[strongSwan] IKE_SA reauth failed with dual link.

Alexis Salinas asalinas at sierrawireless.com
Tue Jul 15 01:41:40 CEST 2014 

Hello all, 

I have 2 gateways running "Linux strongSwan U4.3.5/K2.6.32-526" configured for IKEv2, net-to-net with MOBIKE enabled.

Gateway-A, the initiator, has 2 links. Gateway-B the responder, has only one link. These are the IP addresses.
gateway-A_link1 = 172.19.78.72
gateway-A_link2 = 10.5.102.102
gateway-B_link1 = 192.168.10.10

Gateway-A uses both links, alternatively, as "default link" (depending of its location). MOBIKE works beautifully when switching links. Gateway-A can only reach gateway-B using the default route.

The problem I'm observing is that if IKE_SA is established on one of gateway-A's link and the link switches  before IKE_REAUTH starts, StrongSwan tries (and fails) to initiate the new IKE_SA using the IP address of the initial link. 

It doesn't matter which link starts, it happens regarding of the direction of the link switch. 

I also tested another machine in place of gateway-A, running Linux strongSwan U5.1.2/K3.4.11-527, with the same result.

Here is an example. The tunnel initially established while gateway-A_link2 was the default route. Default route changed at around 16:00, making gateway-A_link1 the default route.

Jul  7 16:22:34 gateway-A charon: 09[IKE] queueing IKE_REAUTH task
Jul  7 16:22:34 gateway-A charon: 09[IKE] activating new tasks
Jul  7 16:22:34 gateway-A charon: 09[IKE]   activating IKE_REAUTH task
Jul  7 16:22:34 gateway-A charon: 09[IKE] deleting IKE_SA Net-Net[1] between 172.19.78.72[gateway-A]...192.168.10.10[gateway-B]
Jul  7 16:22:34 gateway-A charon: 09[IKE] IKE_SA Net-Net[1] state change: ESTABLISHED => DELETING
Jul  7 16:22:34 gateway-A charon: 09[IKE] sending DELETE for IKE_SA Net-Net[1]
Jul  7 16:22:34 gateway-A charon: 09[NET] sending packet: from 172.19.78.72[4500] to 192.168.10.10[4500]
Jul  7 16:22:34 gateway-A charon: 05[NET] sending packet: from 172.19.78.72[4500] to 192.168.10.10[4500]
Jul  7 16:22:34 gateway-A charon: 06[NET] received packet: from 192.168.10.10[4500] to 172.19.78.72[4500]
Jul  7 16:22:34 gateway-A charon: 06[NET] waiting for data on raw sockets
Jul  7 16:22:34 gateway-A charon: 08[NET] received packet: from 192.168.10.10[4500] to 172.19.78.72[4500]
Jul  7 16:22:34 gateway-A charon: 08[IKE] IKE_SA deleted
Jul  7 16:22:34 gateway-A charon: 08[IKE] queueing IKE_INIT task
Jul  7 16:22:34 gateway-A charon: 08[IKE] queueing IKE_NATD task
Jul  7 16:22:34 gateway-A charon: 08[IKE] queueing IKE_CERT_PRE task
Jul  7 16:22:34 gateway-A charon: 08[IKE] queueing IKE_AUTHENTICATE task
Jul  7 16:22:34 gateway-A charon: 08[IKE] queueing IKE_CERT_POST task
Jul  7 16:22:34 gateway-A charon: 08[IKE] queueing IKE_CONFIG task
Jul  7 16:22:34 gateway-A charon: 08[IKE] queueing IKE_AUTH_LIFETIME task
Jul  7 16:22:34 gateway-A charon: 08[IKE] queueing IKE_MOBIKE task
Jul  7 16:22:34 gateway-A charon: 08[IKE] queueing CHILD_CREATE task
Jul  7 16:22:34 gateway-A charon: 08[IKE] activating new tasks
Jul  7 16:22:34 gateway-A charon: 08[IKE]   activating IKE_INIT task
Jul  7 16:22:34 gateway-A charon: 08[IKE]   activating IKE_NATD task
Jul  7 16:22:34 gateway-A charon: 08[IKE]   activating IKE_CERT_PRE task
Jul  7 16:22:34 gateway-A charon: 08[IKE]   activating IKE_AUTHENTICATE task
Jul  7 16:22:35 gateway-A charon: 08[IKE]   activating IKE_CERT_POST task
Jul  7 16:22:35 gateway-A charon: 08[IKE]   activating IKE_CONFIG task
Jul  7 16:22:35 gateway-A charon: 08[IKE]   activating CHILD_CREATE task
Jul  7 16:22:35 gateway-A charon: 08[IKE]   activating IKE_AUTH_LIFETIME task
Jul  7 16:22:35 gateway-A charon: 08[IKE]   activating IKE_MOBIKE task
Jul  7 16:22:35 gateway-A charon: 08[IKE] initiating IKE_SA Net-Net[2] to 192.168.10.10
Jul  7 16:22:35 gateway-A charon: 08[IKE] IKE_SA Net-Net[2] state change: CREATED => CONNECTING
Jul  7 16:22:35 gateway-A charon: 08[NET] sending packet: from 10.5.102.102[500] to 192.168.10.10[500]
Jul  7 16:22:35 gateway-A charon: 05[NET] sending packet: from 10.5.102.102[500] to 192.168.10.10[500]
Jul  7 16:22:35 gateway-A charon: 05[NET] error writing to socket: Operation not permitted
Jul  7 16:22:35 gateway-A charon: 08[IKE] queueing CHILD_CREATE task
Jul  7 16:22:35 gateway-A charon: 08[IKE] delaying task initiation, exchange in progress
Jul  7 16:22:35 gateway-A charon: 08[IKE] IKE_SA Net-Net[1] state change: DELETING => DESTROYING
Jul  7 16:22:39 gateway-A charon: 08[IKE] retransmit 1 of request with message ID 0
Jul  7 16:22:39 gateway-A charon: 08[NET] sending packet: from 10.5.102.102[500] to 192.168.10.10[500]
Jul  7 16:22:39 gateway-A charon: 05[NET] sending packet: from 10.5.102.102[500] to 192.168.10.10[500]
Jul  7 16:22:39 gateway-A charon: 05[NET] error writing to socket: Operation not permitted
Jul  7 16:22:46 gateway-A charon: 09[IKE] retransmit 2 of request with message ID 0
Jul  7 16:22:46 gateway-A charon: 09[NET] sending packet: from 10.5.102.102[500] to 192.168.10.10[500]
Jul  7 16:22:46 gateway-A charon: 05[NET] sending packet: from 10.5.102.102[500] to 192.168.10.10[500]
Jul  7 16:22:46 gateway-A charon: 05[NET] error writing to socket: Operation not permitted
Jul  7 16:22:59 gateway-A charon: 09[IKE] retransmit 3 of request with message ID 0
Jul  7 16:22:59 gateway-A charon: 09[NET] sending packet: from 10.5.102.102[500] to 192.168.10.10[500]
Jul  7 16:22:59 gateway-A charon: 05[NET] sending packet: from 10.5.102.102[500] to 192.168.10.10[500]
Jul  7 16:22:59 gateway-A charon: 05[NET] error writing to socket: Operation not permitted
Jul  7 16:23:22 gateway-A charon: 09[IKE] retransmit 4 of request with message ID 0
Jul  7 16:23:22 gateway-A charon: 09[NET] sending packet: from 10.5.102.102[500] to 192.168.10.10[500]
Jul  7 16:23:22 gateway-A charon: 05[NET] sending packet: from 10.5.102.102[500] to 192.168.10.10[500]
Jul  7 16:23:22 gateway-A charon: 05[NET] error writing to socket: Operation not permitted
Jul  7 16:24:04 gateway-A charon: 08[IKE] retransmit 5 of request with message ID 0
Jul  7 16:24:04 gateway-A charon: 08[NET] sending packet: from 10.5.102.102[500] to 192.168.10.10[500]
Jul  7 16:24:04 gateway-A charon: 05[NET] sending packet: from 10.5.102.102[500] to 192.168.10.10[500]
Jul  7 16:24:04 gateway-A charon: 05[NET] error writing to socket: Operation not permitted
Jul  7 16:24:42 gateway-A charon: 01[IKE] destroying IKE_SA in state CONNECTING without notification
Jul  7 16:24:42 gateway-A charon: 01[IKE] IKE_SA Net-Net[2] state change: CONNECTING => DESTROYING
Jul  7 16:24:44 gateway-A charon: 06[NET] waiting for data on raw sockets

Is this a known problem? Is there a setting I can use to correct this behaviour, r work around it? How does charon figure out which of the 2 links it uses to start the new IKE_SA?

Thank in advanced for you help.
Alexis.

More information about the Users mailing list