[strongSwan] reauthentication fail with unable to add policy

Sial Nije sialnije at gmail.com
Fri Mar 14 20:32:45 CET 2014


Hi all,

I am running StrongSwan 4.4.1.
I will ask the questions first, then list the log after.

1. What could cause "unable to add policy" at reauthentication time? Kernel
already has those policies installed? Resources exhausted? What else?
2. In our lab or when things are working fine, I see logs like below during
reauthentication:
- deleting duplicate IKE_SA for peer blah blah due to uniqueness policy
- queueing and activating IKE_DELETE task
- policy 0.0.0.0/0 === 10.10.10.0/24 out already exists, increasing refcount
What could cause the responder to not realize that this is a
re-authentication of an existing peer?


We have a customer with a few hundred units connecting to an IPSec server.
Things were okay for a few months. Then re-authentication failed on all the
units.
Typical log:
--------------------------------------------------------------------------------------------------------
charon: 04[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) ]
charon: 04[IKE] 2.2.2.2 is initiating an IKE_SA
charon: 04[IKE] 2.2.2.2 is initiating an IKE_SA
charon: 04[IKE] local host is behind NAT, sending keep alives
charon: 04[IKE] remote host is behind NAT
charon: 04[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(MULT_AUTH) ]
charon: 04[NET] sending packet: from 10.128.3.70[500] to 2.2.2.2[6457]
charon: 13[NET] received packet: from 3.3.3.3[2618] to 10.128.3.70[500]
charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) ]
charon: 02[NET] received packet: from 2.2.2.2[6457] to 10.128.3.70[4500]
charon: 02[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr
N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) ]
charon: 02[CFG] looking for peer configs matching
10.128.3.70[1.1.1.1]...2.2.2.2[SOMESERIALNUM]
charon: 13[IKE] 3.3.3.3 is initiating an IKE_SA
charon: 13[IKE] 3.3.3.3 is initiating an IKE_SA
charon: 02[CFG] selected peer config 'peer-SOMESERIALNUM-tunnel-1'
charon: 02[IKE] authentication of 'SOMESERIALNUM' with pre-shared key
successful
charon: 02[IKE] peer supports MOBIKE
charon: 02[IKE] authentication of '1.1.1.1' (myself) with pre-shared key
charon: 02[IKE] IKE_SA peer-SOMESERIALNUM-tunnel-1[16] established between
10.128.3.70[1.1.1.1]...2.2.2.2[SOMESERIALNUM]
charon: 02[IKE] IKE_SA peer-SOMESERIALNUM-tunnel-1[16] established between
10.128.3.70[1.1.1.1]...2.2.2.2[SOMESERIALNUM]
charon: 02[KNL] unable to add policy 0.0.0.0/0 === 10.121.10.80/28 out
charon: 02[KNL] unable to add policy 10.121.10.80/28 === 0.0.0.0/0 in
charon: 02[KNL] unable to add policy 10.121.10.80/28 === 0.0.0.0/0 fwd
charon: 02[IKE] unable to install IPsec policies (SPD) in kernel
charon: 02[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP)
N(ADD_4_ADDR) N(TS_UNACCEPT) ]

- Then a few DPDs sent from the IPsec server to the unit.
- Then the unit tries IKE_INIT again and is successful.
- The connection would stay up for the duration of ikelifetime.
- Then the cycle repeats.
--------------------------------------------------------------------------------------------------------

After rebooting the server, the same condition persisted for a few hours
before getting back to normal?! Maybe the remote sites were still in
re-authentication mode and the IKE_SA_INIT msg looks different from the
IKE_INIT for a brand new connection?!

After things settle down there are only a few "unable to add policy"
messages in the server log once every few hours.

Regards,
sialnije
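Added example, not part of the post above and not strongSwan project code: a small log correlator that groups charon lines per peer and separates the failing pattern quoted above (IKE_SA established, then "unable to add policy" and a TS_UNACCEPT response) from a reauthentication that charon recognised (duplicate IKE_SA deleted, policy refcount increased). The embedded log lines are constructed to mirror the formats quoted in the post; attributing lines to a peer through the charon worker thread number is an assumption about charon's logging (the thread that logs "established" finishes that IKE_AUTH exchange), and the exact wording of the "deleting duplicate" line is taken from the post's paraphrase.

```python
"""Correlate charon log lines per peer: SPD install failures after a
successful IKE_AUTH versus reauthentications that charon recognised."""
import re
from collections import defaultdict

# Constructed sample log (not from the post): peer A1 reproduces the failing
# pattern, peer B2 shows a reauthentication charon recognised.
SAMPLE_LOG = """\
charon: 02[IKE] IKE_SA peer-A1-tunnel-1[16] established between 10.128.3.70[1.1.1.1]...2.2.2.2[A1]
charon: 02[KNL] unable to add policy 0.0.0.0/0 === 10.121.10.80/28 out
charon: 02[KNL] unable to add policy 10.121.10.80/28 === 0.0.0.0/0 in
charon: 02[KNL] unable to add policy 10.121.10.80/28 === 0.0.0.0/0 fwd
charon: 02[IKE] unable to install IPsec policies (SPD) in kernel
charon: 02[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(ADD_4_ADDR) N(TS_UNACCEPT) ]
charon: 05[IKE] deleting duplicate IKE_SA for peer 'B2' due to uniqueness policy
charon: 05[IKE] IKE_SA peer-B2-tunnel-1[17] established between 10.128.3.70[1.1.1.1]...3.3.3.3[B2]
charon: 05[KNL] policy 0.0.0.0/0 === 10.10.10.0/24 out already exists, increasing refcount
charon: 05[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) SA TSi TSr ]
"""

# "<thread>[GROUP] message", with an optional syslog/"charon: " prefix.
LINE = re.compile(r"^(?:.*?charon: )?(?P<thr>\d+)\[(?P<grp>[A-Z]+)\] (?P<msg>.*)$")
ESTABLISHED = re.compile(
    r"IKE_SA (?P<conn>\S+)\[\d+\] established between \S+?\.\.\.[^\[\s]+\[(?P<peer>[^\]]+)\]")
UNABLE_POLICY = re.compile(r"unable to add policy (?P<policy>.+)$")
SPD_FAIL = re.compile(r"unable to install IPsec policies \(SPD\) in kernel")
REFCOUNT = re.compile(r"policy (?P<policy>.+) already exists, increasing refcount")
DUP_DELETE = re.compile(r"deleting duplicate IKE_SA for peer '(?P<peer>[^']+)' due to uniqueness policy")
AUTH_RESP = re.compile(r"generating IKE_AUTH response \d+ \[(?P<payloads>[^\]]*)\]")


def _new_stat():
    return {"established": 0, "spd_failures": 0, "failed_policies": [],
            "ts_unaccept": 0, "dup_deleted": 0, "refcount_hits": 0}


def analyze(log_text):
    """Return {peer_id: stat}. Assumption: the worker thread that logs
    'established' also logs the rest of that IKE_AUTH exchange up to the
    'generating IKE_AUTH response' line; thread numbers are reused later,
    so the thread->peer mapping is dropped once the response is generated."""
    stats = defaultdict(_new_stat)
    active = {}  # thread number -> peer id of the exchange in progress
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        thr, msg = m.group("thr"), m.group("msg")
        e = ESTABLISHED.search(msg)
        if e:
            stats[e.group("peer")]["established"] += 1
            active[thr] = e.group("peer")
            continue
        d = DUP_DELETE.search(msg)
        if d:  # names the peer directly, no thread correlation needed
            stats[d.group("peer")]["dup_deleted"] += 1
            continue
        peer = active.get(thr)
        if peer is None:
            continue
        u = UNABLE_POLICY.search(msg)
        if u:
            stats[peer]["failed_policies"].append(u.group("policy"))
        elif SPD_FAIL.search(msg):
            stats[peer]["spd_failures"] += 1
        elif REFCOUNT.search(msg):
            stats[peer]["refcount_hits"] += 1
        else:
            a = AUTH_RESP.search(msg)
            if a:
                if "N(TS_UNACCEPT)" in a.group("payloads"):
                    stats[peer]["ts_unaccept"] += 1
                active.pop(thr, None)  # exchange finished on this thread
    return dict(stats)


def classify(stat):
    """Label one peer's record from the evidence collected above."""
    if stat["spd_failures"] or stat["failed_policies"]:
        return "spd-install-failure"
    if stat["dup_deleted"] or stat["refcount_hits"]:
        return "reauth-recognized"
    return "fresh"


def reauth_loop_suspects(stats):
    """Peers that authenticated but got no CHILD_SA (the loop in the post)."""
    return sorted(p for p, s in stats.items()
                  if s["established"] and (s["spd_failures"] or s["ts_unaccept"]))


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for peer, stat in sorted(result.items()):
        print(peer, classify(stat), stat["failed_policies"])
    print("suspects:", reauth_loop_suspects(result))
```

On a live server the `failed_policies` selectors reported for a peer can be compared with the current SPD (`ip xfrm policy`) to see whether an entry for those selectors is still present from an earlier IKE_SA.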