[strongSwan] reauthentication fail with unable to add policy

Sial Nije sialnije at gmail.com
Thu Mar 13 22:54:30 CET 2014


Hi all,

I am running StrongSwan 4.4.1.
I will ask the questions first, then list the log after.

1. What could cause "unable to add policy" at reauthentication time? Kernal
already has those policies installed? resource exhausted? What else?
2. In our lab or when things are working fine, I see logs like below during
reauthentication:
- deleting duplicate IKE_SA for peer blah blah due to uniqueness policy
- queueing and activating IKE_DELETE task
- policy 0.0.0.0/0 === 10.10.10.0/24 out already exists, increasing refcount
What could cause the responder to not realized that this is
re-authentication of an existing peer?


We have a customer with a few hundred units connecting to an IPSec server.
Things were okay for a few months. Then re-authentication failed on all the
units.
Typical log:
--------------------------------------------------------------------------------------------------------
charon: 04[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) ]
charon: 04[IKE] 2.2.2.2 is initiating an IKE_SA
charon: 04[IKE] 2.2.2.2 is initiating an IKE_SA
charon: 04[IKE] local host is behind NAT, sending keep alives
charon: 04[IKE] remote host is behind NAT
charon: 04[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(MULT_AUTH) ]
charon: 04[NET] sending packet: from 10.128.3.70[500] to 2.2.2.2[6457]
charon: 13[NET] received packet: from 70.208.23.77[2618] to 10.128.3.70[500]
charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) ]
charon: 02[NET] received packet: from 2.2.2.2[6457] to 10.128.3.70[4500]
charon: 02[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr
N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) ]
charon: 02[CFG] looking for peer configs matching
10.128.3.70[1.1.1.1]...2.2.2.2[SOMESERIALNUM]
charon: 13[IKE] 70.208.23.77 is initiating an IKE_SA
charon: 13[IKE] 70.208.23.77 is initiating an IKE_SA
charon: 02[CFG] selected peer config 'peer-SOMESERIALNUM-tunnel-1'
charon: 02[IKE] authentication of 'SOMESERIALNUM' with pre-shared key
successful
charon: 02[IKE] peer supports MOBIKE
charon: 02[IKE] authentication of '1.1.1.1' (myself) with pre-shared key
charon: 02[IKE] IKE_SA peer-SOMESERIALNUM-tunnel-1[16] established between
10.128.3.70[1.1.1.1]...2.2.2.2[SOMESERIALNUM]
charon: 02[IKE] IKE_SA peer-SOMESERIALNUM-tunnel-1[16] established between
10.128.3.70[1.1.1.1]...2.2.2.2[SOMESERIALNUM]
charon: 02[KNL] unable to add policy 0.0.0.0/0 === 10.121.10.80/28 out
charon: 02[KNL] unable to add policy 10.121.10.80/28 === 0.0.0.0/0 in
charon: 02[KNL] unable to add policy 10.121.10.80/28 === 0.0.0.0/0 fwd
charon: 02[IKE] unable to install IPsec policies (SPD) in kernel
charon: 02[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP)
N(ADD_4_ADDR) N(TS_UNACCEPT) ]

- Then a few DPDs sent from the IPsec server to the unit.
- Then the unit try IKE INIT again and is successful.
- The connection would stay up for the duration of ikelifetime.
- Then the cycle repeats.
--------------------------------------------------------------------------------------------------------

After rebooted the server, the same condition persisted for a few hours
before getting back to
normal?! Now there are a few "unable to add policy" in the server log once
every few hours.

Regards,
sialnije
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140313/c32b8f30/attachment.html>


More information about the Users mailing list