[strongSwan] Issue Upon Rekey Collision.

Tom Rymes trymes at rymes.com
Tue Dec 15 01:36:01 CET 2015


I encountered an issue today with a rekey collision. When it happened, 
the tunnel appeared to be up, but traffic could not traverse the tunnel. 
After digging around, I found this discussion, which seems to be the 
same issue, and the original poster also seems to be using IPFire, as I 
am: 
https://lists.strongswan.org/pipermail/users/2015-January/007365.html . 
I also found a thread on the IPFire forum with a similar problem that 
has lots of details (though sadly no replies) here: 
http://forum.ipfire.org/viewtopic.php?f=27&t=12628

This is a snippet from my logs of when the collision occurred, followed 
by a snippet when I issued "ipsec down TunnelName", where I see errors 
about IPTables rules not existing. My question is whether this is an 
issue with strongSwan (I'm guessing no), or with IPFire and the contents 
of the updown script that they have supplied (I'm guessing that's it). I 
just want to make sure that I am barking up the right tree while looking 
for a solution, so please let me know.

Log snippet of collision:
Dec 14 13:17:28 ipfire charon: 11[KNL] creating rekey job for CHILD_SA 
ESP/0xc68f239f/xxx.xxx.xxx.xxx
Dec 14 13:17:28 ipfire charon: 11[IKE] establishing CHILD_SA HudsonNew{38}
Dec 14 13:17:28 ipfire charon: 11[IKE] establishing CHILD_SA HudsonNew{38}
Dec 14 13:17:28 ipfire charon: 11[ENC] generating CREATE_CHILD_SA 
request 14 [ N(REKEY_SA) N(IPCOMP_SUP) SA No KE TSi TSr ]
Dec 14 13:17:28 ipfire charon: 11[NET] sending packet: from 
xxx.xxx.xxx.xxx[4500] to yyy.yyy.yyy.yyy[4500] (344 bytes)
Dec 14 13:17:28 ipfire charon: 05[NET] received packet: from 
yyy.yyy.yyy.yyy[4500] to xxx.xxx.xxx.xxx[4500] (444 bytes)
Dec 14 13:17:28 ipfire charon: 05[ENC] parsed CREATE_CHILD_SA request 10 
[ N(REKEY_SA) N(IPCOMP_SUP) SA No KE TSi TSr ]
Dec 14 13:17:28 ipfire charon: 05[IKE] CHILD_SA HudsonNew{10483} 
established with SPIs cc94730d_i c654401c_o and TS 10.100.0.0/23 === 
192.168.0.0/24
Dec 14 13:17:28 ipfire charon: 05[IKE] CHILD_SA HudsonNew{10483} 
established with SPIs cc94730d_i c654401c_o and TS 10.100.0.0/23 === 
192.168.0.0/24
Dec 14 13:17:28 ipfire charon: 05[IKE] detected CHILD_REKEY collision 
with CHILD_REKEY
Dec 14 13:17:28 ipfire charon: 05[ENC] generating CREATE_CHILD_SA 
response 10 [ N(IPCOMP_SUP) SA No KE TSi TSr ]
Dec 14 13:17:28 ipfire charon: 05[NET] sending packet: from 
xxx.xxx.xxx.xxx[4500] to yyy.yyy.yyy.yyy[4500] (332 bytes)
Dec 14 13:17:28 ipfire charon: 12[NET] received packet: from 
yyy.yyy.yyy.yyy[4500] to xxx.xxx.xxx.xxx[4500] (332 bytes)
Dec 14 13:17:28 ipfire charon: 12[ENC] parsed CREATE_CHILD_SA response 
14 [ N(IPCOMP_SUP) SA No KE TSi TSr ]
Dec 14 13:17:28 ipfire charon: 12[IKE] CHILD_SA HudsonNew{10482} 
established with SPIs cc4f7fb7_i ccc34f5a_o and TS 10.100.0.0/23 === 
192.168.0.0/24
Dec 14 13:17:28 ipfire charon: 12[IKE] CHILD_SA HudsonNew{10482} 
established with SPIs cc4f7fb7_i ccc34f5a_o and TS 10.100.0.0/23 === 
192.168.0.0/24
Dec 14 13:17:28 ipfire charon: 12[IKE] CHILD_SA rekey collision lost, 
deleting rekeyed child
Dec 14 13:17:29 ipfire charon: 12[IKE] closing CHILD_SA HudsonNew{10482} 
with SPIs cc4f7fb7_i (120 bytes) ccc34f5a_o (145 bytes) and TS 
10.100.0.0/23 === 192.168.0.0/24
Dec 14 13:17:29 ipfire charon: 12[IKE] closing CHILD_SA HudsonNew{10482} 
with SPIs cc4f7fb7_i (120 bytes) ccc34f5a_o (145 bytes) and TS 
10.100.0.0/23 === 192.168.0.0/24
Dec 14 13:17:29 ipfire charon: 12[IKE] sending DELETE for ESP CHILD_SA 
with SPI cc4f7fb7
Dec 14 13:17:29 ipfire charon: 12[ENC] generating INFORMATIONAL request 
15 [ D ]
Dec 14 13:17:29 ipfire charon: 12[NET] sending packet: from 
xxx.xxx.xxx.xxx[4500] to yyy.yyy.yyy.yyy[4500] (69 bytes)
Dec 14 13:17:29 ipfire charon: 06[NET] received packet: from 
yyy.yyy.yyy.yyy[4500] to xxx.xxx.xxx.xxx[4500] (69 bytes)
Dec 14 13:17:29 ipfire charon: 06[ENC] parsed INFORMATIONAL request 11 [ D ]
Dec 14 13:17:29 ipfire charon: 06[IKE] received DELETE for ESP CHILD_SA 
with SPI c46ba5ea
Dec 14 13:17:29 ipfire charon: 06[IKE] closing CHILD_SA HudsonNew{10381} 
with SPIs c68f239f_i (83067013 bytes) c46ba5ea_o (68814191 bytes) and TS 
10.100.0.0/23 === 192.168.0.0/24
Dec 14 13:17:29 ipfire charon: 06[IKE] closing CHILD_SA HudsonNew{10381} 
with SPIs c68f239f_i (83067013 bytes) c46ba5ea_o (68814191 bytes) and TS 
10.100.0.0/23 === 192.168.0.0/24
Dec 14 13:17:29 ipfire charon: 06[IKE] sending DELETE for ESP CHILD_SA 
with SPI c68f239f
Dec 14 13:17:29 ipfire charon: 06[IKE] CHILD_SA closed
Dec 14 13:17:29 ipfire charon: 06[IKE] detected CHILD_REKEY collision 
with CHILD_DELETE
Dec 14 13:17:29 ipfire charon: 06[ENC] generating INFORMATIONAL response 
11 [ D ]
Dec 14 13:17:29 ipfire charon: 06[NET] sending packet: from 
xxx.xxx.xxx.xxx[4500] to yyy.yyy.yyy.yyy[4500] (69 bytes)
Dec 14 13:17:29 ipfire charon: 15[NET] received packet: from 
yyy.yyy.yyy.yyy[4500] to xxx.xxx.xxx.xxx[4500] (69 bytes)
Dec 14 13:17:29 ipfire charon: 15[ENC] parsed INFORMATIONAL response 15 
[ D ]
Dec 14 13:17:29 ipfire charon: 15[IKE] received DELETE for ESP CHILD_SA 
with SPI ccc34f5a
Dec 14 13:17:29 ipfire charon: 15[IKE] CHILD_SA closed
Dec 14 13:17:29 ipfire vpn: client- C=US, ST=TX, O=MyOrg, OU=Engineering 
Dept, CN=remoteoffice.mycompany.com 192.168.0.0/24 == yyy.yyy.yyy.yyy -- 
xxx.xxx.xxx.xxx == 10.100.0.0/23
Dec 14 13:17:29 ipfire vpn: tunnel- yyy.yyy.yyy.yyy -- xxx.xxx.xxx.xxx
Dec 14 13:17:29 ipfire vpn: snat- red0-xxx.xxx.xxx.xxx : 192.168.0.0/24 
- 10.100.0.1

After issuing "ipsec down TunnelName":

Dec 14 13:27:23 ipfire charon: 11[CFG] received stroke: terminate 
'HudsonNew'
Dec 14 13:27:23 ipfire charon: 03[IKE] deleting IKE_SA HudsonNew[365] 
between xxx.xxx.xxx.xxx[C=US, ST=TX, O=MyOrg, OU=Engineering Dept, 
CN=headquarters.mycompany.com]...yyy.yyy.yyy.yyy[C=US, ST=TX, O=MyOrg, 
OU=Engineering Dept, CN=remoteoffice.mycompany.com]
Dec 14 13:27:23 ipfire charon: 03[IKE] deleting IKE_SA HudsonNew[365] 
between xxx.xxx.xxx.xxx[C=US, ST=TX, O=MyOrg, OU=Engineering Dept, 
CN=headquarters.mycompany.com]...yyy.yyy.yyy.yyy[C=US, ST=TX, O=MyOrg, 
OU=Engineering Dept, CN=remoteoffice.mycompany.com]
Dec 14 13:27:23 ipfire charon: 03[IKE] sending DELETE for IKE_SA 
HudsonNew[365]
Dec 14 13:27:23 ipfire charon: 03[ENC] generating INFORMATIONAL request 
17 [ D ]
Dec 14 13:27:23 ipfire charon: 03[NET] sending packet: from 
xxx.xxx.xxx.xxx[4500] to yyy.yyy.yyy.yyy[4500] (65 bytes)
Dec 14 13:27:23 ipfire charon: 10[NET] received packet: from 
yyy.yyy.yyy.yyy[4500] to xxx.xxx.xxx.xxx[4500] (57 bytes)
Dec 14 13:27:23 ipfire charon: 10[ENC] parsed INFORMATIONAL response 17 [ ]
Dec 14 13:27:23 ipfire charon: 10[IKE] IKE_SA deleted
Dec 14 13:27:23 ipfire charon: 10[IKE] IKE_SA deleted
Dec 14 13:27:23 ipfire charon: 10[CHD] updown: iptables: No 
chain/target/match by that name.
Dec 14 13:27:23 ipfire charon: 10[CHD] updown: iptables: Bad rule (does 
a matching rule exist in that chain?).
Dec 14 13:27:23 ipfire charon: 10[CHD] updown: iptables: Bad rule (does 
a matching rule exist in that chain?).
Dec 14 13:27:23 ipfire charon: 10[CHD] updown: iptables: No 
chain/target/match by that name.
Dec 14 13:27:23 ipfire charon: 10[CHD] updown: iptables: Bad rule (does 
a matching rule exist in that chain?).
Dec 14 13:27:23 ipfire vpn: client- C=US, ST=TX, O=MyOrg, OU=Engineering 
Dept, CN=remoteoffice.mycompany.com 192.168.0.0/24 == yyy.yyy.yyy.yyy -- 
xxx.xxx.xxx.xxx == 10.100.0.0/23
Dec 14 13:27:23 ipfire charon: 10[CHD] updown: iptables: Bad rule (does 
a matching rule exist in that chain?).
Dec 14 13:27:23 ipfire last message repeated 2 times
Dec 14 13:27:23 ipfire vpn: tunnel- yyy.yyy.yyy.yyy -- xxx.xxx.xxx.xxx
Dec 14 13:27:23 ipfire charon: 10[CHD] updown: iptables: No 
chain/target/match by that name.
Dec 14 13:27:23 ipfire vpn: snat- unknown-xxx.xxx.xxx.xxx : 
192.168.0.0/24 - 10.100.0.1
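A small log check that replays the charon lines from this post and flags the state described in it (a CHILD_SA still established while the updown script has already run its "down" branch). This is an added example written for this page, not code from strongSwan, IPFire or the original poster. It assumes that the `ipfire vpn: client-/tunnel-/snat-` lines are emitted by IPFire's updown script on a "down" event (the `-` suffix) when it removes its iptables rules; the `analyze` function and the regexes are the example's own, and the sample lines are copied from the log above with the same masked addresses.

```python
"""Hypothetical log check for the thread above: flag updown 'down' events
that fire while charon still has an established CHILD_SA for the same
connection. Written as an example for this page; it is not code from
strongSwan, IPFire or the original poster."""
import re
from collections import defaultdict

# Patterns matched against charon syslog lines as they appear in the post.
ESTABLISHED = re.compile(
    r"CHILD_SA (\w+)\{(\d+)\} established with SPIs ([0-9a-f]+)_i ([0-9a-f]+)_o")
CLOSING = re.compile(r"closing CHILD_SA (\w+)\{(\d+)\} with SPIs")
COLLISION = re.compile(r"detected CHILD_REKEY collision with (\w+)")
# Assumption: IPFire's updown script logs 'vpn: client-/tunnel-/snat-' on a
# 'down' event (the '-' suffix) when it removes its iptables rules.
UPDOWN_DOWN = re.compile(r"\bvpn: (client|tunnel|snat)-")
IPTABLES_ERR = re.compile(r"updown: iptables: (.+)$")


def analyze(lines):
    """Replay the lines in order and return a report dict.

    live tracks, per connection name, the CHILD_SA instance ids charon has
    reported as established and not yet closed. A 'down' event seen while a
    connection still has a live CHILD_SA is recorded in down_while_live.
    """
    live = defaultdict(dict)  # conn -> {child id: (spi_in, spi_out)}
    report = {"collisions": [], "down_while_live": [],
              "iptables_errors": [], "live": {}}
    for ln in lines:
        ln = ln.rstrip()
        m = ESTABLISHED.search(ln)
        if m:
            conn, cid = m.group(1), int(m.group(2))
            # Assignment is idempotent: charon logs each line twice here.
            live[conn][cid] = (m.group(3), m.group(4))
            continue
        m = CLOSING.search(ln)
        if m:
            # The rekeyed SA may have been established before our window
            # started, so a missing id is not an error.
            live[m.group(1)].pop(int(m.group(2)), None)
            continue
        m = COLLISION.search(ln)
        if m:
            report["collisions"].append(m.group(1))
            continue
        m = UPDOWN_DOWN.search(ln)
        if m:
            still_up = {c: sorted(ids) for c, ids in live.items() if ids}
            if still_up:
                report["down_while_live"].append((m.group(1), still_up))
            continue
        m = IPTABLES_ERR.search(ln)
        if m:
            report["iptables_errors"].append(m.group(1))
    report["live"] = {c: sorted(ids) for c, ids in live.items() if ids}
    return report


# Sample input: lines copied from the log in the post (addresses masked as there).
SAMPLE_LOG = [
    "Dec 14 13:17:28 ipfire charon: 05[IKE] CHILD_SA HudsonNew{10483} established with SPIs cc94730d_i c654401c_o and TS 10.100.0.0/23 === 192.168.0.0/24",
    "Dec 14 13:17:28 ipfire charon: 05[IKE] detected CHILD_REKEY collision with CHILD_REKEY",
    "Dec 14 13:17:28 ipfire charon: 12[IKE] CHILD_SA HudsonNew{10482} established with SPIs cc4f7fb7_i ccc34f5a_o and TS 10.100.0.0/23 === 192.168.0.0/24",
    "Dec 14 13:17:28 ipfire charon: 12[IKE] CHILD_SA rekey collision lost, deleting rekeyed child",
    "Dec 14 13:17:29 ipfire charon: 12[IKE] closing CHILD_SA HudsonNew{10482} with SPIs cc4f7fb7_i (120 bytes) ccc34f5a_o (145 bytes) and TS 10.100.0.0/23 === 192.168.0.0/24",
    "Dec 14 13:17:29 ipfire charon: 06[IKE] closing CHILD_SA HudsonNew{10381} with SPIs c68f239f_i (83067013 bytes) c46ba5ea_o (68814191 bytes) and TS 10.100.0.0/23 === 192.168.0.0/24",
    "Dec 14 13:17:29 ipfire charon: 06[IKE] detected CHILD_REKEY collision with CHILD_DELETE",
    "Dec 14 13:17:29 ipfire vpn: client- C=US, ST=TX, O=MyOrg, OU=Engineering Dept, CN=remoteoffice.mycompany.com 192.168.0.0/24 == yyy.yyy.yyy.yyy -- xxx.xxx.xxx.xxx == 10.100.0.0/23",
    "Dec 14 13:17:29 ipfire vpn: tunnel- yyy.yyy.yyy.yyy -- xxx.xxx.xxx.xxx",
    "Dec 14 13:17:29 ipfire vpn: snat- red0-xxx.xxx.xxx.xxx : 192.168.0.0/24 - 10.100.0.1",
    "Dec 14 13:27:23 ipfire charon: 10[CHD] updown: iptables: Bad rule (does a matching rule exist in that chain?).",
]

if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG)
    print("collisions:", rep["collisions"])
    print("CHILD_SAs still live at end:", rep["live"])
    for kind, up in rep["down_while_live"]:
        print(f"updown '{kind}-' ran while {up} still established")
    print("iptables errors on teardown:", len(rep["iptables_errors"]))
```

On the log above the check reports two collisions (CHILD_REKEY, then CHILD_DELETE), HudsonNew{10483} still established at the end, and all three "down" events (client-, tunnel-, snat-) firing while that SA is live. That is the combination consistent with what the post describes: charon's view is "up", the firewall rules for the connection are gone, and a later `ipsec down` finds nothing left to delete. Feeding a rolling window of syslog into `analyze` and alerting on a non-empty `down_while_live` is enough to catch the condition before users report it, independent of whether the root cause turns out to be in the updown script or elsewhere.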