[strongSwan] unable to install policy
Raoul Duke
rduke496 at gmail.com
Sat Nov 15 02:14:12 CET 2014
Hi,
I have a problem with iOS (IKEv1) clients becoming
blocked/unresponsive (users have used the word "hosed").
This seems to coincide with a log message "unable to install policy"
(see snippet of logging at the end of this message). I believe the
attached log snippet was subsequent to a disconnect and the client is
reconnecting at the point of the log message.
When I look at "ipsec status" for people in the offending state they
seem to be in the "ESTABLISHED" state but without the "INSTALLED,
TUNNEL".
I currently see this on version 5.2.1 but I believe I have seen it
previously on version 5.1.1. In fact I believe this may have been a
thorn in my side for some time but I had been unable to characterize
it very well as it is not happening that often (maybe once a day a
user will complain about this).
Some Googling led me to this ticket:
https://wiki.strongswan.org/issues/431
Is this the same issue? Or something else? This seems related to
rekeying, which I'm not sure is the same as my issue.
Here is my ipsec.conf config:

config setup
    uniqueids = yes
    charondebug = 1

conn ios
    keyexchange=ikev1
    authby=rsasig
    rightauth2=xauth-noauth
    xauth=server
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    leftcert=serverCert.pem
    right=%any
    rightsourceip=10.0.0.0/16
    auto=add
    rekey=no

I don't believe I had this problem with version 5.0.2
Anyway, here are my questions:
1] what can I do to avoid / mitigate / work-around the problem. I'm
happy to try any suggestions, however crude/creative. In my case:
users complaining about blocked traffic is significantly worse than
almost any other situation and a real deal breaker for their
confidence in the system.
Are there configuration options I can use to mitigate this issue? I read
about the dead peer detection stuff but I am unclear how best to use
it, and I'd rather not use config unless I understand the consequences
of it. Would that help here? If so, please advise on some appropriate
options and how they would help.
2] I tracked down the "unable to install policy" log message as being
introduced by the following change:
https://wiki.strongswan.org/projects/strongswan/repository/revisions/1551d8b13d14028fc26fb1a363c33aa3a1200882
I have established that this change is not present in version 5.0.4.
Would I have fewer troubles with that version (if I installed the
latest security patches) than with 5.1.x or later? My definition of fewer
problems is the user not noticing any blocking of traffic. Or would I
be opening myself up to other bugs that way? i.e. does the 5.0.4
release have any other show-stoppers that would come back to bite me
in other ways?
Note: I am not calling into question the merits of the code change.
I'm sure it is entirely a force for good. However, can I ask: what
are the consequences of the old behaviour (before this change) in my
case?
3] Trying to think outside the box a bit: I was wondering if setting
"uniqueids=no" would help the situation, in that it could work around
the need for the discussed code path. Would that help? Would you
recommend it? It may well be a dumb idea. Just thinking out loud.
All input appreciated.
Thanks.
Nov 13 07:16:06 debian charon: 15[ENC] parsed QUICK_MODE request 650389571 [ HASH SA No ID ID ]
Nov 13 07:16:06 debian charon: 15[IKE] received 3600s lifetime, configured 0s
Nov 13 07:16:06 debian charon: 15[ENC] generating QUICK_MODE response 650389571 [ HASH SA No ID ID ]
Nov 13 07:16:06 debian charon: 15[NET] sending packet: from X.X.X.X[4500] to Y.Y.Y.Y[4500] (172 bytes)
Nov 13 07:16:06 debian charon: 09[NET] received packet: from Y.Y.Y.Y[4500] to X.X.X.X[4500] (60 bytes)
Nov 13 07:16:06 debian charon: 09[ENC] parsed QUICK_MODE request 650389571 [ HASH ]
Nov 13 07:16:06 debian charon: 09[CFG] unable to install policy 0.0.0.0/0 === 10.0.0.5/32 out (mark 0/0x00000000) for reqid 179, the same policy for reqid 171 exists
Nov 13 07:16:06 debian charon: 09[CFG] unable to install policy 10.0.0.5/32 === 0.0.0.0/0 in (mark 0/0x00000000) for reqid 179, the same policy for reqid 171 exists
Nov 13 07:16:06 debian charon: 09[CFG] unable to install policy 10.0.0.5/32 === 0.0.0.0/0 fwd (mark 0/0x00000000) for reqid 179, the same policy for reqid 171 exists
Nov 13 07:16:06 debian charon: 09[CFG] unable to install policy 0.0.0.0/0 === 10.0.0.5/32 out (mark 0/0x00000000) for reqid 179, the same policy for reqid 171 exists
Nov 13 07:16:06 debian charon: 09[CFG] unable to install policy 10.0.0.5/32 === 0.0.0.0/0 in (mark 0/0x00000000) for reqid 179, the same policy for reqid 171 exists
Nov 13 07:16:06 debian charon: 09[CFG] unable to install policy 10.0.0.5/32 === 0.0.0.0/0 fwd (mark 0/0x00000000) for reqid 179, the same policy for reqid 171 exists
Nov 13 07:16:06 debian charon: 09[IKE] unable to install IPsec policies (SPD) in kernel
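The log snippet above is the only symptom the poster has to go on: a new reqid for a client's virtual IP loses the SPD install because a stale reqid still holds the identical policy, and the client ends up ESTABLISHED without INSTALLED, TUNNEL. The following Python is an added monitoring example, not code from the post or from the strongSwan project. It unwraps mail-client line wrapping, parses the `[CFG] unable to install policy ... for reqid N, the same policy for reqid M exists` lines, and reports per client which stale reqid is blocking which new one and whether all three directions (out, in, fwd) failed, so an operator can alert on the condition before a user complains. The sample log lines are constructed, modelled on the quoted output; the syslog prefix format (`Mon DD HH:MM:SS host charon: NN[GRP]`) is assumed from the snippet.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the charon log quoted in the post.
# Mail-style line wrapping is kept on purpose so unwrap() is exercised.
SAMPLE_LOG = """\
Nov 13 07:16:06 debian charon: 09[ENC] parsed QUICK_MODE request
650389571 [ HASH ]
Nov 13 07:16:06 debian charon: 09[CFG] unable to install policy
0.0.0.0/0 === 10.0.0.5/32 out (mark 0/0x00000000) for reqid 179, the
same policy for reqid 171 exists
Nov 13 07:16:06 debian charon: 09[CFG] unable to install policy
10.0.0.5/32 === 0.0.0.0/0 in (mark 0/0x00000000) for reqid 179, the
same policy for reqid 171 exists
Nov 13 07:16:06 debian charon: 09[CFG] unable to install policy
10.0.0.5/32 === 0.0.0.0/0 fwd (mark 0/0x00000000) for reqid 179, the
same policy for reqid 171 exists
Nov 13 07:16:06 debian charon: 09[IKE] unable to install IPsec
policies (SPD) in kernel
Nov 13 08:02:41 debian charon: 11[CFG] unable to install policy
0.0.0.0/0 === 10.0.0.9/32 out (mark 0/0x00000000) for reqid 203, the
same policy for reqid 190 exists
"""

# A record starts with a syslog timestamp; anything else is a wrapped continuation.
TIMESTAMP_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} ")

POLICY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ charon: "
    r"(?P<thread>\d+)\[CFG\] unable to install policy "
    r"(?P<src>\S+) === (?P<dst>\S+) (?P<dir>out|in|fwd) "
    r"\(mark (?P<mark>[^)]*)\) for reqid (?P<new>\d+), "
    r"the same policy for reqid (?P<old>\d+) exists$"
)

SPD_FAILURE = "unable to install IPsec policies (SPD) in kernel"


def unwrap(text: str) -> List[str]:
    """Join continuation lines back onto the timestamped record they belong to."""
    records: List[str] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if TIMESTAMP_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records


def parse_conflicts(text: str) -> List[dict]:
    """Extract every policy-install conflict, tagging the client's /32 virtual IP."""
    events = []
    for rec in unwrap(text):
        m = POLICY_RE.match(rec)
        if not m:
            continue
        # The roadwarrior's virtual IP is whichever side of the policy is a /32.
        client = m["src"] if m["src"].endswith("/32") else m["dst"]
        events.append({
            "ts": m["ts"], "thread": int(m["thread"]), "client": client,
            "direction": m["dir"], "new_reqid": int(m["new"]),
            "stale_reqid": int(m["old"]), "mark": m["mark"],
        })
    return events


def stale_reqids(text: str) -> Dict[str, dict]:
    """Per client: which stale reqid is blocking which new one, and in which directions."""
    found: Dict[str, dict] = {}
    for ev in parse_conflicts(text):
        entry = found.setdefault(ev["client"], {
            "stale_reqid": ev["stale_reqid"], "new_reqid": ev["new_reqid"],
            "directions": set(), "first_seen": ev["ts"],
        })
        entry["directions"].add(ev["direction"])
    return found


def fully_blocked(text: str) -> List[str]:
    """Clients for which out, in and fwd all failed: traffic in both directions is lost."""
    return sorted(c for c, e in stale_reqids(text).items()
                  if e["directions"] == {"out", "in", "fwd"})


def spd_failures(text: str) -> int:
    """Count of the summary '[IKE] unable to install IPsec policies' records."""
    return sum(1 for rec in unwrap(text) if SPD_FAILURE in rec)


if __name__ == "__main__":
    for client, e in stale_reqids(SAMPLE_LOG).items():
        print(f"{client}: reqid {e['new_reqid']} blocked by stale reqid "
              f"{e['stale_reqid']} ({', '.join(sorted(e['directions']))}) since {e['first_seen']}")
    print("fully blocked clients:", fully_blocked(SAMPLE_LOG))
    print("SPD install failures:", spd_failures(SAMPLE_LOG))
```

Feeding the daemon's syslog output through `stale_reqids()` gives the operator both halves of the pair the log names: the stale reqid to look for in `ipsec statusall` and the client address that is currently stuck, which is exactly what is needed to confirm the ESTABLISHED-without-INSTALLED state the post describes.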