[strongSwan] Rekeying fails

John A. Sullivan III jsullivan at opensourcedevel.com
Sat Jun 29 01:32:47 CEST 2013


On Thu, 2013-06-27 at 05:33 -0400, John A. Sullivan III wrote:
> On Thu, 2013-06-27 at 04:36 -0400, John A. Sullivan III wrote:
> > Hello, all.  I am using Linux strongSwan U4.5.2/K3.2.0-23-generic on
> > Ubuntu 12.04 to protect GRE tunnels containing OSPF among other things
> > using transport mode with certificates.  There are two bare metal
> > instances running from our data centers and two EC2 instances in
> > Amazon's cloud (which must use nat traversal).  It makes no difference
> > in that all the sessions fail to rekey - data center to data center and
> > data center to cloud.  The connections are successfully established when
> > ipsec starts but simply fail to rekey.
> > 
> > I can see the rekey attempts but they fail:
> > 
> > Jun 26 12:30:35 gw8-2 charon: 10[IKE] queueing IKE_REAUTH task
> > Jun 26 12:30:35 gw8-2 charon: 10[IKE] activating new tasks 
> > Jun 26 12:30:35 gw8-2 charon: 10[IKE]   activating IKE_REAUTH task
> > Jun 26 12:30:35 gw8-2 charon: 10[IKE] deleting IKE_SA gw16-32[2] between x.x.219.226[CN=datacentergw, OU=VPN, DC=mycompany, DC=com]...y.y.140.68[CN=cloudgw, OU=VPN, DC=mycompany . . 
> > Jun 26 12:30:35 gw8-2 charon: 10[IKE] IKE_SA gw16-32[2] state change: ESTABLISHED => DELETING
> > Jun 26 12:30:35 gw8-2 charon: 10[IKE] sending DELETE for IKE_SA gw16-32[2]
> > Jun 26 12:30:35 gw8-2 charon: 10[ENC] generating INFORMATIONAL request 1122 [ D ]
> > Jun 26 12:30:35 gw8-2 charon: 10[NET] sending packet: from x.x.219.226[4500] to y.y.140.68[4500]
> > Jun 26 12:30:35 gw8-2 charon: 12[NET] received packet: from y.y.140.68[4500] to x.x.219.226[4500]
> > Jun 26 12:30:35 gw8-2 charon: 12[ENC] parsed INFORMATIONAL response 1122 [ ]
> > Jun 26 12:30:35 gw8-2 charon: 12[IKE] IKE_SA deleted
> > Jun 26 12:30:35 gw8-2 charon: 12[IKE] unable to reauthenticate IKE_SA, no CHILD_SA to recreate
> > Jun 26 12:30:35 gw8-2 charon: 12[IKE] IKE_SA gw16-32[2] state change: DELETING => DESTROYING
> > 
> > I've tried disabling mobike.  I've tried setting dpdaction=restart and
> > hold.  I've tried setting reauth=no.
> > 
> > Here is a typical configuration:
> > config setup
> >         plutodebug=all
> >         charondebug="ike 4"
> >         nat_traversal=yes
> >         charonstart=yes
> >         plutostart=yes
> > 
> > conn %default
> >         left=x.x.219.226 # Do NOT use %default route as that may change with OSPF
> >         leftrsasigkey=%cert
> >         leftcert=cert1.pem
> >         leftid="CN=datacentergw,OU=VPN,DC=mycompany,DC=com"
> >         keyingtries=20
> >         authby=rsasig
> >         rightrsasigkey=%cert
> >         keylife=60m
> >         rekeymargin=5m
> >         ikelifetime=3h
> >         reauth=no
> >         mobike=no
> >         auto=ignore
> > 
> > 
> > include /etc/ipsec.d/remotenets/*.conf
> > 
> > 
> > conn gw16-48
> >         right=y.y.137.197
> >         rightid="CN=cloudgw,OU=VPN,DC=mycompany,DC=com"
> >         also=gre
> >         auto=start
> > 
> > conn gre
> >         type=transport
> >         leftprotoport=47
> >         rightprotoport=47
> >         dpddelay=9
> >         dpdtimeout=30
> >         #dpdaction=restart
> >         compress=yes
> > 
> > What am I doing wrong? Thanks - John
> > 
> <snip>
> 
> Here is an example of a data center to data center (no nat-t) failure:
> 
> Jun 27 05:20:29 gw8-2 charon: 15[NET] received packet: from y.y.118.3[500] to x.x.219.226[500] 
> Jun 27 05:20:29 gw8-2 charon: 15[ENC] parsed CREATE_CHILD_SA request 0 [ N(REKEY_SA) N(IPCOMP_SUPP) N(USE_TRANSP) SA No TSi TSr ]
> Jun 27 05:20:29 gw8-2 charon: 15[IKE] received IPCOMP_SUPPORTED notify but IPComp is disabled, ignoring
> Jun 27 05:20:29 gw8-2 charon: 15[IKE] CHILD_SA gwhq{1} established with SPIs c4dd72af_i cb5ce504_o and TS x.x.219.226/32[gre] === y.y.118.3/32[gre]
> Jun 27 05:20:29 gw8-2 charon: 15[ENC] generating CREATE_CHILD_SA response 0 [ N(USE_TRANSP) SA No TSi TSr ]
> Jun 27 05:20:29 gw8-2 charon: 15[NET] sending packet: from x.x.219.226[500] to y.y.118.3[500]
> Jun 27 05:20:33 gw8-2 charon: 09[NET] received packet: from y.y.118.3[500] to x.x.219.226[500]
> Jun 27 05:20:33 gw8-2 charon: 09[ENC] parsed CREATE_CHILD_SA request 0 [ N(REKEY_SA) N(IPCOMP_SUPP) N(USE_TRANSP) SA No TSi TSr ]
> Jun 27 05:20:33 gw8-2 charon: 09[IKE] received retransmit of request with ID 0, retransmitting response
> Jun 27 05:20:33 gw8-2 charon: 09[NET] sending packet: from x.x.219.226[500] to y.y.118.3[500]
> Jun 27 05:20:40 gw8-2 charon: 04[NET] received packet: from y.y.118.3[500] to x.x.219.226[500]
> Jun 27 05:20:40 gw8-2 charon: 04[ENC] parsed CREATE_CHILD_SA request 0 [ N(REKEY_SA) N(IPCOMP_SUPP) N(USE_TRANSP) SA No TSi TSr ]
> Jun 27 05:20:40 gw8-2 charon: 04[IKE] received retransmit of request with ID 0, retransmitting response
> Jun 27 05:20:40 gw8-2 charon: 04[NET] sending packet: from x.x.219.226[500] to y.y.118.3[500]
> Jun 27 05:20:53 gw8-2 charon: 12[NET] received packet: from y.y.118.3[500] to x.x.219.226[500]
> Jun 27 05:20:53 gw8-2 charon: 12[ENC] parsed CREATE_CHILD_SA request 0 [ N(REKEY_SA) N(IPCOMP_SUPP) N(USE_TRANSP) SA No TSi TSr ]
> Jun 27 05:20:53 gw8-2 charon: 12[IKE] received retransmit of request with ID 0, retransmitting response
> Jun 27 05:20:53 gw8-2 charon: 12[NET] sending packet: from x.x.219.226[500] to y.y.118.3[500]
> Jun 27 05:21:02 gw8-2 charon: 10[IKE] keeping connection path x.x.219.226 - y.y.118.3   
> Jun 27 05:21:16 gw8-2 charon: 13[NET] received packet: from y.y.118.3[500] to x.x.219.226[500]
> Jun 27 05:21:16 gw8-2 charon: 13[ENC] parsed CREATE_CHILD_SA request 0 [ N(REKEY_SA) N(IPCOMP_SUPP) N(USE_TRANSP) SA No TSi TSr ]
> Jun 27 05:21:16 gw8-2 charon: 13[IKE] received retransmit of request with ID 0, retransmitting response
> Jun 27 05:21:16 gw8-2 charon: 13[NET] sending packet: from x.x.219.226[500] to y.y.118.3[500]
> Jun 27 05:21:58 gw8-2 charon: 11[NET] received packet: from y.y.118.3[500] to x.x.219.226[500]
> Jun 27 05:21:58 gw8-2 charon: 11[ENC] parsed CREATE_CHILD_SA request 0 [ N(REKEY_SA) N(IPCOMP_SUPP) N(USE_TRANSP) SA No TSi TSr ]
> Jun 27 05:21:58 gw8-2 charon: 11[IKE] received retransmit of request with ID 0, retransmitting response
> Jun 27 05:21:58 gw8-2 charon: 11[NET] sending packet: from x.x.219.226[500] to y.y.118.3[500]
> Jun 27 05:23:56 gw8-2 charon: 01[KNL] creating rekey job for ESP CHILD_SA with SPI c29fe285 and reqid {1}
> Jun 27 05:23:56 gw8-2 charon: 15[IKE] queueing CHILD_REKEY task
> Jun 27 05:23:56 gw8-2 charon: 15[IKE] activating new tasks
> Jun 27 05:23:56 gw8-2 charon: 15[IKE]   activating CHILD_REKEY task
> Jun 27 05:23:56 gw8-2 charon: 15[IKE] establishing CHILD_SA gwhq{1}
> Jun 27 05:23:56 gw8-2 charon: 15[ENC] generating CREATE_CHILD_SA request 2 [ N(REKEY_SA) N(USE_TRANSP) SA No TSi TSr ]
> Jun 27 05:23:56 gw8-2 charon: 15[NET] sending packet: from x.x.219.226[500] to y.y.118.3[500]
> Jun 27 05:24:00 gw8-2 charon: 09[IKE] retransmit 1 of request with message ID 2
> Jun 27 05:24:00 gw8-2 charon: 09[NET] sending packet: from x.x.219.226[500] to y.y.118.3[500]
> Jun 27 05:24:07 gw8-2 charon: 04[IKE] retransmit 2 of request with message ID 2
> Jun 27 05:24:07 gw8-2 charon: 04[NET] sending packet: from x.x.219.226[500] to y.y.118.3[500]
> Jun 27 05:24:10 gw8-2 charon: 01[KNL] creating rekey job for ESP CHILD_SA with SPI c815ae82 and reqid {1}
> Jun 27 05:24:10 gw8-2 charon: 12[IKE] queueing CHILD_REKEY task
> Jun 27 05:24:10 gw8-2 charon: 12[IKE] delaying task initiation, CREATE_CHILD_SA exchange in progress
> Jun 27 05:24:20 gw8-2 charon: 14[IKE] retransmit 3 of request with message ID 2
> Jun 27 05:24:20 gw8-2 charon: 14[NET] sending packet: from x.x.219.226[500] to y.y.118.3[500]
> Jun 27 05:24:43 gw8-2 charon: 10[IKE] retransmit 4 of request with message ID 2
> Jun 27 05:24:43 gw8-2 charon: 10[NET] sending packet: from x.x.219.226[500] to y.y.118.3[500]
> Jun 27 05:25:25 gw8-2 charon: 13[IKE] retransmit 5 of request with message ID 2
> Jun 27 05:25:25 gw8-2 charon: 13[NET] sending packet: from x.x.219.226[500] to y.y.118.3[500]
> Jun 27 05:26:41 gw8-2 charon: 01[KNL] creating delete job for ESP CHILD_SA with SPI cdc08781 and reqid {1}
> Jun 27 05:26:41 gw8-2 charon: 11[IKE] queueing CHILD_DELETE task
> Jun 27 05:26:41 gw8-2 charon: 11[IKE] delaying task initiation, CREATE_CHILD_SA exchange in progress
> Jun 27 05:26:41 gw8-2 charon: 15[IKE] giving up after 5 retransmits
> Jun 27 05:26:41 gw8-2 charon: 15[IKE] IKE_SA gwhq[1] state change: ESTABLISHED => DESTROYING
> Jun 27 05:26:41 gw8-2 charon: 15[KNL] received netlink error: No such process (3)
> Jun 27 05:26:41 gw8-2 charon: 15[KNL] unable to delete SAD entry with SPI cdc08781
> 
> Thanks - John
<snip>
Alas, I'm still having grief with this although it is down to a single
problematic gateway.  The problems with the AWS systems were the
challenge of GRE / IPSec in a NAT environment like AWS.  An old email
said there was not a use case for NAT-T and Transport mode - this seems
like one! I had to add leftsubnet parameters and set them to the real
address while the left was set to the NAT address and then redefine the
GRE setup to use the real rather than NAT address as its end point.

But that did not fix one of the gateways.  It seems absolutely identical
to the working ones.  I checked the date, key length, every line of the
configuration files and included files yet it fails to renegotiate all
of its connections.  Here are the logs:

Jun 28 18:44:47 gw8-2 charon: 09[NET] received packet: from y.y.140.68[4500] to x.x.219.226[4500]
Jun 28 18:44:47 gw8-2 charon: 09[ENC] parsed CREATE_CHILD_SA request 0 [ N(REKEY_SA) SA No TSi TSr ] 
Jun 28 18:44:47 gw8-2 charon: 09[IKE] received retransmit of request with ID 0, retransmitting response
Jun 28 18:44:47 gw8-2 charon: 09[NET] sending packet: from x.x.219.226[4500] to y.y.140.68[4500]   
Jun 28 18:44:48 gw8-2 charon: 01[KNL] received a XFRM_MSG_EXPIRE
Jun 28 18:44:48 gw8-2 charon: 01[KNL] creating rekey job for ESP CHILD_SA with SPI c844dcc8 and reqid {7}
Jun 28 18:44:48 gw8-2 charon: 10[IKE] queueing CHILD_REKEY task
Jun 28 18:44:48 gw8-2 charon: 10[IKE] activating new tasks
Jun 28 18:44:48 gw8-2 charon: 10[IKE]   activating CHILD_REKEY task
Jun 28 18:44:48 gw8-2 charon: 10[IKE] establishing CHILD_SA gw16-32{7}
Jun 28 18:44:48 gw8-2 charon: 10[KNL] getting SPI for reqid {7}
Jun 28 18:44:48 gw8-2 charon: 10[KNL] sending XFRM_MSG_ALLOCSPI: => 248 bytes @ 0x7f1ebd3da830
Jun 28 18:44:48 gw8-2 charon: 10[KNL] got SPI cd6de20e for reqid {7}
Jun 28 18:44:48 gw8-2 charon: 10[IKE] IPComp is not supported if either peer is natted, IPComp disabled
Jun 28 18:44:48 gw8-2 charon: 10[ENC] generating CREATE_CHILD_SA request 4 [ N(REKEY_SA) SA No TSi TSr ]
Jun 28 18:44:48 gw8-2 charon: 10[NET] sending packet: from x.x.219.226[4500] to y.y.140.68[4500]
Jun 28 18:44:52 gw8-2 charon: 14[IKE] retransmit 1 of request with message ID 4
Jun 28 18:44:52 gw8-2 charon: 14[NET] sending packet: from x.x.219.226[4500] to y.y.140.68[4500]
Jun 28 18:45:00 gw8-2 charon: 13[IKE] retransmit 2 of request with message ID 4
Jun 28 18:45:00 gw8-2 charon: 13[NET] sending packet: from x.x.219.226[4500] to y.y.140.68[4500]
Jun 28 18:45:12 gw8-2 charon: 11[IKE] retransmit 3 of request with message ID 4
Jun 28 18:45:12 gw8-2 charon: 11[NET] sending packet: from x.x.219.226[4500] to y.y.140.68[4500]
Jun 28 18:45:29 gw8-2 charon: 12[NET] received packet: from y.y.140.68[4500] to x.x.219.226[4500]
Jun 28 18:45:29 gw8-2 charon: 12[ENC] parsed CREATE_CHILD_SA request 0 [ N(REKEY_SA) SA No TSi TSr ] 
Jun 28 18:45:29 gw8-2 charon: 12[IKE] received retransmit of request with ID 0, retransmitting response
Jun 28 18:45:29 gw8-2 charon: 12[NET] sending packet: from x.x.219.226[4500] to y.y.140.68[4500]   
Jun 28 18:45:36 gw8-2 charon: 04[IKE] retransmit 4 of request with message ID 4
Jun 28 18:45:36 gw8-2 charon: 04[NET] sending packet: from x.x.219.226[4500] to y.y.140.68[4500]
Jun 28 18:46:06 gw8-2 kernel: [49325.514878] IPTDROP IN=eth1 OUT= MAC=00:23:8b:97:f7:4e:00:11:bc:39:10:00:08:00 SRC=60.214.233.220 DST=x.x.219.227 LEN=40 TOS=0x00 PREC=0x00 TTL=104 ID=256 PROTO=TCP SPT=6000 DPT=8080 W
Jun 28 18:46:06 gw8-2 kernel: [49325.516565] IPTDROP IN=eth1 OUT= MAC=00:23:8b:97:f7:4e:00:11:bc:39:10:00:08:00 SRC=60.214.233.220 DST=x.x.219.226 LEN=40 TOS=0x00 PREC=0x00 TTL=104 ID=256 PROTO=TCP SPT=6000 DPT=8080 W
Jun 28 18:46:18 gw8-2 charon: 08[IKE] retransmit 5 of request with message ID 4
Jun 28 18:46:18 gw8-2 charon: 08[NET] sending packet: from x.x.219.226[4500] to y.y.140.68[4500]
Jun 28 18:46:30 gw8-2 charon: 01[KNL] received a XFRM_MSG_EXPIRE
Jun 28 18:46:30 gw8-2 charon: 01[KNL] creating rekey job for ESP CHILD_SA with SPI c9cbdc88 and reqid {7}
Jun 28 18:46:30 gw8-2 charon: 09[IKE] queueing CHILD_REKEY task
Jun 28 18:46:30 gw8-2 charon: 09[IKE] delaying task initiation, CREATE_CHILD_SA exchange in progress
Jun 28 18:47:33 gw8-2 charon: 01[KNL] received a XFRM_MSG_EXPIRE
Jun 28 18:47:33 gw8-2 charon: 01[KNL] creating delete job for ESP CHILD_SA with SPI cd6de20e and reqid {7}
Jun 28 18:47:33 gw8-2 charon: 10[IKE] queueing CHILD_DELETE task
Jun 28 18:47:33 gw8-2 charon: 10[IKE] delaying task initiation, CREATE_CHILD_SA exchange in progress
Jun 28 18:47:33 gw8-2 charon: 14[IKE] giving up after 5 retransmits
Jun 28 18:47:33 gw8-2 charon: 14[IKE] IKE_SA gw16-32[7] state change: ESTABLISHED => DESTROYING
Jun 28 18:47:33 gw8-2 charon: 14[KNL] deleting SAD entry with SPI cd6de20e
Jun 28 18:47:33 gw8-2 charon: 14[KNL] deleting SAD entry with SPI cd6de20e
Jun 28 18:47:33 gw8-2 charon: 14[KNL] sending XFRM_MSG_DELSA: => 40 bytes @ 0x7f1ebb3d6810
Jun 28 18:47:33 gw8-2 charon: 14[KNL]    0: 28 00 00 00 11 00 05 00 E4 01 00 00 88 0C 00 00  (...............
Jun 28 18:47:33 gw8-2 charon: 14[KNL]   16: 04 1E DB E2 00 00 00 00 00 00 00 00 00 00 00 00  ................
Jun 28 18:47:33 gw8-2 charon: 14[KNL]   32: CD 6D E2 0E 02 00 32 00                          .m....2.
Jun 28 18:47:33 gw8-2 charon: 14[KNL] received netlink error: No such process (3)
Jun 28 18:47:33 gw8-2 charon: 14[KNL] unable to delete SAD entry with SPI cd6de20e
Jun 28 18:47:33 gw8-2 charon: 14[KNL] deleting SAD entry with SPI c844dcc8
Jun 28 18:47:33 gw8-2 charon: 14[KNL] sending XFRM_MSG_DELSA: => 40 bytes @ 0x7f1ebb3d6860
Jun 28 18:47:33 gw8-2 charon: 14[KNL]    0: 28 00 00 00 11 00 05 00 E5 01 00 00 88 0C 00 00  (...............
Jun 28 18:47:33 gw8-2 charon: 14[KNL]   16: 04 1E DB E2 00 00 00 00 00 00 00 00 00 00 00 00  ................
Jun 28 18:47:33 gw8-2 charon: 14[KNL]   32: C8 44 DC C8 02 00 32 00                          .D....2.
Jun 28 18:47:33 gw8-2 charon: 14[KNL] deleted SAD entry with SPI c844dcc8
Jun 28 18:47:33 gw8-2 charon: 14[KNL] deleting SAD entry with SPI c9cbdc88
Jun 28 18:47:33 gw8-2 charon: 14[KNL] sending XFRM_MSG_DELSA: => 40 bytes @ 0x7f1ebb3d6860
Jun 28 18:47:33 gw8-2 charon: 14[KNL]    0: 28 00 00 00 11 00 05 00 E6 01 00 00 88 0C 00 00  (...............
Jun 28 18:47:33 gw8-2 charon: 14[KNL]   16: 36 D7 8C 44 00 00 00 00 00 00 00 00 00 00 00 00  6..D............
Jun 28 18:47:33 gw8-2 charon: 14[KNL]   32: C9 CB DC 88 02 00 32 00                          ......2.
Jun 28 18:47:33 gw8-2 charon: 14[KNL] deleted SAD entry with SPI c9cbdc88
Jun 28 18:47:33 gw8-2 charon: 14[KNL] deleting policy x.x.219.226/32[gre] === n.n.32.254/32[gre] out
Jun 28 18:47:33 gw8-2 charon: 14[KNL] policy still used by another CHILD_SA, not removed
Jun 28 18:47:33 gw8-2 charon: 14[KNL] deleting policy n.n.32.254/32[gre] === x.x.219.226/32[gre] in
Jun 28 18:47:33 gw8-2 charon: 14[KNL] policy still used by another CHILD_SA, not removed
Jun 28 18:47:33 gw8-2 charon: 14[KNL] deleting policy n.n.32.254/32[gre] === x.x.219.226/32[gre] fwd
Jun 28 18:47:33 gw8-2 charon: 14[KNL] policy still used by another CHILD_SA, not removed
Jun 28 18:47:33 gw8-2 charon: 14[KNL] deleting SAD entry with SPI cb432965
Jun 28 18:47:33 gw8-2 charon: 14[KNL] sending XFRM_MSG_DELSA: => 40 bytes @ 0x7f1ebb3d6860
Jun 28 18:47:33 gw8-2 charon: 14[KNL]    0: 28 00 00 00 11 00 05 00 E7 01 00 00 88 0C 00 00  (...............
Jun 28 18:47:33 gw8-2 charon: 14[KNL]   16: 04 1E DB E2 00 00 00 00 00 00 00 00 00 00 00 00  ................
Jun 28 18:47:33 gw8-2 charon: 14[KNL]   32: CB 43 29 65 02 00 32 00                          .C)e..2.
Jun 28 18:47:33 gw8-2 charon: 14[KNL] deleted SAD entry with SPI cb432965
Jun 28 18:47:33 gw8-2 charon: 14[KNL] deleting SAD entry with SPI c456e385
Jun 28 18:47:33 gw8-2 charon: 14[KNL] sending XFRM_MSG_DELSA: => 40 bytes @ 0x7f1ebb3d6860
Jun 28 18:47:33 gw8-2 charon: 14[KNL]    0: 28 00 00 00 11 00 05 00 E8 01 00 00 88 0C 00 00  (...............
Jun 28 18:47:33 gw8-2 charon: 14[KNL]   16: 36 D7 8C 44 00 00 00 00 00 00 00 00 00 00 00 00  6..D............
Jun 28 18:47:33 gw8-2 charon: 14[KNL]   32: C4 56 E3 85 02 00 32 00                          .V....2.
Jun 28 18:47:33 gw8-2 charon: 14[KNL] deleted SAD entry with SPI c456e385
Jun 28 18:47:33 gw8-2 charon: 14[KNL] deleting policy x.x.219.226/32[gre] === n.n.32.254/32[gre] out
Jun 28 18:47:33 gw8-2 charon: 14[KNL] sending XFRM_MSG_DELPOLICY: => 80 bytes @ 0x7f1ebb3d6860
Jun 28 18:47:33 gw8-2 charon: 14[KNL]    0: 50 00 00 00 14 00 05 00 E9 01 00 00 88 0C 00 00  P...............
Jun 28 18:47:33 gw8-2 charon: 14[KNL]   16: AC 1F 20 FE 00 00 00 00 00 00 00 00 00 00 00 00  .. .............
Jun 28 18:47:33 gw8-2 charon: 14[KNL]   32: 04 1E DB E2 00 00 00 00 00 00 00 00 00 00 00 00  ................
Jun 28 18:47:33 gw8-2 charon: 14[KNL]   48: 00 00 00 00 00 00 00 00 02 00 20 20 2F 00 00 00  ..........  /...
Jun 28 18:47:33 gw8-2 charon: 14[KNL]   64: 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00  ................
Jun 28 18:47:33 gw8-2 charon: 14[KNL] deleting policy n.n.32.254/32[gre] === x.x.219.226/32[gre] in
Jun 28 18:47:33 gw8-2 charon: 14[KNL] sending XFRM_MSG_DELPOLICY: => 80 bytes @ 0x7f1ebb3d6860
Jun 28 18:47:33 gw8-2 charon: 14[KNL]    0: 50 00 00 00 14 00 05 00 EA 01 00 00 88 0C 00 00  P...............
Jun 28 18:47:33 gw8-2 charon: 14[KNL]   16: 04 1E DB E2 00 00 00 00 00 00 00 00 00 00 00 00  ................
Jun 28 18:47:33 gw8-2 charon: 14[KNL]   32: AC 1F 20 FE 00 00 00 00 00 00 00 00 00 00 00 00  .. .............
Jun 28 18:47:33 gw8-2 charon: 14[KNL]   48: 00 00 00 00 00 00 00 00 02 00 20 20 2F 00 00 00  ..........  /...
Jun 28 18:47:33 gw8-2 charon: 14[KNL]   64: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Jun 28 18:47:33 gw8-2 charon: 14[KNL] deleting policy n.n.32.254/32[gre] === x.x.219.226/32[gre] fwd
Jun 28 18:47:33 gw8-2 charon: 14[KNL] sending XFRM_MSG_DELPOLICY: => 80 bytes @ 0x7f1ebb3d6860
Jun 28 18:47:33 gw8-2 charon: 14[KNL]    0: 50 00 00 00 14 00 05 00 EB 01 00 00 88 0C 00 00  P...............
Jun 28 18:47:33 gw8-2 charon: 14[KNL]   16: 04 1E DB E2 00 00 00 00 00 00 00 00 00 00 00 00  ................
Jun 28 18:47:33 gw8-2 charon: 14[KNL]   32: AC 1F 20 FE 00 00 00 00 00 00 00 00 00 00 00 00  .. .............
Jun 28 18:47:33 gw8-2 charon: 14[KNL]   48: 00 00 00 00 00 00 00 00 02 00 20 20 2F 00 00 00  ..........  /...
Jun 28 18:47:33 gw8-2 charon: 14[KNL]   64: 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00  ................
Jun 28 18:47:33 gw8-2 charon: 14[KNL] getting iface index for eth1

In my ignorance, nothing is jumping out at me as the problem.  Any
ideas? Thanks - John
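
An added example, not part of the original post and not strongSwan code: a small Python script that tallies, per peer, the two retransmit patterns visible in the logs above (the peer repeating a request this host has already answered, and this host's own request going unanswered until charon gives up). The sample lines are constructed by abridging the log format shown in the post, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample: abridged from the charon log format shown in the post.
SAMPLE_LOG = """\
Jun 28 18:44:47 gw8-2 charon: 09[NET] received packet: from y.y.140.68[4500] to x.x.219.226[4500]
Jun 28 18:44:47 gw8-2 charon: 09[IKE] received retransmit of request with ID 0, retransmitting response
Jun 28 18:44:47 gw8-2 charon: 09[NET] sending packet: from x.x.219.226[4500] to y.y.140.68[4500]
Jun 28 18:44:48 gw8-2 charon: 10[NET] sending packet: from x.x.219.226[4500] to y.y.140.68[4500]
Jun 28 18:44:52 gw8-2 charon: 14[IKE] retransmit 1 of request with message ID 4
Jun 28 18:44:52 gw8-2 charon: 14[NET] sending packet: from x.x.219.226[4500] to y.y.140.68[4500]
Jun 28 18:45:00 gw8-2 charon: 13[IKE] retransmit 2 of request with message ID 4
Jun 28 18:45:00 gw8-2 charon: 13[NET] sending packet: from x.x.219.226[4500] to y.y.140.68[4500]
Jun 28 18:45:29 gw8-2 charon: 12[NET] received packet: from y.y.140.68[4500] to x.x.219.226[4500]
Jun 28 18:45:29 gw8-2 charon: 12[IKE] received retransmit of request with ID 0, retransmitting response
Jun 28 18:45:29 gw8-2 charon: 12[NET] sending packet: from x.x.219.226[4500] to y.y.140.68[4500]
Jun 28 18:47:33 gw8-2 charon: 14[IKE] giving up after 5 retransmits
Jun 28 18:47:33 gw8-2 charon: 14[IKE] IKE_SA gw16-32[7] state change: ESTABLISHED => DESTROYING
"""

LINE = re.compile(r"charon: (\d+)\[(\w+)\]\s+(.*)")
NET = re.compile(r"(received|sending) packet: from (\S+?)\[\d+\] to (\S+?)\[\d+\]")
IN_RETX = re.compile(r"received retransmit of request with ID (\d+)")
OUT_RETX = re.compile(r"retransmit (\d+) of request with message ID (\d+)")
GIVE_UP = re.compile(r"giving up after (\d+) retransmits")
SA_DOWN = re.compile(r"IKE_SA (\S+)\[\d+\] state change: ESTABLISHED => DESTROYING")

def analyse(log_text):
    """Return (per-peer retransmit counters, names of IKE_SAs destroyed after giving up)."""
    peers = defaultdict(lambda: {"in_retx": defaultdict(int), "out_retx": defaultdict(int)})
    last_peer = {}  # worker thread -> peer of the last packet that thread handled
    pending = {}    # worker thread -> message ID waiting for its "sending packet" line
    giving = set()  # worker threads that just logged "giving up"
    gave_up = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # non-charon lines (e.g. kernel IPTDROP) are ignored
        thread, group, msg = m.groups()
        if group == "NET" and (n := NET.match(msg)):
            direction, src, dst = n.groups()
            peer = src if direction == "received" else dst
            last_peer[thread] = peer
            if direction == "sending" and thread in pending:
                peers[peer]["out_retx"][pending.pop(thread)] += 1
        elif group == "IKE":
            if (r := IN_RETX.search(msg)) and thread in last_peer:
                peers[last_peer[thread]]["in_retx"][int(r.group(1))] += 1
            elif r := OUT_RETX.match(msg):
                pending[thread] = int(r.group(2))  # peer is named on the next NET line
            elif GIVE_UP.search(msg):
                giving.add(thread)
            elif (s := SA_DOWN.search(msg)) and thread in giving:
                giving.discard(thread)
                gave_up.append(s.group(1))
    return peers, gave_up

def stalled_both_ways(peers):
    """Peers that keep repeating a request while our own request also gets no reply."""
    return sorted(p for p, s in peers.items() if s["in_retx"] and s["out_retx"])

if __name__ == "__main__":
    peers, gave_up = analyse(SAMPLE_LOG)
    print(stalled_both_ways(peers), gave_up)
```

The script only counts what the log records; it does not say why packets go unanswered.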




