[strongSwan] Windows StrongSwan cannot establish CHILD_SA due to CREATE_CHILD_SA kicking in on every outbound packet.

Jaehong Park jaehong.park at illumio.com
Tue Dec 15 02:43:48 CET 2015


Since nobody has answered me, I tested and here is what I found.

So I went back to version 5.2.1, and I see the tunnel is brought up without issue.

However, from 5.3.0 on, Windows StrongSwan with IKEv2 tunneling is failing.

Hope I can get some help here.

On Nov 28, 2015, at 9:16 AM, Jaehong Park <jaehong.park at illumio.com> wrote:

Hi.

I am trying to connect the StrongSwan Windows client to a Cisco ASA, and am facing the following two issues.
(On Linux, there is no such issue.)

1. CREATE_CHILD_SA kicks in right away after Windows StrongSwan finishes IKE negotiation.
2. On every single outbound packet attempt, strongswan schedules a CREATE_CHILD_SA instead of sending an ESP packet, after a CHILD_SA has been established once.

Because of these issues, I cannot send any outbound ESP packets.

Here is a snapshot of swanctl -l:

4.0.0.66-151-147-21.0: #2, ESTABLISHED, IKEv2, 06713a37598878a6:342ccff4d5739063
  local  'client1.test.io' @ 172.16.115.240
  remote 'C=US, O=Hxxx, CN=SGW' @ 66.151.147.21
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 49s ago, rekeying in 14310s, reauth in 82284s
  active:  CHILD_CREATE
  child_1: #6, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA1_96
    installed 48s ago, rekeying in 3264s, expires in 3916s
    in  ce117294,      0 bytes,     0 packets
    out be8f068b,      0 bytes,     0 packets
    local  172.16.115.240/32
    remote 192.168.10.0/24

And the key values of some configuration parameters (the rest are set to default):

Type: IKEv2
Mode : Tunnel
start_action: trap
vips: 0.0.0.0/0
remote_ts : 192.168.10.0/24
local_ts : dynamic.

And this is the capture of the relevant charon log:

2015-11-28T08:42:56 12[IKE] initiating IKE_SA 4.0.0.66.151.147.21.0[2] to 66.151.147.21
2015-11-28T08:42:56 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
2015-11-28T08:42:56 12[NET] sending packet: from 172.16.115.240[500] to 66.151.147.21[500] (320 bytes)
2015-11-28T08:42:56 08[NET] received packet: from 66.151.147.21[500] to 172.16.115.240[500] (44 bytes)
2015-11-28T08:42:56 08[ENC] parsed IKE_SA_INIT response 0 [ N(COOKIE) ]
2015-11-28T08:42:56 08[IKE] initiating IKE_SA 4.0.0.66.151.147.21.0[2] to 66.151.147.21
2015-11-28T08:42:56 08[ENC] generating IKE_SA_INIT request 0 [ N(COOKIE) SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
2015-11-28T08:42:56 08[NET] sending packet: from 172.16.115.240[500] to 66.151.147.21[500] (336 bytes)
2015-11-28T08:42:56 09[NET] received packet: from 66.151.147.21[500] to 172.16.115.240[500] (522 bytes)
2015-11-28T08:42:56 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ V ]
2015-11-28T08:42:56 09[IKE] local host is behind NAT, sending keep alives
2015-11-28T08:42:56 09[IKE] received cert request for "C=US, O=Ixx, CN=CiscoASA"
2015-11-28T08:42:56 09[IKE] received 2 cert requests for an unknown ca
2015-11-28T08:42:56 09[IKE] sending cert request for "C=US, O=Ixx, CN=CiscoASA"
2015-11-28T08:42:56 09[IKE] authentication of 'client1.test.io' (myself) with RSA signature successful
2015-11-28T08:42:56 09[IKE] sending end entity cert "C=US, O=Hxx, CN=CLIENT1"
2015-11-28T08:42:56 09[IKE] establishing CHILD_SA child_a25_a26
2015-11-28T08:42:56 09[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) ]
2015-11-28T08:42:56 09[NET] sending packet: from 172.16.115.240[4500] to 66.151.147.21[4500] (988 bytes)
2015-11-28T08:42:56 13[NET] received packet: from 66.151.147.21[4500] to 172.16.115.240[4500] (940 bytes)
2015-11-28T08:42:56 13[ENC] parsed IKE_AUTH response 1 [ V IDr CERT AUTH SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
2015-11-28T08:42:56 13[IKE] received end entity cert "C=US, O=Hxx, CN=SGW"
2015-11-28T08:42:56 13[CFG]   using certificate "C=US, O=Hxx, CN=SGW"
2015-11-28T08:42:56 13[CFG]   using trusted ca certificate "C=US, O=Ixx, CN=CiscoASA"
2015-11-28T08:42:56 13[CFG]   reached self-signed root ca with a path length of 0
2015-11-28T08:42:56 13[IKE] authentication of 'C=US, O=Hxx, CN=SGW' with RSA signature successful
2015-11-28T08:42:56 13[IKE] IKE_SA 4.0.0.66.151.147.21.0[2] established between 172.16.115.240[client1.test.io]...66.151.147.21[C=US, O=Hxx, CN=SGW]
2015-11-28T08:42:56 13[IKE] scheduling rekeying in 14359s
2015-11-28T08:42:56 13[IKE] scheduling reauthentication in 82333s
2015-11-28T08:42:56 13[IKE] maximum IKE_SA lifetime 22999s
2015-11-28T08:42:56 13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
2015-11-28T08:42:56 13[KNL] setting WFP SA SPI failed: 0x80320035
2015-11-28T08:42:56 13[IKE] unable to install IPsec policies (SPD) in kernel
2015-11-28T08:42:56 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
2015-11-28T08:42:56 13[IKE] sending DELETE for ESP CHILD_SA with SPI cef5a6bf
2015-11-28T08:42:56 13[ENC] generating INFORMATIONAL request 2 [ D ]
2015-11-28T08:42:56 13[NET] sending packet: from 172.16.115.240[4500] to 66.151.147.21[4500] (76 bytes)
2015-11-28T08:42:57 16[NET] received packet: from 66.151.147.21[4500] to 172.16.115.240[4500] (76 bytes)
2015-11-28T08:42:57 16[ENC] parsed INFORMATIONAL response 2 [ D ]
2015-11-28T08:42:57 17[KNL] creating acquire job for policy 172.16.115.240/32[icmp/8] === 192.168.10.2/32[icmp/0] with reqid {1}
2015-11-28T08:42:57 14[IKE] establishing CHILD_SA child_a25_a26{1}
2015-11-28T08:42:57 14[ENC] generating CREATE_CHILD_SA request 3 [ SA No TSi TSr ]
2015-11-28T08:42:57 14[NET] sending packet: from 172.16.115.240[4500] to 66.151.147.21[4500] (236 bytes)
2015-11-28T08:42:58 17[KNL] creating acquire job for policy 172.16.115.240/32[icmp/8] === 192.168.10.2/32[icmp/0] with reqid {1}
2015-11-28T08:42:58 06[CFG] ignoring acquire, connection attempt pending
2015-11-28T08:42:59 17[KNL] creating acquire job for policy 172.16.115.240/32[icmp/8] === 192.168.10.2/32[icmp/0] with reqid {1}
2015-11-28T08:42:59 08[CFG] ignoring acquire, connection attempt pending
2015-11-28T08:43:00 17[KNL] creating acquire job for policy 172.16.115.240/32[icmp/8] === 192.168.10.2/32[icmp/0] with reqid {1}
2015-11-28T08:43:00 12[CFG] ignoring acquire, connection attempt pending
2015-11-28T08:43:01 09[IKE] retransmit 1 of request with message ID 3
2015-11-28T08:43:01 09[NET] sending packet: from 172.16.115.240[4500] to 66.151.147.21[4500] (236 bytes)
2015-11-28T08:43:01 17[KNL] creating acquire job for policy 172.16.115.240/32[icmp/8] === 192.168.10.2/32[icmp/0] with reqid {1}
2015-11-28T08:43:01 05[CFG] ignoring acquire, connection attempt pending
2015-11-28T08:43:01 10[NET] received packet: from 66.151.147.21[4500] to 172.16.115.240[4500] (236 bytes)
2015-11-28T08:43:01 10[ENC] parsed CREATE_CHILD_SA response 3 [ SA No TSi TSr ]
2015-11-28T08:43:01 10[IKE] CHILD_SA child_a25_a26{6} established with SPIs ce117294_i be8f068b_o and TS 172.16.115.240/32 === 192.168.10.0/24
2015-11-28T08:43:02 17[KNL] creating acquire job for policy 172.16.115.240/32[icmp/8] === 192.168.10.2/32[icmp/0] with reqid {1}
2015-11-28T08:43:02 13[IKE] establishing CHILD_SA child_a25_a26{1}
2015-11-28T08:43:02 13[ENC] generating CREATE_CHILD_SA request 4 [ SA No TSi TSr ]
2015-11-28T08:43:02 13[NET] sending packet: from 172.16.115.240[4500] to 66.151.147.21[4500] (236 bytes)
2015-11-28T08:43:03 17[KNL] creating acquire job for policy 172.16.115.240/32[icmp/8] === 192.168.10.2/32[icmp/0] with reqid {1}
2015-11-28T08:43:03 14[CFG] ignoring acquire, connection attempt pending
2015-11-28T08:43:04 17[KNL] creating acquire job for policy 172.16.115.240/32[icmp/8] === 192.168.10.2/32[icmp/0] with reqid {1}
2015-11-28T08:43:04 12[CFG] ignoring acquire, connection attempt pending
2015-11-28T08:43:06 10[IKE] retransmit 1 of request with message ID 4
2015-11-28T08:43:06 10[NET] sending packet: from 172.16.115.240[4500] to 66.151.147.21[4500] (236 bytes)
2015-11-28T08:43:13 13[IKE] retransmit 2 of request with message ID 4
2015-11-28T08:43:13 13[NET] sending packet: from 172.16.115.240[4500] to 66.151.147.21[4500] (236 bytes)
2015-11-28T08:43:26 12[IKE] retransmit 3 of request with message ID 4
2015-11-28T08:43:26 12[NET] sending packet: from 172.16.115.240[4500] to 66.151.147.21[4500] (236 bytes)
2015-11-28T08:43:46 08[IKE] sending keep alive to 66.151.147.21[4500]
2015-11-28T08:43:50 16[IKE] retransmit 4 of request with message ID 4
2015-11-28T08:43:50 16[NET] sending packet: from 172.16.115.240[4500] to 66.151.147.21[4500] (236 bytes)
2015-11-28T08:43:52 17[KNL] creating acquire job for policy 172.16.115.240/32[icmp/8] === 192.168.10.2/32[icmp/0] with reqid {1}
2015-11-28T08:43:52 14[CFG] ignoring acquire, connection attempt pending
2015-11-28T08:43:53 17[KNL] creating acquire job for policy 172.16.115.240/32[icmp/8] === 192.168.10.2/32[icmp/0] with reqid {1}
2015-11-28T08:43:53 12[CFG] ignoring acquire, connection attempt pending
2015-11-28T08:43:54 17[KNL] creating acquire job for policy 172.16.115.240/32[icmp/8] === 192.168.10.2/32[icmp/0] with reqid {1}
2015-11-28T08:43:54 10[CFG] ignoring acquire, connection attempt pending
2015-11-28T08:44:10 16[IKE] sending keep alive to 66.151.147.21[4500]
2015-11-28T08:44:30 14[IKE] sending keep alive to 66.151.147.21[4500]
2015-11-28T08:44:32 12[IKE] retransmit 5 of request with message ID 4
2015-11-28T08:44:32 12[NET] sending packet: from 172.16.115.240[4500] to 66.151.147.21[4500] (236 bytes)
2015-11-28T08:44:52 10[IKE] sending keep alive to 66.151.147.21[4500]
2015-11-28T08:45:12 11[IKE] sending keep alive to 66.151.147.21[4500]
2015-11-28T08:45:32 06[IKE] sending keep alive to 66.151.147.21[4500]
2015-11-28T08:45:47 15[IKE] giving up after 5 retransmits
_______________________________________________
Users mailing list
Users at lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
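The charon log quoted in the post contains the whole failure sequence, but it is spread over a hundred lines and several worker threads. As an added example (not code from the original post or from the strongSwan project), the following Python script walks such a log and reduces it to the facts a practitioner wants first: which IKE exchanges (by message ID) were answered and how often each was retransmitted, which kernel (KNL) operations failed, how many acquires the kernel raised and how many charon dropped because a CREATE_CHILD_SA was already pending, and which CHILD_SAs actually came up. The embedded sample log is a constructed subset of the lines quoted above; the log format it parses is the `TIMESTAMP THREAD[SUBSYSTEM] message` layout shown in the post, and the summary/finding structure is the script's own design, not a strongSwan API.

```python
import re

# Constructed sample: a subset of the charon log lines quoted in the post above.
SAMPLE_LOG = """\
2015-11-28T08:42:56 13[KNL] setting WFP SA SPI failed: 0x80320035
2015-11-28T08:42:56 13[IKE] unable to install IPsec policies (SPD) in kernel
2015-11-28T08:42:56 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
2015-11-28T08:42:56 13[IKE] sending DELETE for ESP CHILD_SA with SPI cef5a6bf
2015-11-28T08:42:56 13[ENC] generating INFORMATIONAL request 2 [ D ]
2015-11-28T08:42:57 16[ENC] parsed INFORMATIONAL response 2 [ D ]
2015-11-28T08:42:57 17[KNL] creating acquire job for policy 172.16.115.240/32[icmp/8] === 192.168.10.2/32[icmp/0] with reqid {1}
2015-11-28T08:42:57 14[ENC] generating CREATE_CHILD_SA request 3 [ SA No TSi TSr ]
2015-11-28T08:42:58 17[KNL] creating acquire job for policy 172.16.115.240/32[icmp/8] === 192.168.10.2/32[icmp/0] with reqid {1}
2015-11-28T08:42:58 06[CFG] ignoring acquire, connection attempt pending
2015-11-28T08:43:01 09[IKE] retransmit 1 of request with message ID 3
2015-11-28T08:43:01 10[ENC] parsed CREATE_CHILD_SA response 3 [ SA No TSi TSr ]
2015-11-28T08:43:01 10[IKE] CHILD_SA child_a25_a26{6} established with SPIs ce117294_i be8f068b_o and TS 172.16.115.240/32 === 192.168.10.0/24
2015-11-28T08:43:02 17[KNL] creating acquire job for policy 172.16.115.240/32[icmp/8] === 192.168.10.2/32[icmp/0] with reqid {1}
2015-11-28T08:43:02 13[ENC] generating CREATE_CHILD_SA request 4 [ SA No TSi TSr ]
2015-11-28T08:43:06 10[IKE] retransmit 1 of request with message ID 4
2015-11-28T08:43:13 13[IKE] retransmit 2 of request with message ID 4
2015-11-28T08:43:26 12[IKE] retransmit 3 of request with message ID 4
2015-11-28T08:43:50 16[IKE] retransmit 4 of request with message ID 4
2015-11-28T08:44:32 12[IKE] retransmit 5 of request with message ID 4
2015-11-28T08:45:47 15[IKE] giving up after 5 retransmits
"""

# One charon line: "<timestamp> <thread>[<subsystem>] <message>"
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<thread>\d+)\[(?P<sub>\w+)\] (?P<msg>.*)$')
REQ_RE = re.compile(r'generating (?P<xchg>\w+) request (?P<mid>\d+)')
RESP_RE = re.compile(r'parsed (?P<xchg>\w+) response (?P<mid>\d+)')
RETX_RE = re.compile(r'retransmit (?P<n>\d+) of request with message ID (?P<mid>\d+)')
CHILD_UP_RE = re.compile(
    r'CHILD_SA (?P<name>\S+) established with SPIs (?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o')


def triage(log_text):
    """Summarise a charon log: per-message-ID exchange state, KNL failures, acquires, CHILD_SAs."""
    exchanges = {}  # message ID -> {'type', 'sent', 'retransmits', 'answered', 'response_at'}
    summary = {'exchanges': exchanges, 'kernel_errors': [], 'acquires': 0,
               'ignored_acquires': 0, 'child_sas': [], 'gave_up': False}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a charon line (blank, wrapped, or foreign)
        ts, sub, msg = m.group('ts'), m.group('sub'), m.group('msg')
        req, resp, retx, up = (REQ_RE.search(msg), RESP_RE.search(msg),
                               RETX_RE.search(msg), CHILD_UP_RE.search(msg))
        if req:
            exchanges[int(req['mid'])] = {'type': req['xchg'], 'sent': ts, 'retransmits': 0,
                                          'answered': False, 'response_at': None}
        elif resp:
            ex = exchanges.setdefault(int(resp['mid']), {'type': resp['xchg'], 'sent': None,
                                                         'retransmits': 0, 'answered': False,
                                                         'response_at': None})
            ex['answered'], ex['response_at'] = True, ts
        elif retx:
            ex = exchanges.get(int(retx['mid']))
            if ex:
                ex['retransmits'] = max(ex['retransmits'], int(retx['n']))
        elif sub == 'KNL' and 'failed' in msg:
            summary['kernel_errors'].append(msg)  # e.g. the WFP SA SPI install error
        elif 'creating acquire job' in msg:
            summary['acquires'] += 1
        elif 'ignoring acquire' in msg:
            summary['ignored_acquires'] += 1
        elif up:
            summary['child_sas'].append((up['name'], up['spi_in'], up['spi_out']))
        elif msg.startswith('giving up after'):
            summary['gave_up'] = True
    return summary


def findings(summary):
    """Render the summary as the short list of things to look at first."""
    out = []
    for err in summary['kernel_errors']:
        out.append('kernel install error: ' + err)
    for mid, ex in sorted(summary['exchanges'].items()):
        if not ex['answered']:
            out.append('%s request %d unanswered after %d retransmits'
                       % (ex['type'], mid, ex['retransmits']))
    if summary['ignored_acquires']:
        out.append('%d of %d acquires dropped while a connection attempt was pending'
                   % (summary['ignored_acquires'], summary['acquires']))
    if summary['gave_up']:
        out.append('charon gave up retransmitting an exchange')
    return out


if __name__ == '__main__':
    for line in findings(triage(SAMPLE_LOG)):
        print(line)
```

Run against the sample, the script separates the two distinct problems in the post: the first CHILD_SA from IKE_AUTH was deleted because the kernel (WFP) rejected the SA install, and the CREATE_CHILD_SA with message ID 3 that the acquire then triggered did succeed, while the one with message ID 4 never got a response and was retransmitted until charon gave up. To use it on a real log, pass the file contents to `triage()` instead of `SAMPLE_LOG`; lines that do not match the charon layout are skipped rather than breaking the parse.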
