[strongSwan] Rekeying fails
John A. Sullivan III
jsullivan at opensourcedevel.com
Tue Jul 2 03:55:18 CEST 2013
Hello, all. Any takers on this one? I've collected tons of logs but
nothing is giving me an idea of where to look. Thanks - John
On Fri, 2013-06-28 at 19:32 -0400, John A. Sullivan III wrote:
> On Thu, 2013-06-27 at 05:33 -0400, John A. Sullivan III wrote:
> > On Thu, 2013-06-27 at 04:36 -0400, John A. Sullivan III wrote:
> > > Hello, all. I am using Linux strongSwan U4.5.2/K3.2.0-23-generic on
> > > Ubuntu 12.04 to protect GRE tunnels containing OSPF among other things
> > > using transport mode with certificates. There are two bare metal
> > > instances running from our data centers and two EC2 instances in
> > > Amazon's cloud (which must use nat traversal). It makes no difference
> > > in that all the sessions fail to rekey - data center to data center and
> > > data center to cloud. The connections are successfully established when
> > > ipsec starts but simply fail to rekey.
> > >
> > > I can see the rekey attempts but they fail:
> > >
> > > Jun 26 12:30:35 gw8-2 charon: 10[IKE] queueing IKE_REAUTH task
> > > Jun 26 12:30:35 gw8-2 charon: 10[IKE] activating new tasks
> > > Jun 26 12:30:35 gw8-2 charon: 10[IKE] activating IKE_REAUTH task
> > > Jun 26 12:30:35 gw8-2 charon: 10[IKE] deleting IKE_SA gw16-32[2] between x.x.219.226[CN=datacentergw, OU=VPN, DC=mycompany, DC=com]...y.y.140.68[CN=cloudgw, OU=VPN, DC=mycompany . .
> > > Jun 26 12:30:35 gw8-2 charon: 10[IKE] IKE_SA gw16-32[2] state change: ESTABLISHED => DELETING
> > > Jun 26 12:30:35 gw8-2 charon: 10[IKE] sending DELETE for IKE_SA gw16-32[2]
> > > Jun 26 12:30:35 gw8-2 charon: 10[ENC] generating INFORMATIONAL request 1122 [ D ]
> > > Jun 26 12:30:35 gw8-2 charon: 10[NET] sending packet: from x.x.219.226[4500] to y.y.140.68[4500]
> > > Jun 26 12:30:35 gw8-2 charon: 12[NET] received packet: from y.y.140.68[4500] to x.x.219.226[4500]
> > > Jun 26 12:30:35 gw8-2 charon: 12[ENC] parsed INFORMATIONAL response 1122 [ ]
> > > Jun 26 12:30:35 gw8-2 charon: 12[IKE] IKE_SA deleted
> > > Jun 26 12:30:35 gw8-2 charon: 12[IKE] unable to reauthenticate IKE_SA, no CHILD_SA to recreate
> > > Jun 26 12:30:35 gw8-2 charon: 12[IKE] IKE_SA gw16-32[2] state change: DELETING => DESTROYING
> > >
> > > I've tried disabling mobike. I've tried setting dpdaction=restart and
> > > hold. I've tried setting reauth=no.
> > >
> > > Here is a typical configuration:
> > > config setup
> > >     plutodebug=all
> > >     charondebug="ike 4"
> > >     nat_traversal=yes
> > >     charonstart=yes
> > >     plutostart=yes
> > >
> > > conn %default
> > >     left=x.x.219.226 # Do NOT use %default route as that may change with OSPF
> > >     leftrsasigkey=%cert
> > >     leftcert=cert1.pem
> > >     leftid="CN=datacentergw,OU=VPN,DC=mycompany,DC=com"
> > >     keyingtries=20
> > >     authby=rsasig
> > >     rightrsasigkey=%cert
> > >     keylife=60m
> > >     rekeymargin=5m
> > >     ikelifetime=3h
> > >     reauth=no
> > >     mobike=no
> > >     auto=ignore
> > >
> > >
> > > include /etc/ipsec.d/remotenets/*.conf
> > >
> > >
> > > conn gw16-48
> > >     right=y.y.137.197
> > >     rightid="CN=cloudgw,OU=VPN,DC=mycompany,DC=com"
> > >     also=gre
> > >     auto=start
> > >
> > > conn gre
> > >     type=transport
> > >     leftprotoport=47
> > >     rightprotoport=47
> > >     dpddelay=9
> > >     dpdtimeout=30
> > >     #dpdaction=restart
> > >     compress=yes
> > >
> > > What am I doing wrong? Thanks - John
> > >
> > <snip>
> >
> > Here is an example of a data center to data center (no nat-t) failure:
> >
> > Jun 27 05:20:29 gw8-2 charon: 15[NET] received packet: from y.y.118.3[500] to x.x.219.226[500]
> > Jun 27 05:20:29 gw8-2 charon: 15[ENC] parsed CREATE_CHILD_SA request 0 [ N(REKEY_SA) N(IPCOMP_SUPP) N(USE_TRANSP) SA No TSi TSr ]
> > Jun 27 05:20:29 gw8-2 charon: 15[IKE] received IPCOMP_SUPPORTED notify but IPComp is disabled, ignoring
> > Jun 27 05:20:29 gw8-2 charon: 15[IKE] CHILD_SA gwhq{1} established with SPIs c4dd72af_i cb5ce504_o and TS x.x.219.226/32[gre] === y.y.118.3/32[gre]
> > Jun 27 05:20:29 gw8-2 charon: 15[ENC] generating CREATE_CHILD_SA response 0 [ N(USE_TRANSP) SA No TSi TSr ]
> > Jun 27 05:20:29 gw8-2 charon: 15[NET] sending packet: from x.x.219.226[500] to y.y.118.3[500]
> > Jun 27 05:20:33 gw8-2 charon: 09[NET] received packet: from y.y.118.3[500] to x.x.219.226[500]
> > Jun 27 05:20:33 gw8-2 charon: 09[ENC] parsed CREATE_CHILD_SA request 0 [ N(REKEY_SA) N(IPCOMP_SUPP) N(USE_TRANSP) SA No TSi TSr ]
> > Jun 27 05:20:33 gw8-2 charon: 09[IKE] received retransmit of request with ID 0, retransmitting response
> > Jun 27 05:20:33 gw8-2 charon: 09[NET] sending packet: from x.x.219.226[500] to y.y.118.3[500]
> > Jun 27 05:20:40 gw8-2 charon: 04[NET] received packet: from y.y.118.3[500] to x.x.219.226[500]
> > Jun 27 05:20:40 gw8-2 charon: 04[ENC] parsed CREATE_CHILD_SA request 0 [ N(REKEY_SA) N(IPCOMP_SUPP) N(USE_TRANSP) SA No TSi TSr ]
> > Jun 27 05:20:40 gw8-2 charon: 04[IKE] received retransmit of request with ID 0, retransmitting response
> > Jun 27 05:20:40 gw8-2 charon: 04[NET] sending packet: from x.x.219.226[500] to y.y.118.3[500]
> > Jun 27 05:20:53 gw8-2 charon: 12[NET] received packet: from y.y.118.3[500] to x.x.219.226[500]
> > Jun 27 05:20:53 gw8-2 charon: 12[ENC] parsed CREATE_CHILD_SA request 0 [ N(REKEY_SA) N(IPCOMP_SUPP) N(USE_TRANSP) SA No TSi TSr ]
> > Jun 27 05:20:53 gw8-2 charon: 12[IKE] received retransmit of request with ID 0, retransmitting response
> > Jun 27 05:20:53 gw8-2 charon: 12[NET] sending packet: from x.x.219.226[500] to y.y.118.3[500]
> > Jun 27 05:21:02 gw8-2 charon: 10[IKE] keeping connection path x.x.219.226 - y.y.118.3
> > Jun 27 05:21:16 gw8-2 charon: 13[NET] received packet: from y.y.118.3[500] to x.x.219.226[500]
> > Jun 27 05:21:16 gw8-2 charon: 13[ENC] parsed CREATE_CHILD_SA request 0 [ N(REKEY_SA) N(IPCOMP_SUPP) N(USE_TRANSP) SA No TSi TSr ]
> > Jun 27 05:21:16 gw8-2 charon: 13[IKE] received retransmit of request with ID 0, retransmitting response
> > Jun 27 05:21:16 gw8-2 charon: 13[NET] sending packet: from x.x.219.226[500] to y.y.118.3[500]
> > Jun 27 05:21:58 gw8-2 charon: 11[NET] received packet: from y.y.118.3[500] to x.x.219.226[500]
> > Jun 27 05:21:58 gw8-2 charon: 11[ENC] parsed CREATE_CHILD_SA request 0 [ N(REKEY_SA) N(IPCOMP_SUPP) N(USE_TRANSP) SA No TSi TSr ]
> > Jun 27 05:21:58 gw8-2 charon: 11[IKE] received retransmit of request with ID 0, retransmitting response
> > Jun 27 05:21:58 gw8-2 charon: 11[NET] sending packet: from x.x.219.226[500] to y.y.118.3[500]
> > Jun 27 05:23:56 gw8-2 charon: 01[KNL] creating rekey job for ESP CHILD_SA with SPI c29fe285 and reqid {1}
> > Jun 27 05:23:56 gw8-2 charon: 15[IKE] queueing CHILD_REKEY task
> > Jun 27 05:23:56 gw8-2 charon: 15[IKE] activating new tasks
> > Jun 27 05:23:56 gw8-2 charon: 15[IKE] activating CHILD_REKEY task
> > Jun 27 05:23:56 gw8-2 charon: 15[IKE] establishing CHILD_SA gwhq{1}
> > Jun 27 05:23:56 gw8-2 charon: 15[ENC] generating CREATE_CHILD_SA request 2 [ N(REKEY_SA) N(USE_TRANSP) SA No TSi TSr ]
> > Jun 27 05:23:56 gw8-2 charon: 15[NET] sending packet: from x.x.219.226[500] to y.y.118.3[500]
> > Jun 27 05:24:00 gw8-2 charon: 09[IKE] retransmit 1 of request with message ID 2
> > Jun 27 05:24:00 gw8-2 charon: 09[NET] sending packet: from x.x.219.226[500] to y.y.118.3[500]
> > Jun 27 05:24:07 gw8-2 charon: 04[IKE] retransmit 2 of request with message ID 2
> > Jun 27 05:24:07 gw8-2 charon: 04[NET] sending packet: from x.x.219.226[500] to y.y.118.3[500]
> > Jun 27 05:24:10 gw8-2 charon: 01[KNL] creating rekey job for ESP CHILD_SA with SPI c815ae82 and reqid {1}
> > Jun 27 05:24:10 gw8-2 charon: 12[IKE] queueing CHILD_REKEY task
> > Jun 27 05:24:10 gw8-2 charon: 12[IKE] delaying task initiation, CREATE_CHILD_SA exchange in progress
> > Jun 27 05:24:20 gw8-2 charon: 14[IKE] retransmit 3 of request with message ID 2
> > Jun 27 05:24:20 gw8-2 charon: 14[NET] sending packet: from x.x.219.226[500] to y.y.118.3[500]
> > Jun 27 05:24:43 gw8-2 charon: 10[IKE] retransmit 4 of request with message ID 2
> > Jun 27 05:24:43 gw8-2 charon: 10[NET] sending packet: from x.x.219.226[500] to y.y.118.3[500]
> > Jun 27 05:25:25 gw8-2 charon: 13[IKE] retransmit 5 of request with message ID 2
> > Jun 27 05:25:25 gw8-2 charon: 13[NET] sending packet: from x.x.219.226[500] to y.y.118.3[500]
> > Jun 27 05:26:41 gw8-2 charon: 01[KNL] creating delete job for ESP CHILD_SA with SPI cdc08781 and reqid {1}
> > Jun 27 05:26:41 gw8-2 charon: 11[IKE] queueing CHILD_DELETE task
> > Jun 27 05:26:41 gw8-2 charon: 11[IKE] delaying task initiation, CREATE_CHILD_SA exchange in progress
> > Jun 27 05:26:41 gw8-2 charon: 15[IKE] giving up after 5 retransmits
> > Jun 27 05:26:41 gw8-2 charon: 15[IKE] IKE_SA gwhq[1] state change: ESTABLISHED => DESTROYING
> > Jun 27 05:26:41 gw8-2 charon: 15[KNL] received netlink error: No such process (3)
> > Jun 27 05:26:41 gw8-2 charon: 15[KNL] unable to delete SAD entry with SPI cdc08781
> >
> > Thanks - John
> <snip>
> Alas, I'm still having grief with this although it is down to a single
> problematic gateway. The problems with the AWS systems were the
> challenge of GRE / IPSec in a NAT environment like AWS. An old email
> said there was not a use case for NAT-T and Transport mode - this seems
> like one! I had to add leftsubnet parameters and set them to the real
> address while the left was set to the NAT address and then redefine the
> GRE setup to use the real rather than NAT address as its end point.
>
> But that did not fix one of the gateways. It seems absolutely identical
> to the working ones. I checked the date, key length, every line of the
> configuration files and included files yet it fails to renegotiate all
> of its connections. Here are the logs:
>
> Jun 28 18:44:47 gw8-2 charon: 09[NET] received packet: from y.y.140.68[4500] to x.x.219.226[4500]
> Jun 28 18:44:47 gw8-2 charon: 09[ENC] parsed CREATE_CHILD_SA request 0 [ N(REKEY_SA) SA No TSi TSr ]
> Jun 28 18:44:47 gw8-2 charon: 09[IKE] received retransmit of request with ID 0, retransmitting response
> Jun 28 18:44:47 gw8-2 charon: 09[NET] sending packet: from x.x.219.226[4500] to y.y.140.68[4500]
> Jun 28 18:44:48 gw8-2 charon: 01[KNL] received a XFRM_MSG_EXPIRE
> Jun 28 18:44:48 gw8-2 charon: 01[KNL] creating rekey job for ESP CHILD_SA with SPI c844dcc8 and reqid {7}
> Jun 28 18:44:48 gw8-2 charon: 10[IKE] queueing CHILD_REKEY task
> Jun 28 18:44:48 gw8-2 charon: 10[IKE] activating new tasks
> Jun 28 18:44:48 gw8-2 charon: 10[IKE] activating CHILD_REKEY task
> Jun 28 18:44:48 gw8-2 charon: 10[IKE] establishing CHILD_SA gw16-32{7}
> Jun 28 18:44:48 gw8-2 charon: 10[KNL] getting SPI for reqid {7}
> Jun 28 18:44:48 gw8-2 charon: 10[KNL] sending XFRM_MSG_ALLOCSPI: => 248 bytes @ 0x7f1ebd3da830
> Jun 28 18:44:48 gw8-2 charon: 10[KNL] got SPI cd6de20e for reqid {7}
> Jun 28 18:44:48 gw8-2 charon: 10[IKE] IPComp is not supported if either peer is natted, IPComp disabled
> Jun 28 18:44:48 gw8-2 charon: 10[ENC] generating CREATE_CHILD_SA request 4 [ N(REKEY_SA) SA No TSi TSr ]
> Jun 28 18:44:48 gw8-2 charon: 10[NET] sending packet: from x.x.219.226[4500] to y.y.140.68[4500]
> Jun 28 18:44:52 gw8-2 charon: 14[IKE] retransmit 1 of request with message ID 4
> Jun 28 18:44:52 gw8-2 charon: 14[NET] sending packet: from x.x.219.226[4500] to y.y.140.68[4500]
> Jun 28 18:45:00 gw8-2 charon: 13[IKE] retransmit 2 of request with message ID 4
> Jun 28 18:45:00 gw8-2 charon: 13[NET] sending packet: from x.x.219.226[4500] to y.y.140.68[4500]
> Jun 28 18:45:12 gw8-2 charon: 11[IKE] retransmit 3 of request with message ID 4
> Jun 28 18:45:12 gw8-2 charon: 11[NET] sending packet: from x.x.219.226[4500] to y.y.140.68[4500]
> Jun 28 18:45:29 gw8-2 charon: 12[NET] received packet: from y.y.140.68[4500] to x.x.219.226[4500]
> Jun 28 18:45:29 gw8-2 charon: 12[ENC] parsed CREATE_CHILD_SA request 0 [ N(REKEY_SA) SA No TSi TSr ]
> Jun 28 18:45:29 gw8-2 charon: 12[IKE] received retransmit of request with ID 0, retransmitting response
> Jun 28 18:45:29 gw8-2 charon: 12[NET] sending packet: from x.x.219.226[4500] to y.y.140.68[4500]
> Jun 28 18:45:36 gw8-2 charon: 04[IKE] retransmit 4 of request with message ID 4
> Jun 28 18:45:36 gw8-2 charon: 04[NET] sending packet: from x.x.219.226[4500] to y.y.140.68[4500]
> Jun 28 18:46:06 gw8-2 kernel: [49325.514878] IPTDROP IN=eth1 OUT= MAC=00:23:8b:97:f7:4e:00:11:bc:39:10:00:08:00 SRC=60.214.233.220 DST=x.x.219.227 LEN=40 TOS=0x00 PREC=0x00 TTL=104 ID=256 PROTO=TCP SPT=6000 DPT=8080 W
> Jun 28 18:46:06 gw8-2 kernel: [49325.516565] IPTDROP IN=eth1 OUT= MAC=00:23:8b:97:f7:4e:00:11:bc:39:10:00:08:00 SRC=60.214.233.220 DST=x.x.219.226 LEN=40 TOS=0x00 PREC=0x00 TTL=104 ID=256 PROTO=TCP SPT=6000 DPT=8080 W
> Jun 28 18:46:18 gw8-2 charon: 08[IKE] retransmit 5 of request with message ID 4
> Jun 28 18:46:18 gw8-2 charon: 08[NET] sending packet: from x.x.219.226[4500] to y.y.140.68[4500]
> Jun 28 18:46:30 gw8-2 charon: 01[KNL] received a XFRM_MSG_EXPIRE
> Jun 28 18:46:30 gw8-2 charon: 01[KNL] creating rekey job for ESP CHILD_SA with SPI c9cbdc88 and reqid {7}
> Jun 28 18:46:30 gw8-2 charon: 09[IKE] queueing CHILD_REKEY task
> Jun 28 18:46:30 gw8-2 charon: 09[IKE] delaying task initiation, CREATE_CHILD_SA exchange in progress
> Jun 28 18:47:33 gw8-2 charon: 01[KNL] received a XFRM_MSG_EXPIRE
> Jun 28 18:47:33 gw8-2 charon: 01[KNL] creating delete job for ESP CHILD_SA with SPI cd6de20e and reqid {7}
> Jun 28 18:47:33 gw8-2 charon: 10[IKE] queueing CHILD_DELETE task
> Jun 28 18:47:33 gw8-2 charon: 10[IKE] delaying task initiation, CREATE_CHILD_SA exchange in progress
> Jun 28 18:47:33 gw8-2 charon: 14[IKE] giving up after 5 retransmits
> Jun 28 18:47:33 gw8-2 charon: 14[IKE] IKE_SA gw16-32[7] state change: ESTABLISHED => DESTROYING
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] deleting SAD entry with SPI cd6de20e
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] deleting SAD entry with SPI cd6de20e
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] sending XFRM_MSG_DELSA: => 40 bytes @ 0x7f1ebb3d6810
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] 0: 28 00 00 00 11 00 05 00 E4 01 00 00 88 0C 00 00 (...............
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] 16: 04 1E DB E2 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] 32: CD 6D E2 0E 02 00 32 00 .m....2.
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] received netlink error: No such process (3)
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] unable to delete SAD entry with SPI cd6de20e
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] deleting SAD entry with SPI c844dcc8
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] sending XFRM_MSG_DELSA: => 40 bytes @ 0x7f1ebb3d6860
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] 0: 28 00 00 00 11 00 05 00 E5 01 00 00 88 0C 00 00 (...............
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] 16: 04 1E DB E2 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] 32: C8 44 DC C8 02 00 32 00 .D....2.
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] deleted SAD entry with SPI c844dcc8
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] deleting SAD entry with SPI c9cbdc88
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] sending XFRM_MSG_DELSA: => 40 bytes @ 0x7f1ebb3d6860
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] 0: 28 00 00 00 11 00 05 00 E6 01 00 00 88 0C 00 00 (...............
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] 16: 36 D7 8C 44 00 00 00 00 00 00 00 00 00 00 00 00 6..D............
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] 32: C9 CB DC 88 02 00 32 00 ......2.
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] deleted SAD entry with SPI c9cbdc88
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] deleting policy x.x.219.226/32[gre] === n.n.32.254/32[gre] out
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] policy still used by another CHILD_SA, not removed
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] deleting policy n.n.32.254/32[gre] === x.x.219.226/32[gre] in
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] policy still used by another CHILD_SA, not removed
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] deleting policy n.n.32.254/32[gre] === x.x.219.226/32[gre] fwd
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] policy still used by another CHILD_SA, not removed
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] deleting SAD entry with SPI cb432965
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] sending XFRM_MSG_DELSA: => 40 bytes @ 0x7f1ebb3d6860
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] 0: 28 00 00 00 11 00 05 00 E7 01 00 00 88 0C 00 00 (...............
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] 16: 04 1E DB E2 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] 32: CB 43 29 65 02 00 32 00 .C)e..2.
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] deleted SAD entry with SPI cb432965
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] deleting SAD entry with SPI c456e385
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] sending XFRM_MSG_DELSA: => 40 bytes @ 0x7f1ebb3d6860
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] 0: 28 00 00 00 11 00 05 00 E8 01 00 00 88 0C 00 00 (...............
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] 16: 36 D7 8C 44 00 00 00 00 00 00 00 00 00 00 00 00 6..D............
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] 32: C4 56 E3 85 02 00 32 00 .V....2.
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] deleted SAD entry with SPI c456e385
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] deleting policy x.x.219.226/32[gre] === n.n.32.254/32[gre] out
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] sending XFRM_MSG_DELPOLICY: => 80 bytes @ 0x7f1ebb3d6860
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] 0: 50 00 00 00 14 00 05 00 E9 01 00 00 88 0C 00 00 P...............
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] 16: AC 1F 20 FE 00 00 00 00 00 00 00 00 00 00 00 00 .. .............
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] 32: 04 1E DB E2 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] 48: 00 00 00 00 00 00 00 00 02 00 20 20 2F 00 00 00 .......... /...
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] 64: 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ................
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] deleting policy n.n.32.254/32[gre] === x.x.219.226/32[gre] in
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] sending XFRM_MSG_DELPOLICY: => 80 bytes @ 0x7f1ebb3d6860
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] 0: 50 00 00 00 14 00 05 00 EA 01 00 00 88 0C 00 00 P...............
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] 16: 04 1E DB E2 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] 32: AC 1F 20 FE 00 00 00 00 00 00 00 00 00 00 00 00 .. .............
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] 48: 00 00 00 00 00 00 00 00 02 00 20 20 2F 00 00 00 .......... /...
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] 64: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] deleting policy n.n.32.254/32[gre] === x.x.219.226/32[gre] fwd
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] sending XFRM_MSG_DELPOLICY: => 80 bytes @ 0x7f1ebb3d6860
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] 0: 50 00 00 00 14 00 05 00 EB 01 00 00 88 0C 00 00 P...............
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] 16: 04 1E DB E2 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] 32: AC 1F 20 FE 00 00 00 00 00 00 00 00 00 00 00 00 .. .............
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] 48: 00 00 00 00 00 00 00 00 02 00 20 20 2F 00 00 00 .......... /...
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] 64: 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 ................
> Jun 28 18:47:33 gw8-2 charon: 14[KNL] getting iface index for eth1
>
> In my ignorance, nothing is jumping out at me as the problem. Any
> ideas? Thanks - John
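Added example, not part of the original post and not strongSwan code: a Python triage that pairs each locally generated IKEv2 request in a charon log with its retransmits and any parsed response, and counts how often the peer re-sent its own request. The sample lines are copied from the gw16-32 log quoted above; the function names are this example's own, and the input is assumed to be filtered to a single IKE_SA.

```python
import re
from collections import defaultdict

# Message texts as they appear in the charon lines quoted in the post.
CHARON = re.compile(r"charon: \d+\[(?:IKE|ENC)\] (.*)$")
GEN_REQ = re.compile(r"generating (\w+) request (\d+) ")
PARSED_RESP = re.compile(r"parsed \w+ response (\d+) ")
RETX_OUT = re.compile(r"retransmit (\d+) of request with message ID (\d+)")
RETX_IN = re.compile(r"received retransmit of request with ID (\d+)")
GAVE_UP = re.compile(r"giving up after \d+ retransmits")

# Lines copied from the gw16-32 log in the post (Jun 28).
SAMPLE = [
    "Jun 28 18:44:47 gw8-2 charon: 09[IKE] received retransmit of request with ID 0, retransmitting response",
    "Jun 28 18:44:48 gw8-2 charon: 10[ENC] generating CREATE_CHILD_SA request 4 [ N(REKEY_SA) SA No TSi TSr ]",
    "Jun 28 18:44:52 gw8-2 charon: 14[IKE] retransmit 1 of request with message ID 4",
    "Jun 28 18:45:00 gw8-2 charon: 13[IKE] retransmit 2 of request with message ID 4",
    "Jun 28 18:45:12 gw8-2 charon: 11[IKE] retransmit 3 of request with message ID 4",
    "Jun 28 18:45:29 gw8-2 charon: 12[IKE] received retransmit of request with ID 0, retransmitting response",
    "Jun 28 18:45:36 gw8-2 charon: 04[IKE] retransmit 4 of request with message ID 4",
    "Jun 28 18:46:18 gw8-2 charon: 08[IKE] retransmit 5 of request with message ID 4",
    "Jun 28 18:47:33 gw8-2 charon: 14[IKE] giving up after 5 retransmits",
]


def triage(lines):
    """Pair local requests with retransmits/responses for ONE IKE_SA's lines
    (message IDs restart for every IKE_SA, so mixed input would collide)."""
    requests = {}                   # local message ID -> state
    peer_retx = defaultdict(int)    # peer message ID -> repeats received
    last = None                     # local ID most recently retransmitted

    def state(mid, exchange="unknown"):
        return requests.setdefault(mid, {"exchange": exchange, "retransmits": 0,
                                         "answered": False, "gave_up": False})

    for raw in lines:
        m = CHARON.search(raw)
        if not m:
            continue                # KNL hex dumps, kernel lines, etc.
        msg = m.group(1)
        if g := GEN_REQ.search(msg):
            state(int(g.group(2)), g.group(1))
        elif g := PARSED_RESP.search(msg):
            state(int(g.group(1)))["answered"] = True
        elif g := RETX_OUT.search(msg):
            last = int(g.group(2))
            state(last)["retransmits"] = int(g.group(1))
        elif g := RETX_IN.search(msg):
            peer_retx[int(g.group(1))] += 1
        elif GAVE_UP.search(msg) and last is not None:
            requests[last]["gave_up"] = True
    return {"requests": requests, "peer_retransmits": dict(peer_retx)}


def unacknowledged(report):
    """Local request IDs never answered while the peer kept re-sending its own:
    its requests arrive, but nothing sent back is ever acknowledged."""
    if not report["peer_retransmits"]:
        return []
    return sorted(mid for mid, r in report["requests"].items()
                  if r["retransmits"] and not r["answered"])


if __name__ == "__main__":
    report = triage(SAMPLE)
    print(report, unacknowledged(report))
```

The summary only states what the log shows; comparing it with the same summary from the peer's log tells you which direction the IKE packets are being lost in.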