[strongSwan] XfrmInNoStates error for dpd packets without 'forceencaps=yes'

divya mohan m.divya.mohan at zoho.com
Fri Jan 23 07:19:00 CET 2015


Hi,

I have a simple setup like this:
 NodeA (eth3) === (eth3) NodeB

The nodes are connected by a single cable, there are no firewalls in between.
Also, there are no additional rules in the iptables on both ends.

Both nodes are using strongswan for configuring IKEv2.
Kernel version is 2.6.34.15-WR4.3; with CONFIG_AUDITSYSCALL=y and
CONFIG_XFRM_STATISTICS=y.

NodeB had dpd configured.
Now when I keep the tunnel idle after establishing CHILD_SAs, dpd
packets are sent to NodeA every 20s (dpddelay).
For each dpd packet (i.e., for each dpd request on NodeA and for each
dpd reply on NodeB), the counter XfrmInNoStates of /proc/net/xfrm_stat
gets incremented by one.

Also, I can see an audit log like below; the seqno and spi in the logs
are some random numbers.
 audispd: node=CLA-0 type=MAC_IPSEC_EVENT
msg=audit(1420011883.700:1106): op=SA-notfound src=20.0.0.2
dst=20.0.0.1 spi=3499933978(0xd09cc11a) seqno=3864278224

Apart from this, there is no functionality issue observed. IPSec is
working fine.

I have verified with tcpdump that, at the time of audit log appearing,
only dpd packets are flowing.

Later, I tried adding the option "forceencaps=yes" on the conf files
of both ends, and this issue disappears.
But since there is no NAT situation in my setup, I do not want to
force UDP encapsulation for ESP packets, and this would be unnecessary
performance overhead.

Any thoughts on what could be causing this?


Configuration of NodeA:
========================
config setup
        charonstart=yes
        plutostart=no
        uniqueids=no
        charondebug="knl 0,enc 0,net 0"
conn %default
        auto=route
        keyexchange=ikev2
        reauth=no
conn r1~v1
        rekeymargin=30
        rekeyfuzz=100%
        left=20.0.0.1
        right=20.0.0.2
        leftsubnet=20.0.0.0/24
        rightsubnet=20.0.0.0/24
        leftprotoport=1
        rightprotoport=1
        authby=secret
        leftid=20.0.0.1
        rightid=%any
        ike=3des-sha1-modp768!
        esp=3des-md5!
        type=tunnel
        ikelifetime=600s
        keylife=300s
        mobike=no
        auto=route
        reauth=no


Configuration of NodeB:
=======================
config setup
        charonstart=yes
        plutostart=no
        uniqueids=no
        charondebug="knl 0,enc 0,net 0"
conn %default
        auto=route
        keyexchange=ikev2
        reauth=no
conn r1~v1
        rekeymargin=30
        rekeyfuzz=100%
        left=20.0.0.2
        right=20.0.0.1
        leftsubnet=20.0.0.0/24
        rightsubnet=20.0.0.0/24
        leftprotoport=1
        rightprotoport=1
        authby=secret
        leftid=20.0.0.2
        rightid=%any
        ike=3des-sha1-modp768!
        esp=3des-md5!
        type=tunnel
        ikelifetime=600s
        keylife=300s
        dpdaction=clear
        dpddelay=20
        mobike=no
        auto=route
        reauth=no


- Divya
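As an added example (not part of the original post or of strongSwan), the following script shows how a defender can verify the symptom the poster describes: it diffs two /proc/net/xfrm_stat snapshots and parses MAC_IPSEC_EVENT audit records of the format quoted above, so the XfrmInNoStates delta can be checked against the number of SA-notfound events and grouped per src/dst pair. The snapshot text and the audit lines are constructed samples (the audit record reuses the values from the post, joined onto one line as auditd writes it); the function names are this example's own.

```python
"""Correlate XfrmInNoStates increments with audit SA-notfound records.

Added example, not code from the original post. Inputs below are
constructed samples: /proc/net/xfrm_stat is "Name<whitespace>value"
per line, and the audit record follows the layout quoted in the post.
"""
import re
from collections import Counter

# One MAC_IPSEC_EVENT record; spi appears both decimal and as 0x hex.
AUDIT_RE = re.compile(
    r"type=MAC_IPSEC_EVENT\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+"
    r"op=(?P<op>[\w-]+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"spi=(?P<spi>\d+)\(0x(?P<spi_hex>[0-9a-fA-F]+)\)\s+seqno=(?P<seqno>\d+)"
)


def parse_xfrm_stat(text):
    """Parse a /proc/net/xfrm_stat snapshot into {counter_name: int}."""
    stats = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            stats[parts[0]] = int(parts[1])
    return stats


def counter_delta(before, after, name="XfrmInNoStates"):
    """Increment of one counter between two snapshots (0 if absent)."""
    return after.get(name, 0) - before.get(name, 0)


def parse_audit_line(line):
    """Return a dict for a MAC_IPSEC_EVENT record, or None if no match.

    Also checks that the decimal and hex SPI agree, which catches a
    truncated or wrapped log line before it is counted.
    """
    m = AUDIT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["serial"] = int(rec["serial"])
    rec["spi"] = int(rec["spi"])
    rec["seqno"] = int(rec["seqno"])
    rec["spi_consistent"] = int(rec["spi_hex"], 16) == rec["spi"]
    return rec


def sa_notfound_events(lines):
    """Keep only well-formed records whose op is SA-notfound."""
    events = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec and rec["op"] == "SA-notfound" and rec["spi_consistent"]:
            events.append(rec)
    return events


def correlate(before_text, after_text, audit_lines):
    """Compare the counter increment with the audit record count.

    'consistent' is True when every XfrmInNoStates increment has a
    matching SA-notfound record, which is the situation the post describes.
    """
    delta = counter_delta(parse_xfrm_stat(before_text), parse_xfrm_stat(after_text))
    events = sa_notfound_events(audit_lines)
    return {
        "delta": delta,
        "events": len(events),
        "consistent": delta == len(events),
        "by_flow": Counter((e["src"], e["dst"]) for e in events),
    }


# Constructed sample snapshots: three XfrmInNoStates increments between them.
XFRM_STAT_BEFORE = "XfrmInError\t0\nXfrmInBufferError\t0\nXfrmInNoStates\t5\nXfrmInStateProtoError\t0\n"
XFRM_STAT_AFTER = "XfrmInError\t0\nXfrmInBufferError\t0\nXfrmInNoStates\t8\nXfrmInStateProtoError\t0\n"

# Constructed audit lines; the first reuses the record quoted in the post.
AUDIT_LINES = [
    "audispd: node=CLA-0 type=MAC_IPSEC_EVENT msg=audit(1420011883.700:1106): "
    "op=SA-notfound src=20.0.0.2 dst=20.0.0.1 spi=3499933978(0xd09cc11a) seqno=3864278224",
    "audispd: node=CLA-0 type=MAC_IPSEC_EVENT msg=audit(1420011903.701:1107): "
    "op=SA-notfound src=20.0.0.2 dst=20.0.0.1 spi=1(0x1) seqno=7",
    "audispd: node=CLA-0 type=MAC_IPSEC_EVENT msg=audit(1420011923.702:1108): "
    "op=SA-notfound src=20.0.0.2 dst=20.0.0.1 spi=255(0xff) seqno=9",
    "audispd: node=CLA-0 type=DAEMON_START msg=audit(1420011000.000:1): op=start",
]

if __name__ == "__main__":
    print(correlate(XFRM_STAT_BEFORE, XFRM_STAT_AFTER, AUDIT_LINES))
```

In practice the two snapshots would be read from /proc/net/xfrm_stat before and after an idle interval of a few dpddelay periods, and the audit lines taken from the audit log for the same window; a delta equal to the SA-notfound count, all attributed to the peer's address, is the pattern the post reports.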

