[strongSwan] [IKEv2 Mobike] error uninstalling route installed with policy

Tobias Brunner tobias at strongswan.org
Thu Aug 21 18:30:26 CEST 2014


Hi Amy,

> Is this error cause ping fail?
> error uninstalling route installed with policy
> 192.168.168.0/24 === 172.16.1.20/32 fwd

That's normal.  Because the interface that was referenced in this route
(eth1) disappeared, the route was already removed by the kernel when
charon eventually tries to uninstall it, so you get this error/warning.

Your main problem is this:

> Aug 21 18:30:19 05[KNL] unable to copy replay state from old SAD entry
> with SPI c84ed7a1
> Aug 21 18:30:19 05[KNL] unable to copy replay state from old SAD entry
> with SPI 0dbbeb51

For some reason retrieving the current ESP sequence numbers for these
SAs failed on your system.

Because we can't update the IPsec SAs installed in the kernel directly,
but have to delete and reinstall them instead, we need to copy the old
replay state to the new SA.  If that fails the newly installed SAs can't
be used as the sequence numbers aren't in-sync between the two peers.
I'm not sure when this could actually fail.  The XFRM_MSG_GETAE query
seems to have been successful (you'd have gotten an additional error
otherwise), and I don't see how the kernel could not return the
requested state without reporting an error.

You could try to add some DBG statements in get_replay_state() in
kernel_netlink_ipsec.c to see what's going on (e.g. what message types
the kernel returns or what attribute types if out_aevent is assigned).

What kernel version do you use?  What strongSwan version?  Any custom
patches applied to either one?

In any case we should probably check early on if get_replay_state()
actually returned anything and fail if it did not so that the IPsec SAs
could be rekeyed (we already use this fallback on other platforms, e.g.
FreeBSD, where updating SAs is not possible at all).

Regards,
Tobias



More information about the Users mailing list