[strongSwan] Random IPSEC IKE1 Dropping

Noel Kuntze noel at familie-kuntze.de
Mon Jul 21 20:31:55 CEST 2014



Hello Bradley,

Sorry, the log snippet doesn't provide enough information to make a judgement. I advise increasing the log levels: DEFAULT to 3, and ENC, JOB and ASN to 1.
That will produce a log that has more usable information.

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 21.07.2014 20:13, Turnbough, Bradley E. wrote:
> Thanks Noel.
>
> Can you tell me why it negotiates correctly the first time (and works properly, I might add), but refuses to renegotiate after a delete event?
>
> It appears that maybe the SA is timing out due to inactivity, and is subsequently deleted.  Once new traffic is detected, it goes through its paces to reestablish.  Is this a correct observation?
>
> Thanks,
>
> Brad
> ________________________________
> From: Turnbough, Bradley E.
> Sent: Monday, July 21, 2014 12:47 PM
> To: users at lists.strongswan.org
> Subject: Random IPSEC IKE1 Dropping
>
> Update:
>
> I was able to catch the failure happening.  This is a grepped charon.log.  The failure was detected by my NMS between 13:26 and 13:27.  Why am I continually experiencing issues with my IKEv1 tunnels?  Does anyone have any insight into this?
>
> Jul 21 13:25:16 02[IKE] <customer-sa-01|100> queueing QUICK_DELETE task
> Jul 21 13:25:16 02[IKE] <customer-sa-01|100> activating new tasks
> Jul 21 13:25:16 02[IKE] <customer-sa-01|100>   activating QUICK_DELETE task
> Jul 21 13:25:16 02[IKE] <customer-sa-01|100> closing expired CHILD_SA customer-sa-07{18} with SPIs ca4c0040_i 8ef96c82_o and TS a.b.c.0/24 === d.e.0.0/16
> Jul 21 13:25:16 02[IKE] <customer-sa-01|100> sending DELETE for ESP CHILD_SA with SPI ca4c0040
> Jul 21 13:25:16 02[ENC] <customer-sa-01|100> generating INFORMATIONAL_V1 request 1724216626 [ HASH D ]
> Jul 21 13:25:16 02[NET] <customer-sa-01|100> sending packet: from f.g.h.i[4500] to j.k.l.m[4500] (76 bytes)
> Jul 21 13:25:16 02[IKE] <customer-sa-01|100> activating new tasks
> Jul 21 13:25:16 02[IKE] <customer-sa-01|100> nothing to initiate
> Jul 21 13:25:16 08[NET] sending packet: from f.g.h.i[4500] to j.k.l.m[4500]
> Jul 21 13:25:16 14[IKE] <customer-sa-01|100> queueing QUICK_DELETE task
> Jul 21 13:25:16 14[IKE] <customer-sa-01|100> activating new tasks
> Jul 21 13:25:16 14[IKE] <customer-sa-01|100>   activating QUICK_DELETE task
> Jul 21 13:25:16 14[IKE] <customer-sa-01|100> activating new tasks
> Jul 21 13:25:16 14[IKE] <customer-sa-01|100> nothing to initiate
> Jul 21 13:29:07 13[IKE] <customer-sa-01|100> sending keep alive to j.k.l.m[4500]
> Jul 21 13:29:07 08[NET] sending packet: from f.g.h.i[4500] to j.k.l.m[4500]
> Jul 21 13:29:23 07[NET] received packet: from j.k.l.m[500] to f.g.h.i[500]
> Jul 21 13:29:23 01[NET] <109> received packet: from j.k.l.m[500] to f.g.h.i[500] (264 bytes)
> Jul 21 13:29:23 01[IKE] <109> j.k.l.m is initiating a Main Mode IKE_SA
> Jul 21 13:29:23 01[NET] <109> sending packet: from f.g.h.i[500] to j.k.l.m[500] (140 bytes)
> Jul 21 13:29:23 08[NET] sending packet: from f.g.h.i[500] to j.k.l.m[500]
> Jul 21 13:29:23 07[NET] received packet: from j.k.l.m[500] to f.g.h.i[500]
> Jul 21 13:29:23 15[NET] <109> received packet: from j.k.l.m[500] to f.g.h.i[500] (100 bytes)
> Jul 21 13:29:24 07[NET] received packet: from j.k.l.m[500] to f.g.h.i[500]
> Jul 21 13:29:24 14[NET] <110> received packet: from j.k.l.m[500] to f.g.h.i[500] (264 bytes)
> Jul 21 13:29:24 14[IKE] <110> j.k.l.m is initiating a Main Mode IKE_SA
> Jul 21 13:29:24 14[NET] <110> sending packet: from f.g.h.i[500] to j.k.l.m[500] (140 bytes)
> Jul 21 13:29:24 08[NET] sending packet: from f.g.h.i[500] to j.k.l.m[500]
> Jul 21 13:29:24 07[NET] received packet: from j.k.l.m[500] to f.g.h.i[500]
> Jul 21 13:29:24 02[NET] <110> received packet: from j.k.l.m[500] to f.g.h.i[500] (100 bytes)
> Jul 21 13:29:25 07[NET] received packet: from j.k.l.m[500] to f.g.h.i[500]
> Jul 21 13:29:25 13[NET] <111> received packet: from j.k.l.m[500] to f.g.h.i[500] (264 bytes)
> Jul 21 13:29:25 13[IKE] <111> j.k.l.m is initiating a Main Mode IKE_SA
>
>
>
>
> -------------------Original post:------------------
>
>
> Hello All,
>
> I'm currently running this config on an active strongSwan box.  I am running CentOS 6.5 (fully patched) alongside strongSwan version "Linux strongSwan U5.0.4/K2.6.32-431.3.1.el6.x86_6"
>
> We upgraded a while back from a version that still used pluto to this new version (which uses charon).  We've started to experience random conn drops (primarily on sa-01 and sa-05).  The only way to resolve this that I've found is to perform a 'service strongswan restart'.  This is not the only conn which experiences this, so I'm thinking this may be a configuration issue or a bug.  The problem is, I don't necessarily know much about ipsec.  I'm hoping someone can help me out.  Can anyone?  Please?
>
> conn customer-sa-01
>   auto=start
>   rightsubnet=A.0.0.0/8
>   also=customer-default
>
> conn customer-sa-02
>   auto=start
>   rightsubnet=B.C.0.0/16
>   also=customer-default
>
> conn customer-sa-03
>   auto=start
>   rightsubnet=D.E.0.0/16
>   also=customer-default
>
> conn customer-sa-04
>   auto=start
>   rightsubnet=F.G.0.0/15
>   also=customer-default
>
> conn customer-sa-05
>   auto=start
>   rightsubnet=H.I.0.0/15
>   also=customer-default
>
> conn customer-sa-06
>   auto=start
>   rightsubnet=J.K.0.0/16
>   also=customer-default
>
> conn customer-sa-07
>   auto=start
>   rightsubnet=L.M.0.0/16
>   also=customer-default
>
> conn customer-sa-08
>   auto=start
>   rightsubnet=N.O.P.Q/32
>   also=customer-default
>
> conn customer-default
>   keyingtries=%forever
>   authby=secret
>   left=R.S.T.U
>   leftsubnet=V.W.X.0/24
>   right=Y.Z.AA.BB
>   rightallowany=yes
>   keyexchange=ikev1
>   ikelifetime=480m
>   keylife=3600s
>   mobike=no
>   ike=aes256-sha1-modp1024
>   esp=3des-md5
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

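The logging change Noel recommends, written out as a strongswan.conf fragment. This is an added example, not a configuration taken from the thread or from the strongSwan project; the log file path and the time_format are assumptions, chosen so the output has the same shape as the charon.log lines Brad posted (which already carry a timestamp and the IKE_SA name, i.e. ike_name = yes).

```conf
# /etc/strongswan.conf (fragment; added example, path and time_format assumed)
charon {
    filelog {
        /var/log/charon.log {
            time_format = %b %e %T   # "Jul 21 13:25:16", as in the posted log
            ike_name = yes           # prefix lines with <conn-name|IKE_SA id>
            append = no
            flush_line = yes         # no buffering, so a crash loses nothing
            default = 3              # everything at level 3 ...
            enc = 1                  # ... except these three, which Noel asks for at 1
            job = 1
            asn = 1
        }
    }
}
```

Level 3 includes raw hex dumps of what each subsystem handles, which is why ENC is held back to 1 (at 3 it would dump every encoded and decoded packet, and JOB and ASN would be just as noisy). Level 4 would additionally log keying material; stay below it on a production box, keep the file root-only and rotated, since the log becomes large quickly with eight tunnels, and restart charon (the 'service strongswan restart' the poster already uses) for the logger settings to take effect.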


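The posted log shows a CHILD_SA being closed on expiry, a DELETE going out, and then the peer opening three new Main Mode IKE_SAs (<109>, <110>, <111>) within three seconds with none of them reported as established. The following script, an added example that is not part of the thread or of strongSwan, parses charon.log lines in that format (filelog with time_format = %b %e %T and ike_name = yes is assumed) and flags exactly that pattern, so the condition can be caught by a log watcher instead of an NMS ping. The sample lines are constructed and modelled on the post; the p.q.r.s peer is a made-up control case whose Main Mode completes. The script reports the pattern only; it does not diagnose why the negotiation stalls.

```python
"""Added example, not from the thread or from strongSwan: parse charon.log
lines (filelog, time_format = %b %e %T, ike_name = yes, all assumed) and flag
a peer that keeps starting IKEv1 Main Mode IKE_SAs that never get established."""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
    r"(?:<(?:(?P<name>[^|>]+)\|)?(?P<id>\d+)> )?"
    r"(?P<msg>.*)$"
)
MAIN_MODE_RE = re.compile(r"^(?P<peer>\S+) is initiating a Main Mode IKE_SA")
ESTABLISHED_RE = re.compile(r"^IKE_SA \S+\[(?P<id>\d+)\] established")
EXPIRED_RE = re.compile(
    r"^closing expired CHILD_SA (?P<child>\S+) with SPIs (?P<spi_in>\S+) (?P<spi_out>\S+)"
)

def parse_line(line):
    """One charon.log line -> dict, or None if the line is not in that format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return {
        # the log carries no year, so the datetime is only good for differences
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "thread": int(m.group("thread")),
        "group": m.group("group"),
        "name": m.group("name"),  # None while the IKE_SA has no conn name yet
        "id": int(m.group("id")) if m.group("id") else None,
        "msg": m.group("msg").strip(),
    }

def expired_child_sas(lines):
    """(IKE_SA name, CHILD_SA, inbound SPI, outbound SPI) for each CHILD_SA
    charon closed because its lifetime ran out."""
    found = []
    for e in filter(None, map(parse_line, lines)):
        m = EXPIRED_RE.match(e["msg"])
        if m:
            found.append((e["name"], m.group("child"), m.group("spi_in"), m.group("spi_out")))
    return found

def stalled_main_mode(lines, window_s=120, min_attempts=2):
    """Peers that started at least min_attempts Main Mode IKE_SAs within
    window_s seconds, none of which the log reports as established."""
    established, attempts = set(), {}
    for e in filter(None, map(parse_line, lines)):
        m = ESTABLISHED_RE.match(e["msg"])
        if m:
            established.add(int(m.group("id")))
            continue
        m = MAIN_MODE_RE.match(e["msg"])
        if m and e["id"] is not None:
            attempts.setdefault(m.group("peer"), []).append((e["ts"], e["id"]))
    findings = []
    for peer, tries in attempts.items():
        tries = [t for t in tries if t[1] not in established]  # drop the ones that completed
        i = 0
        while i < len(tries):  # group attempts that fall inside one window
            j = i
            while j + 1 < len(tries) and (tries[j + 1][0] - tries[i][0]).total_seconds() <= window_s:
                j += 1
            if j - i + 1 >= min_attempts:
                findings.append({
                    "peer": peer,
                    "attempts": j - i + 1,
                    "ike_sa_ids": [t[1] for t in tries[i:j + 1]],
                    "first": tries[i][0].strftime("%b %d %H:%M:%S"),
                    "last": tries[j][0].strftime("%b %d %H:%M:%S"),
                })
            i = j + 1
    return findings

# Constructed sample modelled on the lines in the post (the poster's address
# placeholders kept); p.q.r.s is a made-up control peer whose Main Mode completes.
SAMPLE_LOG = """\
Jul 21 13:25:16 02[IKE] <customer-sa-01|100> closing expired CHILD_SA customer-sa-07{18} with SPIs ca4c0040_i 8ef96c82_o and TS a.b.c.0/24 === d.e.0.0/16
Jul 21 13:25:16 02[IKE] <customer-sa-01|100> sending DELETE for ESP CHILD_SA with SPI ca4c0040
Jul 21 13:25:16 02[ENC] <customer-sa-01|100> generating INFORMATIONAL_V1 request 1724216626 [ HASH D ]
Jul 21 13:25:16 08[NET] sending packet: from f.g.h.i[4500] to j.k.l.m[4500]
Jul 21 13:29:07 13[IKE] <customer-sa-01|100> sending keep alive to j.k.l.m[4500]
Jul 21 13:29:23 01[IKE] <109> j.k.l.m is initiating a Main Mode IKE_SA
Jul 21 13:29:23 01[NET] <109> sending packet: from f.g.h.i[500] to j.k.l.m[500] (140 bytes)
Jul 21 13:29:24 14[IKE] <110> j.k.l.m is initiating a Main Mode IKE_SA
Jul 21 13:29:25 13[IKE] <111> j.k.l.m is initiating a Main Mode IKE_SA
Jul 21 13:30:01 03[IKE] <112> p.q.r.s is initiating a Main Mode IKE_SA
Jul 21 13:30:02 03[IKE] <customer-sa-02|112> IKE_SA customer-sa-02[112] established between f.g.h.i[f.g.h.i]...p.q.r.s[p.q.r.s]
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for sa in expired_child_sas(lines):
        print("expired CHILD_SA %s in IKE_SA %s (SPIs %s %s)" % (sa[1], sa[0], sa[2], sa[3]))
    for f in stalled_main_mode(lines):
        print("%(peer)s: %(attempts)d Main Mode attempts %(first)s..%(last)s, "
              "IKE_SA ids %(ike_sa_ids)s, none established" % f)
```

Run it against a real charon.log with `stalled_main_mode(open("/var/log/charon.log"))`; the window and attempt threshold are the knobs to tune, since a single retransmitted Main Mode message is normal and only a run of fresh IKE_SA ids without a matching "established" line is worth paging on. The "established" match is on the IKE_SA id, which is why the parser keeps the `<name|id>` prefix separate from the message.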
