[strongSwan] Charon is creating CHILD_SA even after a connection is deleted.
divya mohan
m.divya.mohan at zoho.com
Sun Jul 26 12:30:30 CEST 2015
Hi,
My ipsec.conf has multiple connections (around 100), I'm listing only
the relevant ones here.
I'm deleting a particular connection (PROTECT-BTSSM2~MPLANE2) and I
can see from the logs that this connection is deleted, terminated,
unrouted and the kernel policies are being removed (at 14:03:45).
Still, a CHILD_SA is successfully established with this connection (at 14:03:46).
This is unexpected behavior; deletion of a connection should cause
associated SAs to be removed, and no new SA should be further
established.
Could you please let me know if any parameter in ipsec.conf could be
tuned to prevent this?
Conf:
conn %default
    auto=route
    keyexchange=ikev2
    reauth=no

conn PROTECT-BTSSM2~MPLANE2
    rekeymargin=8640
    rekeyfuzz=100%
    left=10.10.40.1
    right=10.10.40.4
    leftsubnet=10.10.40.1/32
    rightsubnet=0.0.0.0/0
    leftprotoport=6/12000
    rightprotoport=6
    authby=rsasig
    leftcert="/etc/ipsec/certs/ipsec.d//certs/defaultCertificate.pem"
    leftid=%fromcert
    rightid=%any
    ike=aes128-sha1-modp1024!
    esp=aes128-sha1!
    type=tunnel
    ikelifetime=86400s
    keylife=86400s
    dpdaction=restart
    dpddelay=120
    mobike=no
    auto=route
    reauth=no
    encapdscp=yes
Log:
Jul 26 14:03:45.298562 info FCPU-0 charon: 10[CFG] received stroke: delete connection 'PROTECT-BTSSM2~MPLANE2'
Jul 26 14:03:45.298562 info FCPU-0 charon: 10[CFG] connection 'PROTECT-BTSSM2~MPLANE2' not found
Jul 26 14:03:45.298775 info FCPU-0 charon: 09[CFG] received stroke: terminate 'PROTECT-BTSSM2~MPLANE2{*}'
Jul 26 14:03:45.298913 info FCPU-0 charon: 09[CFG] no CHILD_SA named 'PROTECT-BTSSM2~MPLANE2' found
Jul 26 14:03:45.299097 info FCPU-0 charon: 15[CFG] received stroke: unroute 'PROTECT-BTSSM2~MPLANE2'
Jul 26 14:03:45.301183 info FCPU-0 charon: 15[KNL] deleting policy 10.10.40.1/32[tcp/12000] === 0.0.0.0/0[tcp] out
Jul 26 14:03:45.304423 info FCPU-0 charon: 15[KNL] deleting policy 0.0.0.0/0[tcp] === 10.10.40.1/32[tcp/12000] in
Jul 26 14:03:45.717999 info FCPU-0 charon: 14[CFG] looking for a child config for 0.0.0.0/0[tcp] === 10.10.40.4/32[tcp/https]
Jul 26 14:03:46.655710 info FCPU-0 charon: 14[CFG] found matching child config "PROTECT-BTSSM2~MPLANE2" with prio 2
Jul 26 14:03:46.655710 info FCPU-0 charon: 14[CFG] selecting proposal:
Jul 26 14:03:46.655899 info FCPU-0 charon: 14[CFG] proposal matches
Jul 26 14:03:46.655899 info FCPU-0 charon: 14[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Jul 26 14:03:46.656054 info FCPU-0 charon: 14[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Jul 26 14:03:46.656213 info FCPU-0 charon: 14[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Jul 26 14:03:46.656213 info FCPU-0 charon: 14[KNL] getting SPI for reqid {162}
Jul 26 14:03:46.656372 info FCPU-0 charon: 14[KNL] got SPI c9483795 for reqid {162}
Jul 26 14:03:46.656538 info FCPU-0 charon: 14[CFG] selecting traffic selectors for us:
Jul 26 14:03:46.660156 info FCPU-0 charon: 14[CFG] config: 10.10.40.1/32[tcp/12000], received: 0.0.0.0/0[tcp] => match: 10.10.40.1/32[tcp/12000]
Jul 26 14:03:46.662218 info FCPU-0 charon: 14[CFG] selecting traffic selectors for other:
Jul 26 14:03:46.663843 info FCPU-0 charon: 14[CFG] config: 0.0.0.0/0[tcp], received: 10.10.40.4/32[tcp/https] => match: 10.10.40.4/32[tcp/https]
Jul 26 14:03:46.665173 info FCPU-0 charon: 14[KNL] adding SAD entry with SPI c9483795 and reqid {162}
Jul 26 14:03:46.665414 info FCPU-0 charon: 14[KNL] using encryption algorithm AES_CBC with key size 128
Jul 26 14:03:46.665414 info FCPU-0 charon: 14[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Jul 26 14:03:46.665850 info FCPU-0 charon: 14[KNL] adding SAD entry with SPI c7f99feb and reqid {162}
Jul 26 14:03:46.665850 info FCPU-0 charon: 14[KNL] using encryption algorithm AES_CBC with key size 128
Jul 26 14:03:46.665850 info FCPU-0 charon: 14[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Jul 26 14:03:46.668522 info FCPU-0 charon: 14[KNL] adding policy 10.10.40.1/32[tcp/12000] === 10.10.40.4/32[tcp/https] out
Jul 26 14:03:46.672690 info FCPU-0 charon: 14[KNL] adding policy 10.10.40.4/32[tcp/https] === 10.10.40.1/32[tcp/12000] in
Jul 26 14:03:46.676765 info FCPU-0 charon: 14[IKE] CHILD_SA PROTECT-BTSSM2~MPLANE2{162} established with SPIs c9483795_i c7f99feb_o and TS 10.10.40.1/32[tcp/12000] === 10.10.40.4/32[tcp/https]
- Divya
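As an added detection check (not part of the post and not strongSwan's own code), the script below reads charon log lines and flags any CHILD_SA that comes up for a connection name after a stroke delete of that same name, which is exactly the sequence reported above. The sample lines are constructed from the quoted log, unwrapped to one line per event; the second connection name (PROTECT-OTHER) and its SPIs are invented to show a non-flagged case.

```python
import re
from datetime import datetime

# Constructed sample modelled on the charon output quoted in the post, unwrapped to one
# line per event; the last line is an invented unrelated connection that must not be flagged.
SAMPLE_LOG = """\
Jul 26 14:03:45.298562 info FCPU-0 charon: 10[CFG] received stroke: delete connection 'PROTECT-BTSSM2~MPLANE2'
Jul 26 14:03:45.298775 info FCPU-0 charon: 09[CFG] received stroke: terminate 'PROTECT-BTSSM2~MPLANE2{*}'
Jul 26 14:03:45.299097 info FCPU-0 charon: 15[CFG] received stroke: unroute 'PROTECT-BTSSM2~MPLANE2'
Jul 26 14:03:46.676765 info FCPU-0 charon: 14[IKE] CHILD_SA PROTECT-BTSSM2~MPLANE2{162} established with SPIs c9483795_i c7f99feb_o and TS 10.10.40.1/32[tcp/12000] === 10.10.40.4/32[tcp/https]
Jul 26 14:03:50.100000 info FCPU-0 charon: 12[IKE] CHILD_SA PROTECT-OTHER{7} established with SPIs 0a0b0c0d_i 0e0f1011_o and TS 10.10.40.1/32 === 10.10.40.9/32
"""

# "<timestamp> <level> <host> charon: <thread>[<group>] <message>"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{6}) \S+ \S+ charon: "
                     r"\d+\[[A-Z]+\] (?P<msg>.*)$")
DELETE_RE = re.compile(r"received stroke: delete connection '(?P<conn>[^']+)'")
ESTAB_RE = re.compile(r"CHILD_SA (?P<conn>.+?)\{(?P<cid>\d+)\} established with SPIs "
                      r"(?P<spi_i>[0-9a-f]+)_i (?P<spi_o>[0-9a-f]+)_o")


def find_child_sas_after_delete(log_text):
    """Return CHILD_SAs established for a connection *after* a stroke delete of that name."""
    deleted_at = {}   # connection name -> time of the delete
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # wrapped or unrelated line
        # syslog-style stamps carry no year; ordering within one capture is all that matters
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S.%f")
        msg = m.group("msg")
        d = DELETE_RE.search(msg)
        if d:
            deleted_at[d.group("conn")] = ts
            continue
        e = ESTAB_RE.search(msg)
        if e and e.group("conn") in deleted_at:
            findings.append({
                "conn": e.group("conn"),
                "child_id": int(e.group("cid")),
                "spi_in": e.group("spi_i"),
                "spi_out": e.group("spi_o"),
                "secs_after_delete": (ts - deleted_at[e.group("conn")]).total_seconds(),
            })
    return findings
```

Run it over a charon log captured with one event per line (the mail archive wraps long lines, so rejoin those first); each finding names the connection, its CHILD_SA id and SPIs, and how long after the delete it was established.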