[strongSwan] Multiple Child_SAs are causing traffic drop

Joern Mewes joern.mewes at gmx.net
Mon Sep 30 11:18:30 CEST 2013


Hi,

Sorry, I sent my email by mistake in HTML format. Here it is again,
converted to text:

I am having an issue with multiple child SAs of the same IKE-SA as a
result of an overlapping tunnel initiation caused by a network outage
between strongswan 5.0.4 and a VPN peer (Checkpoint firewall).

After re-establishing the connection it seems that both peers will
initiate a tunnel and as a result I will have two Child_SA pairs. At
some point I am observing that both peers are sending traffic with
SPIs belonging to different Child_SA pairs and the traffic is getting
dropped on the strongswan side.

Below is a trace between the strongswan (192.168.57.9) and the
Checkpoint firewall (192.168.30.165) taken once the problem is
occurring:

16:01:14.528702 IP 192.168.57.9 > 192.168.30.165: ESP(spi=0xf9029d40,seq=0x66), length 132
16:01:14.529551 IP 192.168.30.165 > 192.168.57.9: ESP(spi=0xc2088c97,seq=0x32), length 132
16:01:20.537286 IP 192.168.57.9 > 192.168.30.165: ESP(spi=0xf9029d40,seq=0x67), length 132
16:01:20.538136 IP 192.168.30.165 > 192.168.57.9: ESP(spi=0xc2088c97,seq=0x33), length 132
16:01:21.813363 IP 192.168.57.9 > 192.168.30.165: ESP(spi=0xf9029d40,seq=0x68), length 116
16:01:21.813662 IP 192.168.30.165 > 192.168.57.9: ESP(spi=0xc2088c97,seq=0x34), length 340

strongSwan is using 0xf9029d40 while Checkpoint is using 0xc2088c97.
"ipsec status" shows that these SPIs belong to different Child_SA
pairs.

root at vpn-57:~/vpn/mass_test# ipsec statusall vpn-57-9
Status of IKE charon daemon (strongSwan 5.0.4, Linux 3.5.7-03050711-generic, x86_64):
  uptime: 51 minutes, since Sep 27 15:09:22 2013
  malloc: sbrk 1187840, mmap 0, used 1033936, free 153904
  worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 603
  loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 constraints pubkey pkcs1 pkcs8 pgp dnskey pem fips-prf gmp hmac gcm attr kernel-netlink resolve socket-default stroke updown
Listening IP addresses:
  192.168.100.57
  10.31.11.57
  10.31.13.57
  10.31.12.57
  192.168.31.57
Connections:
    vpn-57-9:  192.168.57.9...192.168.30.165  IKEv2, dpddelay=10s
    vpn-57-9:   local:  [O=COMP, CN=vpn-57] uses public key authentication
    vpn-57-9:    cert:  "O=COMP, CN=vpn-57"
    vpn-57-9:   remote: [192.168.30.165] uses public key authentication
    vpn-57-9:   child:  10.57.11.9/32 === 10.22.11.9/32 TUNNEL, dpdaction=restart
Routed Connections:
    vpn-57-9{9}:  ROUTED, TUNNEL
    vpn-57-9{9}:   10.57.11.9/32 === 10.22.11.9/32
Security Associations (150 up, 0 connecting):
    vpn-57-9[640]: ESTABLISHED 2 minutes ago, 192.168.57.9[O=COMP, CN=vpn-57]...192.168.30.165[192.168.30.165]
    vpn-57-9[640]: IKEv2 SPIs: c6723f86b6eae6bd_i* 24497c2c09f76396_r, rekeying in 14 minutes
    vpn-57-9[640]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    vpn-57-9{454}:  INSTALLED, TUNNEL, ESP SPIs: c3a797a1_i f9029d40_o
    vpn-57-9{454}:  AES_CBC_128/HMAC_SHA1_96, 4568 bytes_i (54 pkts, 93s ago), 11716 bytes_o (99 pkts, 1s ago), rekeying in 3 minutes
    vpn-57-9{454}:   10.57.11.9/32 === 10.22.11.9/32
    vpn-57-9{338}:  INSTALLED, TUNNEL, ESP SPIs: c2088c97_i de446e40_o
    vpn-57-9{338}:  AES_CBC_128/HMAC_SHA1_96, 4148 bytes_i (46 pkts, 1s ago), 0 bytes_o, rekeying in 5 minutes
    vpn-57-9{338}:   10.57.11.9/32 === 10.22.11.9/32

Based on the rekeying information (3min vs. 5min) I would say that
strongswan is using the older SA while Checkpoint is using the newer
one. Do you have an explanation for this? And if so, why is strongswan
dropping the packets encrypted with the newer (but valid) SPI? Is
there any way to solve this problem by reconfiguration?

Any help to troubleshoot and solve the problem would be really appreciated.

Thanks and have a nice day,
Joern

2013/9/27 Joern Mewes <joern.mewes at gmx.net>:
> Hi all,
>
> I am having an issue with multiple child SAs of the same IKE-SA as a result
> of an overlapping tunnel initiation caused by a network outage between
> strongswan 5.0.4 and a VPN peer (Checkpoint firewall).
>
> After re-establishing the connection it seems that both peers will initiate
> a tunnel and as a result I will have two Child_SA pairs. At some point
> I am observing that both peers are sending traffic with SPIs belonging to
> different Child_SA pairs and the traffic is getting dropped on the
> strongswan side.
>
> Below is a trace between the strongswan (192.168.57.9) and the Checkpoint
> firewall (192.168.30.165) taken once the problem is occurring:
>
> 16:01:14.528702 IP 192.168.57.9 > 192.168.30.165:
> ESP(spi=0xf9029d40,seq=0x66), length 132
> 16:01:14.529551 IP 192.168.30.165 > 192.168.57.9:
> ESP(spi=0xc2088c97,seq=0x32), length 132
> 16:01:20.537286 IP 192.168.57.9 > 192.168.30.165:
> ESP(spi=0xf9029d40,seq=0x67), length 132
> 16:01:20.538136 IP 192.168.30.165 > 192.168.57.9:
> ESP(spi=0xc2088c97,seq=0x33), length 132
> 16:01:21.813363 IP 192.168.57.9 > 192.168.30.165:
> ESP(spi=0xf9029d40,seq=0x68), length 116
> 16:01:21.813662 IP 192.168.30.165 > 192.168.57.9:
> ESP(spi=0xc2088c97,seq=0x34), length 340
>
> strongSwan is using 0xf9029d40 while Checkpoint is using 0xc2088c97. "ipsec
> status" shows that these SPIs belong to different Child_SA pairs.
>
> root at vpn-57:~/vpn/mass_test# ipsec statusall vpn-57-9
> Status of IKE charon daemon (strongSwan 5.0.4, Linux 3.5.7-03050711-generic,
> x86_64):
>   uptime: 51 minutes, since Sep 27 15:09:22 2013
>   malloc: sbrk 1187840, mmap 0, used 1033936, free 153904
>   worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0,
> scheduled: 603
>   loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 constraints
> pubkey pkcs1 pkcs8 pgp dnskey pem fips-prf gmp hmac gcm attr kernel-netlink
> resolve socket-default stroke updown
> Listening IP addresses:
>   192.168.100.57
>   10.31.11.57
>   10.31.13.57
>   10.31.12.57
>   192.168.31.57
> Connections:
>     vpn-57-9:  192.168.57.9...192.168.30.165  IKEv2, dpddelay=10s
>     vpn-57-9:   local:  [O=COMP, CN=vpn-57] uses public key authentication
>     vpn-57-9:    cert:  "O=COMP, CN=vpn-57"
>     vpn-57-9:   remote: [192.168.30.165] uses public key authentication
>     vpn-57-9:   child:  10.57.11.9/32 === 10.22.11.9/32 TUNNEL,
> dpdaction=restart
> Routed Connections:
>     vpn-57-9{9}:  ROUTED, TUNNEL
>     vpn-57-9{9}:   10.57.11.9/32 === 10.22.11.9/32
> Security Associations (150 up, 0 connecting):
>     vpn-57-9[640]: ESTABLISHED 2 minutes ago, 192.168.57.9[O=COMP,
> CN=vpn-57]...192.168.30.165[192.168.30.165]
>     vpn-57-9[640]: IKEv2 SPIs: c6723f86b6eae6bd_i* 24497c2c09f76396_r,
> rekeying in 14 minutes
>     vpn-57-9[640]: IKE proposal:
> AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>     vpn-57-9{454}:  INSTALLED, TUNNEL, ESP SPIs: c3a797a1_i f9029d40_o
>     vpn-57-9{454}:  AES_CBC_128/HMAC_SHA1_96, 4568 bytes_i (54 pkts, 93s
> ago), 11716 bytes_o (99 pkts, 1s ago), rekeying in 3 minutes
>     vpn-57-9{454}:   10.57.11.9/32 === 10.22.11.9/32
>     vpn-57-9{338}:  INSTALLED, TUNNEL, ESP SPIs: c2088c97_i de446e40_o
>     vpn-57-9{338}:  AES_CBC_128/HMAC_SHA1_96, 4148 bytes_i (46 pkts, 1s
> ago), 0 bytes_o, rekeying in 5 minutes
>     vpn-57-9{338}:   10.57.11.9/32 === 10.22.11.9/32
>
> Based on the rekeying information (3min vs. 5min) I would say that
> strongswan is using the older SA while Checkpoint is using the newer one. Do
> you have an explanation for this? And if so, why is strongswan dropping the
> packets encrypted with the newer (but valid) SPI? Is there any way to solve
> this problem by reconfiguration?
>
> Any help to troubleshoot and solve the problem would be really appreciated.
>
> Thanks and have a nice day,
> Joern
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
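The check the post does by eye (which CHILD_SA does each direction's SPI belong to, and which of the two SAs is the newer one) can be done mechanically. The following Python script is an added example; it is not part of the original post and not a strongSwan tool. It parses tcpdump ESP lines and the CHILD_SA entries from `ipsec statusall`, maps every outbound SPI to an `_o` entry and every inbound SPI to an `_i` entry, and flags the case where the two directions resolve to different CHILD_SAs. The embedded inputs are the excerpts from the post, joined back onto single lines; the local address 192.168.57.9 and the "longest time to rekey means newest SA" heuristic are taken from the post and assumed to hold (the heuristic only works when both SAs were negotiated with the same lifetimes).

```python
"""Correlate ESP SPIs on the wire with strongSwan CHILD_SA entries.

Added example (not from the mailing-list post, not strongSwan code).
Given tcpdump ESP lines and `ipsec statusall` output, report which
CHILD_SA each traffic direction is using and whether they differ.
"""
import re
from collections import defaultdict

# Constructed sample input: the tcpdump excerpt from the post, one
# packet per line as tcpdump prints it.
TRACE = """\
16:01:14.528702 IP 192.168.57.9 > 192.168.30.165: ESP(spi=0xf9029d40,seq=0x66), length 132
16:01:14.529551 IP 192.168.30.165 > 192.168.57.9: ESP(spi=0xc2088c97,seq=0x32), length 132
16:01:20.537286 IP 192.168.57.9 > 192.168.30.165: ESP(spi=0xf9029d40,seq=0x67), length 132
16:01:20.538136 IP 192.168.30.165 > 192.168.57.9: ESP(spi=0xc2088c97,seq=0x33), length 132
16:01:21.813363 IP 192.168.57.9 > 192.168.30.165: ESP(spi=0xf9029d40,seq=0x68), length 116
16:01:21.813662 IP 192.168.30.165 > 192.168.57.9: ESP(spi=0xc2088c97,seq=0x34), length 340
"""

# Constructed sample input: the two CHILD_SA blocks from `ipsec statusall`.
STATUS = """\
    vpn-57-9{454}:  INSTALLED, TUNNEL, ESP SPIs: c3a797a1_i f9029d40_o
    vpn-57-9{454}:  AES_CBC_128/HMAC_SHA1_96, 4568 bytes_i (54 pkts, 93s ago), 11716 bytes_o (99 pkts, 1s ago), rekeying in 3 minutes
    vpn-57-9{454}:   10.57.11.9/32 === 10.22.11.9/32
    vpn-57-9{338}:  INSTALLED, TUNNEL, ESP SPIs: c2088c97_i de446e40_o
    vpn-57-9{338}:  AES_CBC_128/HMAC_SHA1_96, 4148 bytes_i (46 pkts, 1s ago), 0 bytes_o, rekeying in 5 minutes
    vpn-57-9{338}:   10.57.11.9/32 === 10.22.11.9/32
"""

ESP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ESP\(spi=0x(?P<spi>[0-9a-f]+),seq=0x(?P<seq>[0-9a-f]+)\)"
)
# CHILD_SA names carry a {n} suffix; IKE_SA lines use [n] and are skipped.
SA_RE = re.compile(
    r"^\s*(?P<name>\S+\{\d+\}):\s+INSTALLED.*?ESP SPIs: "
    r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o"
)
REKEY_RE = re.compile(r"^\s*(?P<name>\S+\{\d+\}):.*rekeying in (?P<min>\d+) minutes")


def parse_trace(text):
    """Return [(src, dst, spi, seq)] for every ESP line in a tcpdump dump."""
    pkts = []
    for line in text.splitlines():
        m = ESP_RE.match(line)
        if m:
            pkts.append((m["src"], m["dst"], int(m["spi"], 16), int(m["seq"], 16)))
    return pkts


def parse_child_sas(text):
    """Return {child_name: {"in": spi, "out": spi, "rekey_min": n}}."""
    sas = {}
    for line in text.splitlines():
        m = SA_RE.match(line)
        if m:
            sas[m["name"]] = {"in": int(m["spi_in"], 16), "out": int(m["spi_out"], 16)}
        r = REKEY_RE.match(line)
        if r and r["name"] in sas:
            sas[r["name"]]["rekey_min"] = int(r["min"])
    return sas


def check_spi_consistency(pkts, sas, local_ip):
    """Map each direction's SPI to a CHILD_SA and flag a split.

    Outbound packets (src == local_ip) must carry one of our _o SPIs,
    inbound packets one of our _i SPIs.  A healthy tunnel uses the same
    CHILD_SA both ways; two different names means the peers have each
    picked a different member of a duplicate pair.
    """
    by_out = {v["out"]: k for k, v in sas.items()}
    by_in = {v["in"]: k for k, v in sas.items()}
    used = defaultdict(set)   # direction -> CHILD_SA names seen
    unknown = []              # SPIs that match no installed SA at all
    for src, dst, spi, seq in pkts:
        direction, name = ("out", by_out.get(spi)) if src == local_ip else ("in", by_in.get(spi))
        used[direction].add(name or f"unknown:{spi:08x}")
        if name is None:
            unknown.append((src, spi))
    return {"out": sorted(used["out"]), "in": sorted(used["in"]),
            "split": used["out"] != used["in"], "unknown": unknown}


def newest_child_sa(sas):
    """Heuristic from the post: with equal lifetimes, the SA that rekeys
    latest was installed last.  Assumes both SAs share lifetime settings."""
    return max(sas, key=lambda k: sas[k].get("rekey_min", -1))


if __name__ == "__main__":
    sas = parse_child_sas(STATUS)
    report = check_spi_consistency(parse_trace(TRACE), sas, "192.168.57.9")
    print(report)
    print("newest CHILD_SA:", newest_child_sa(sas))
```

On the inputs from the post the report resolves outbound traffic to vpn-57-9{454} and inbound traffic to vpn-57-9{338}, with no unknown SPIs, so the packets the peer sends are for an SA strongSwan does have installed. If the split is confirmed this way, the next place to look on the strongSwan host is the kernel rather than charon: `ip -s xfrm state` lists per-SA packet counters and error counters, which shows whether packets arriving with the unused inbound SPI are being decrypted, or counted as errors and dropped.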