[strongSwan] Rekeying fails
John A. Sullivan III
jsullivan at opensourcedevel.com
Thu Jun 27 11:33:36 CEST 2013
On Thu, 2013-06-27 at 04:36 -0400, John A. Sullivan III wrote:
> Hello, all. I am using Linux strongSwan U4.5.2/K3.2.0-23-generic on
> Ubuntu 12.04 to protect GRE tunnels containing OSPF among other things
> using transport mode with certificates. There are two bare metal
> instances running from our data centers and two EC2 instances in
> Amazon's cloud (which must use nat traversal). It makes no difference
> in that all the sessions fail to rekey - data center to data center and
> data center to cloud. The connections are successfully established when
> ipsec starts but simply fail to rekey.
>
> I can see the rekey attempts but they fail:
>
> Jun 26 12:30:35 gw8-2 charon: 10[IKE] queueing IKE_REAUTH task
> Jun 26 12:30:35 gw8-2 charon: 10[IKE] activating new tasks
> Jun 26 12:30:35 gw8-2 charon: 10[IKE] activating IKE_REAUTH task
> Jun 26 12:30:35 gw8-2 charon: 10[IKE] deleting IKE_SA gw16-32[2] between x.x.219.226[CN=datacentergw, OU=VPN, DC=mycompany, DC=com]...y.y.140.68[CN=cloudgw, OU=VPN, DC=mycompany . .
> Jun 26 12:30:35 gw8-2 charon: 10[IKE] IKE_SA gw16-32[2] state change: ESTABLISHED => DELETING
> Jun 26 12:30:35 gw8-2 charon: 10[IKE] sending DELETE for IKE_SA gw16-32[2]
> Jun 26 12:30:35 gw8-2 charon: 10[ENC] generating INFORMATIONAL request 1122 [ D ]
> Jun 26 12:30:35 gw8-2 charon: 10[NET] sending packet: from x.x.219.226[4500] to y.y.140.68[4500]
> Jun 26 12:30:35 gw8-2 charon: 12[NET] received packet: from y.y.140.68[4500] to x.x.219.226[4500]
> Jun 26 12:30:35 gw8-2 charon: 12[ENC] parsed INFORMATIONAL response 1122 [ ]
> Jun 26 12:30:35 gw8-2 charon: 12[IKE] IKE_SA deleted
> Jun 26 12:30:35 gw8-2 charon: 12[IKE] unable to reauthenticate IKE_SA, no CHILD_SA to recreate
> Jun 26 12:30:35 gw8-2 charon: 12[IKE] IKE_SA gw16-32[2] state change: DELETING => DESTROYING
>
> I've tried disabling mobike. I've tried setting dpdaction=restart and
> hold. I've tried setting reauth=no.
>
> Here is a typical configuration:
> config setup
>     plutodebug=all
>     charondebug="ike 4"
>     nat_traversal=yes
>     charonstart=yes
>     plutostart=yes
>
> conn %default
>     left=x.x.219.226 # Do NOT use %default route as that may change with OSPF
>     leftrsasigkey=%cert
>     leftcert=cert1.pem
>     leftid="CN=datacentergw,OU=VPN,DC=mycompany,DC=com"
>     keyingtries=20
>     authby=rsasig
>     rightrsasigkey=%cert
>     keylife=60m
>     rekeymargin=5m
>     ikelifetime=3h
>     reauth=no
>     mobike=no
>     auto=ignore
>
> include /etc/ipsec.d/remotenets/*.conf
>
> conn gw16-48
>     right=y.y.137.197
>     rightid="CN=cloudgw,OU=VPN,DC=mycompany,DC=com"
>     also=gre
>     auto=start
>
> conn gre
>     type=transport
>     leftprotoport=47
>     rightprotoport=47
>     dpddelay=9
>     dpdtimeout=30
>     #dpdaction=restart
>     compress=yes
>
> What am I doing wrong? Thanks - John
>
<snip>
Here is an example of a data center to data center (no nat-t) failure:
Jun 27 05:20:29 gw8-2 charon: 15[NET] received packet: from y.y.118.3[500] to x.x.219.226[500]
Jun 27 05:20:29 gw8-2 charon: 15[ENC] parsed CREATE_CHILD_SA request 0 [ N(REKEY_SA) N(IPCOMP_SUPP) N(USE_TRANSP) SA No TSi TSr ]
Jun 27 05:20:29 gw8-2 charon: 15[IKE] received IPCOMP_SUPPORTED notify but IPComp is disabled, ignoring
Jun 27 05:20:29 gw8-2 charon: 15[IKE] CHILD_SA gwhq{1} established with SPIs c4dd72af_i cb5ce504_o and TS x.x.219.226/32[gre] === y.y.118.3/32[gre]
Jun 27 05:20:29 gw8-2 charon: 15[ENC] generating CREATE_CHILD_SA response 0 [ N(USE_TRANSP) SA No TSi TSr ]
Jun 27 05:20:29 gw8-2 charon: 15[NET] sending packet: from x.x.219.226[500] to y.y.118.3[500]
Jun 27 05:20:33 gw8-2 charon: 09[NET] received packet: from y.y.118.3[500] to x.x.219.226[500]
Jun 27 05:20:33 gw8-2 charon: 09[ENC] parsed CREATE_CHILD_SA request 0 [ N(REKEY_SA) N(IPCOMP_SUPP) N(USE_TRANSP) SA No TSi TSr ]
Jun 27 05:20:33 gw8-2 charon: 09[IKE] received retransmit of request with ID 0, retransmitting response
Jun 27 05:20:33 gw8-2 charon: 09[NET] sending packet: from x.x.219.226[500] to y.y.118.3[500]
Jun 27 05:20:40 gw8-2 charon: 04[NET] received packet: from y.y.118.3[500] to x.x.219.226[500]
Jun 27 05:20:40 gw8-2 charon: 04[ENC] parsed CREATE_CHILD_SA request 0 [ N(REKEY_SA) N(IPCOMP_SUPP) N(USE_TRANSP) SA No TSi TSr ]
Jun 27 05:20:40 gw8-2 charon: 04[IKE] received retransmit of request with ID 0, retransmitting response
Jun 27 05:20:40 gw8-2 charon: 04[NET] sending packet: from x.x.219.226[500] to y.y.118.3[500]
Jun 27 05:20:53 gw8-2 charon: 12[NET] received packet: from y.y.118.3[500] to x.x.219.226[500]
Jun 27 05:20:53 gw8-2 charon: 12[ENC] parsed CREATE_CHILD_SA request 0 [ N(REKEY_SA) N(IPCOMP_SUPP) N(USE_TRANSP) SA No TSi TSr ]
Jun 27 05:20:53 gw8-2 charon: 12[IKE] received retransmit of request with ID 0, retransmitting response
Jun 27 05:20:53 gw8-2 charon: 12[NET] sending packet: from x.x.219.226[500] to y.y.118.3[500]
Jun 27 05:21:02 gw8-2 charon: 10[IKE] keeping connection path x.x.219.226 - y.y.118.3
Jun 27 05:21:16 gw8-2 charon: 13[NET] received packet: from y.y.118.3[500] to x.x.219.226[500]
Jun 27 05:21:16 gw8-2 charon: 13[ENC] parsed CREATE_CHILD_SA request 0 [ N(REKEY_SA) N(IPCOMP_SUPP) N(USE_TRANSP) SA No TSi TSr ]
Jun 27 05:21:16 gw8-2 charon: 13[IKE] received retransmit of request with ID 0, retransmitting response
Jun 27 05:21:16 gw8-2 charon: 13[NET] sending packet: from x.x.219.226[500] to y.y.118.3[500]
Jun 27 05:21:58 gw8-2 charon: 11[NET] received packet: from y.y.118.3[500] to x.x.219.226[500]
Jun 27 05:21:58 gw8-2 charon: 11[ENC] parsed CREATE_CHILD_SA request 0 [ N(REKEY_SA) N(IPCOMP_SUPP) N(USE_TRANSP) SA No TSi TSr ]
Jun 27 05:21:58 gw8-2 charon: 11[IKE] received retransmit of request with ID 0, retransmitting response
Jun 27 05:21:58 gw8-2 charon: 11[NET] sending packet: from x.x.219.226[500] to y.y.118.3[500]
Jun 27 05:23:56 gw8-2 charon: 01[KNL] creating rekey job for ESP CHILD_SA with SPI c29fe285 and reqid {1}
Jun 27 05:23:56 gw8-2 charon: 15[IKE] queueing CHILD_REKEY task
Jun 27 05:23:56 gw8-2 charon: 15[IKE] activating new tasks
Jun 27 05:23:56 gw8-2 charon: 15[IKE] activating CHILD_REKEY task
Jun 27 05:23:56 gw8-2 charon: 15[IKE] establishing CHILD_SA gwhq{1}
Jun 27 05:23:56 gw8-2 charon: 15[ENC] generating CREATE_CHILD_SA request 2 [ N(REKEY_SA) N(USE_TRANSP) SA No TSi TSr ]
Jun 27 05:23:56 gw8-2 charon: 15[NET] sending packet: from x.x.219.226[500] to y.y.118.3[500]
Jun 27 05:24:00 gw8-2 charon: 09[IKE] retransmit 1 of request with message ID 2
Jun 27 05:24:00 gw8-2 charon: 09[NET] sending packet: from x.x.219.226[500] to y.y.118.3[500]
Jun 27 05:24:07 gw8-2 charon: 04[IKE] retransmit 2 of request with message ID 2
Jun 27 05:24:07 gw8-2 charon: 04[NET] sending packet: from x.x.219.226[500] to y.y.118.3[500]
Jun 27 05:24:10 gw8-2 charon: 01[KNL] creating rekey job for ESP CHILD_SA with SPI c815ae82 and reqid {1}
Jun 27 05:24:10 gw8-2 charon: 12[IKE] queueing CHILD_REKEY task
Jun 27 05:24:10 gw8-2 charon: 12[IKE] delaying task initiation, CREATE_CHILD_SA exchange in progress
Jun 27 05:24:20 gw8-2 charon: 14[IKE] retransmit 3 of request with message ID 2
Jun 27 05:24:20 gw8-2 charon: 14[NET] sending packet: from x.x.219.226[500] to y.y.118.3[500]
Jun 27 05:24:43 gw8-2 charon: 10[IKE] retransmit 4 of request with message ID 2
Jun 27 05:24:43 gw8-2 charon: 10[NET] sending packet: from x.x.219.226[500] to y.y.118.3[500]
Jun 27 05:25:25 gw8-2 charon: 13[IKE] retransmit 5 of request with message ID 2
Jun 27 05:25:25 gw8-2 charon: 13[NET] sending packet: from x.x.219.226[500] to y.y.118.3[500]
Jun 27 05:26:41 gw8-2 charon: 01[KNL] creating delete job for ESP CHILD_SA with SPI cdc08781 and reqid {1}
Jun 27 05:26:41 gw8-2 charon: 11[IKE] queueing CHILD_DELETE task
Jun 27 05:26:41 gw8-2 charon: 11[IKE] delaying task initiation, CREATE_CHILD_SA exchange in progress
Jun 27 05:26:41 gw8-2 charon: 15[IKE] giving up after 5 retransmits
Jun 27 05:26:41 gw8-2 charon: 15[IKE] IKE_SA gwhq[1] state change: ESTABLISHED => DESTROYING
Jun 27 05:26:41 gw8-2 charon: 15[KNL] received netlink error: No such process (3)
Jun 27 05:26:41 gw8-2 charon: 15[KNL] unable to delete SAD entry with SPI cdc08781
Thanks - John
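As an added example (not part of John's post and not strongSwan code), a small Python checker that scans charon log lines for the three failure patterns visible in this thread: the peer re-sending the same CREATE_CHILD_SA request ID (our responses are not reaching it), our own rekey request being retransmitted until charon gives up, and a reauth that finds no CHILD_SA to recreate. The line format, the `analyse` function and the repeat threshold are assumptions; the sample lines are constructed to match the log format shown above.

```python
"""Scan strongSwan charon log lines for rekey/reauth failure patterns.

Added example, not from the mailing list post. Message formats follow the
charon lines quoted in the thread; SAMPLE_LOG is constructed for the demo.
"""
import re
from collections import Counter

# "Jun 27 05:20:33 gw8-2 charon: 09[IKE] <message>"  (assumed syslog layout)
LINE_RE = re.compile(r'^\w{3}\s+\d+ [\d:]+ \S+ charon: \d+\[(\w+)\] (.*)$')
PEER_RETRANSMIT = re.compile(r'received retransmit of request with ID (\d+)')
OWN_RETRANSMIT = re.compile(r'retransmit (\d+) of request with message ID (\d+)')
GIVE_UP = re.compile(r'giving up after (\d+) retransmits')
NO_CHILD = 'unable to reauthenticate IKE_SA, no CHILD_SA to recreate'

SAMPLE_LOG = """\
Jun 27 05:20:33 gw8-2 charon: 09[IKE] received retransmit of request with ID 0, retransmitting response
Jun 27 05:20:40 gw8-2 charon: 04[IKE] received retransmit of request with ID 0, retransmitting response
Jun 27 05:20:53 gw8-2 charon: 12[IKE] received retransmit of request with ID 0, retransmitting response
Jun 27 05:23:56 gw8-2 charon: 15[ENC] generating CREATE_CHILD_SA request 2 [ N(REKEY_SA) N(USE_TRANSP) SA No TSi TSr ]
Jun 27 05:24:00 gw8-2 charon: 09[IKE] retransmit 1 of request with message ID 2
Jun 27 05:24:07 gw8-2 charon: 04[IKE] retransmit 2 of request with message ID 2
Jun 27 05:24:20 gw8-2 charon: 14[IKE] retransmit 3 of request with message ID 2
Jun 27 05:26:41 gw8-2 charon: 15[IKE] giving up after 5 retransmits
Jun 27 05:26:41 gw8-2 charon: 15[IKE] IKE_SA gwhq[1] state change: ESTABLISHED => DESTROYING
""".splitlines()


def analyse(lines, threshold=3):
    """Return (finding, detail) tuples; a repeat count >= threshold is reported."""
    peer_repeats = Counter()   # peer request ID -> times the peer re-sent it
    own_max = {}               # our message ID -> highest retransmit number seen
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue                      # not a charon line; ignore
        msg = m.group(2)
        if (r := PEER_RETRANSMIT.search(msg)):
            peer_repeats[r.group(1)] += 1
        elif (r := OWN_RETRANSMIT.search(msg)):
            own_max[r.group(2)] = max(own_max.get(r.group(2), 0), int(r.group(1)))
        elif (r := GIVE_UP.search(msg)):
            findings.append(('rekey_abandoned', f'gave up after {r.group(1)} retransmits'))
        elif NO_CHILD in msg:
            findings.append(('reauth_no_child_sa', msg))
    for req_id, n in peer_repeats.items():
        if n >= threshold:   # peer keeps re-sending: our responses are not arriving
            findings.append(('responses_not_reaching_peer', f'request ID {req_id} re-sent {n} times by peer'))
    for msg_id, n in own_max.items():
        if n >= threshold:   # we keep re-sending: our requests are not arriving
            findings.append(('requests_not_reaching_peer', f'message ID {msg_id} retransmitted {n} times'))
    return findings


if __name__ == '__main__':
    for kind, detail in analyse(SAMPLE_LOG):
        print(f'{kind}: {detail}')
```

Both "not reaching peer" findings point at the path between the gateways (filtering or NAT state between UDP 500/4500 endpoints) rather than at the IKE configuration, which is the distinction the retransmit pattern in the log lets you make.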