.200.0/24
Apr 12 07:59:06 rossini charon: 08[IKE] sending DELETE for ESP CHILD_SA with SPI cbc0646b
Apr 12 08:08:32 rossini charon: 01[KNL] creating rekey job for ESP CHILD_SA with SPI c6f09180 and reqid {1}
Apr 12 08:08:33 rossini charon: 10[IKE] CHILD_SA rw-client{1} established with SPIs cca8edf9_i 316275d5_o and TS 0.0.0.0/0 === 192.168.200.0/24
Apr 12 08:09:32 rossini charon: 01[KNL] creating rekey job for ESP CHILD_SA with SPI c3fa2b5f and reqid {1}
Apr 12 08:14:16 rossini charon: 01[KNL] creating delete job for ESP CHILD_SA with SPI c6f09180 and reqid {1}
Apr 12 08:14:16 rossini charon: 01[KNL] creating delete job for ESP CHILD_SA with SPI c3fa2b5f and reqid {1}
Apr 12 08:14:16 rossini charon: 12[IKE] closing expired CHILD_SA rw-client{1} with SPIs c3fa2b5f_i c6f09180_o and TS 0.0.0.0/0 === 192.168.200.0/24
Apr 12 08:14:16 rossini charon: 12[IKE] sending DELETE for ESP CHILD_SA with SPI c3fa2b5f
Apr 12 08:17:43 rossini charon: 00[IKE] closing CHILD_SA rw-client{1} with SPIs cca8edf9_i (94258 bytes) 316275d5_o (857068 bytes) and TS 0.0.0.0/0 === 192.168.200.0/24
Apr 12 08:17:43 rossini charon: 00[IKE] sending DELETE for ESP CHILD_SA with SPI cca8edf9
I think there was an active CHILD_SA, so why did the acquire job above not work?
Apr 12 08:08:33 rossini charon: 10[IKE] CHILD_SA rw-client{1} established with SPIs cca8edf9_i 316275d5_o and TS 0.0.0.0/0 === 192.168.200.0/24
Apr 12 08:17:43 rossini charon: 00[IKE] closing CHILD_SA rw-client{1} with SPIs cca8edf9_i (94258 bytes) 316275d5_o (857068 bytes) and TS 0.0.0.0/0 === 192.168.200.0/24
Apr 12 08:17:43 rossini charon: 00[IKE] sending DELETE for ESP CHILD_SA with SPI cca8edf9
strongSwan also thought it was up (I think this was generated just after the acquire entry above):
Security Associations (1 up, 0 connecting):
rw-client[41]: ESTABLISHED 6 minutes ago, XX.XX.XX.XX[ipsec-server.tld]...YY.YY.YY.YY[client-fqdn]
rw-client{1}: INSTALLED, TUNNEL, ESP SPIs: cca8edf9_i 316275d5_o
rw-client{1}: 0.0.0.0/0 === 192.168.200.0/24
Here is my config:
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    authby=secret

conn fritz-base
    left=XX.XX.XX.XX
    leftsubnet=0.0.0.0/0
    leftid=@ipsec-server.tld
    rightallowany=yes
    esp=aes256-sha1-modp1024
    aggressive=yes
    authby=secret

conn rw-client
    also=fritz-base
    #right=client-fqdn
    right=%any
    rightid=@client-fqdn
    rightsubnet=192.168.200.0/24
    auto=start
So my general question is: Why does an acquire job throw an error if the SA is already established?
Explanation:
xx.xx.xx.xx: Server IP [rossini]
yy.yy.yy.yy: Client IP
Kind regards,
André
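
The replay below is an added example, not part of the original message and not strongSwan code: it walks the charon lines quoted in the post in order and reports which CHILD_SAs with the same reqid were logged as established and not yet closed when the acquire fired. It assumes the lines are in chronological order; the function name is hypothetical.

```python
import re

# Log lines copied from the post above (a subset, in their original order).
LOG = """\
Apr 12 07:54:16 rossini charon: 15[IKE] CHILD_SA rw-client{1} established with SPIs c3fa2b5f_i c6f09180_o and TS 0.0.0.0/0 === 192.168.200.0/24
Apr 12 07:59:06 rossini charon: 08[IKE] closing expired CHILD_SA rw-client{1} with SPIs cbc0646b_i 8b62d81f_o and TS 0.0.0.0/0 === 192.168.200.0/24
Apr 12 08:08:33 rossini charon: 10[IKE] CHILD_SA rw-client{1} established with SPIs cca8edf9_i 316275d5_o and TS 0.0.0.0/0 === 192.168.200.0/24
Apr 12 08:14:16 rossini charon: 12[IKE] closing expired CHILD_SA rw-client{1} with SPIs c3fa2b5f_i c6f09180_o and TS 0.0.0.0/0 === 192.168.200.0/24
Apr 12 08:16:25 rossini charon: 01[KNL] creating acquire job for policy 192.168.191.21/32[tcp/http] === 192.168.200.2/32[tcp/49212] with reqid {1}
Apr 12 08:16:25 rossini charon: 11[CFG] trap not found, unable to acquire reqid 1
Apr 12 08:17:43 rossini charon: 00[IKE] closing CHILD_SA rw-client{1} with SPIs cca8edf9_i (94258 bytes) 316275d5_o (857068 bytes) and TS 0.0.0.0/0 === 192.168.200.0/24
""".splitlines()

STAMP = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) ")
EST = re.compile(r"CHILD_SA [\w-]+\{(\d+)\} established with SPIs ([0-9a-f]+)_i ([0-9a-f]+)_o")
CLOSE = re.compile(r"closing (?:expired )?CHILD_SA [\w-]+\{(\d+)\} with SPIs ([0-9a-f]+)_i")
ACQ = re.compile(r"creating acquire job for policy (.+) with reqid \{(\d+)\}")


def acquires_with_installed_sas(lines):
    """Replay the log in order. For every acquire, list the CHILD_SAs with the
    same reqid that were logged as established and not yet logged as closed."""
    installed = {}  # reqid -> {inbound SPI: outbound SPI}
    findings = []
    for line in lines:
        stamp = STAMP.match(line)
        when = stamp.group(1) if stamp else "?"
        if m := EST.search(line):
            installed.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
        elif m := CLOSE.search(line):
            # A close for an SA whose setup is outside the excerpt is ignored.
            installed.get(m.group(1), {}).pop(m.group(2), None)
        elif m := ACQ.search(line):
            live = sorted(installed.get(m.group(2), {}).items())
            findings.append((when, m.group(2), m.group(1), live))
    return findings


if __name__ == "__main__":
    for when, reqid, policy, live in acquires_with_installed_sas(LOG):
        print(f"{when} acquire for reqid {reqid}: {policy}")
        for spi_in, spi_out in live:
            print(f"  logged as installed at that time: {spi_in}_i {spi_out}_o")
```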