[strongSwan] unable to install policy 192.168.0.0/16 === 10.176.0.0/13 in (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists

Tormod Macleod TMacleod at paywizard.com
Sat Mar 7 22:52:38 CET 2015


Hello,
 
I'm getting the above error when rekeying. I think it might be related to issue #431? I've tried the workaround of setting reauth=no but this did not resolve the issue. I have only started running into this since we started using more than one subnet on the left side of the connection.
 
If no traffic goes between 10.130.0.0/16 === 192.168.0.0/16 and that tunnel is never brought up the other tunnel will remain up and rekey without any problem. However, as soon as traffic goes between 10.130.0.0/16 === 192.168.0.0/16 the next rekey fails and both tunnels are brought down. If I wait a few seconds and then send traffic from the right the tunnel(s) will come back up but traffic from the left never re-establishes either tunnel. Here's the log
 
 
Mar  4 16:57:18 ip-10-180-0-12 charon: 14[NET] sending packet: from 10.180.0.12[4500] to 2.2.2.2[4500] (76 bytes)
Mar  4 16:57:37 ip-10-180-0-12 charon: 12[IKE] sending keep alive to 2.2.2.2[4500]
Mar  4 16:57:38 ip-10-180-0-12 charon: 09[NET] received packet: from 2.2.2.2[4500] to 10.180.0.12[4500] (76 bytes)
Mar  4 16:57:38 ip-10-180-0-12 charon: 09[ENC] parsed INFORMATIONAL request 172 [ ]
Mar  4 16:57:38 ip-10-180-0-12 charon: 09[ENC] generating INFORMATIONAL response 172 [ ]
Mar  4 16:57:38 ip-10-180-0-12 charon: 09[NET] sending packet: from 10.180.0.12[4500] to 2.2.2.2[4500] (76 bytes)
Mar  4 16:57:57 ip-10-180-0-12 charon: 02[IKE] sending keep alive to 2.2.2.2[4500]
Mar  4 16:57:58 ip-10-180-0-12 charon: 10[NET] received packet: from 2.2.2.2[4500] to 10.180.0.12[4500] (76 bytes)
Mar  4 16:57:58 ip-10-180-0-12 charon: 10[ENC] parsed INFORMATIONAL request 173 [ ]
Mar  4 16:57:58 ip-10-180-0-12 charon: 10[ENC] generating INFORMATIONAL response 173 [ ]
Mar  4 16:57:58 ip-10-180-0-12 charon: 10[NET] sending packet: from 10.180.0.12[4500] to 2.2.2.2[4500] (76 bytes)
Mar  4 16:58:14 ip-10-180-0-12 charon: 16[KNL] creating rekey job for ESP CHILD_SA with SPI 0a7d4641 and reqid {2}
Mar  4 16:58:14 ip-10-180-0-12 charon: 16[IKE] establishing CHILD_SA Iona-VPN-FW{2}
Mar  4 16:58:14 ip-10-180-0-12 charon: 16[ENC] generating CREATE_CHILD_SA request 2 [ N(REKEY_SA) SA No TSi TSr ]
Mar  4 16:58:14 ip-10-180-0-12 charon: 16[NET] sending packet: from 10.180.0.12[4500] to 2.2.2.2[4500] (332 bytes)
Mar  4 16:58:14 ip-10-180-0-12 charon: 09[NET] received packet: from 2.2.2.2[4500] to 10.180.0.12[4500] (236 bytes)
Mar  4 16:58:14 ip-10-180-0-12 charon: 09[ENC] parsed CREATE_CHILD_SA response 2 [ SA No TSi TSr ]
Mar  4 16:58:14 ip-10-180-0-12 charon: 09[CFG] unable to install policy 10.176.0.0/13 === 192.168.0.0/16 out (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists
Mar  4 16:58:14 ip-10-180-0-12 charon: 09[CFG] unable to install policy 192.168.0.0/16 === 10.176.0.0/13 in (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists
Mar  4 16:58:14 ip-10-180-0-12 charon: 09[CFG] unable to install policy 192.168.0.0/16 === 10.176.0.0/13 fwd (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists
Mar  4 16:58:14 ip-10-180-0-12 charon: 09[CFG] unable to install policy 10.176.0.0/13 === 192.168.0.0/16 out (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists
Mar  4 16:58:14 ip-10-180-0-12 charon: 09[CFG] unable to install policy 192.168.0.0/16 === 10.176.0.0/13 in (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists
Mar  4 16:58:14 ip-10-180-0-12 charon: 09[CFG] unable to install policy 192.168.0.0/16 === 10.176.0.0/13 fwd (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists
Mar  4 16:58:14 ip-10-180-0-12 charon: 09[IKE] unable to install IPsec policies (SPD) in kernel
Mar  4 16:58:14 ip-10-180-0-12 charon: 09[IKE] failed to establish CHILD_SA, keeping IKE_SA
Mar  4 16:58:14 ip-10-180-0-12 charon: 09[KNL] deleting policy 10.176.0.0/13 === 192.168.0.0/16 out failed, not found
Mar  4 16:58:14 ip-10-180-0-12 charon: 09[KNL] deleting policy 192.168.0.0/16 === 10.176.0.0/13 in failed, not found
Mar  4 16:58:14 ip-10-180-0-12 charon: 09[KNL] deleting policy 192.168.0.0/16 === 10.176.0.0/13 fwd failed, not found
Mar  4 16:58:14 ip-10-180-0-12 charon: 09[KNL] deleting policy 10.176.0.0/13 === 192.168.0.0/16 out failed, not found
Mar  4 16:58:14 ip-10-180-0-12 charon: 09[KNL] deleting policy 192.168.0.0/16 === 10.176.0.0/13 in failed, not found
Mar  4 16:58:14 ip-10-180-0-12 charon: 09[KNL] deleting policy 192.168.0.0/16 === 10.176.0.0/13 fwd failed, not found
Mar  4 16:58:14 ip-10-180-0-12 charon: 09[ENC] generating INFORMATIONAL request 3 [ N(REKEY_SA) ]
Mar  4 16:58:14 ip-10-180-0-12 charon: 09[NET] sending packet: from 10.180.0.12[4500] to 2.2.2.2[4500] (76 bytes)
Mar  4 16:58:16 ip-10-180-0-12 charon: 08[KNL] creating rekey job for ESP CHILD_SA with SPI c01ce92f and reqid {2}
Mar  4 16:58:18 ip-10-180-0-12 charon: 13[IKE] retransmit 1 of request with message ID 3
Mar  4 16:58:18 ip-10-180-0-12 charon: 13[NET] sending packet: from 10.180.0.12[4500] to 2.2.2.2[4500] (76 bytes)
Mar  4 16:58:18 ip-10-180-0-12 charon: 10[NET] received packet: from 2.2.2.2[4500] to 10.180.0.12[4500] (76 bytes)
Mar  4 16:58:18 ip-10-180-0-12 charon: 10[ENC] parsed INFORMATIONAL request 174 [ ]
Mar  4 16:58:18 ip-10-180-0-12 charon: 10[ENC] generating INFORMATIONAL response 174 [ ]

 
Here's the ipsec.conf
 
config setup
	    # strictcrlpolicy=yes
	    # uniqueids=no
 
conn Iona-VPN-FW
	    ikelifetime=1440m
	    keylife=60m
	    margintime=3m
	    keyingtries=5
	    keyexchange=ikev2
	    authby=secret
	    left=10.180.0.12
	    leftsubnet=10.176.0.0/13,10.130.0.0/16
	    leftid=1.1.1.1
	    leftfirewall=yes
	    right=2.2.2.2
	    rightsubnet=192.168.0.0/16
	    rightid=2.2.2.2
	    auto=start
	    ike=aes128-md5-modp1536
	    esp=aes128-sha1
	    reauth=no

 
Here's the log entry from the device on the right (Cisco ASA 9.1(3))
 
Mar  4 17:01:19 [10.1.1.12.2.2] Mar 04 2015 17:01:19 Iona-VPN-FW : %ASA-4-113019: Group = 1.1.1.1, Username = 1.1.1.1, IP = 1.1.1.1, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:58m:34s, Bytes xmt: 2479, Bytes rcv: 5233, Reason: Lost Service
 
This is the status just prior to rekeying
 
Wed Mar  4 16:58:12 GMT 2015
Status of IKE charon daemon (strongSwan 5.2.2, Linux 2.6.32-504.8.1.el6.x86_64, x86_64):
  uptime: 55 minutes, since Mar 04 16:02:59 2015
  malloc: sbrk 270336, mmap 0, used 215968, free 54368
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic unity
Listening IP addresses:
  10.180.0.12
Connections:
 Iona-VPN-FW:  10.180.0.12...2.2.2.2  IKEv2
 Iona-VPN-FW:   local:  [1.1.1.1] uses pre-shared key authentication
 Iona-VPN-FW:   remote: [2.2.2.2] uses pre-shared key authentication
 Iona-VPN-FW:   child:  10.176.0.0/13 10.130.0.0/16 === 192.168.0.0/16 TUNNEL
Security Associations (1 up, 0 connecting):
 Iona-VPN-FW[1]: ESTABLISHED 55 minutes ago, 10.180.0.12[1.1.1.1]...2.2.2.2[2.2.2.2]
 Iona-VPN-FW[1]: IKEv2 SPIs: 550d0c34bc66ce4e_i* da285a283fb7a4d1_r, rekeying in 23 hours
 Iona-VPN-FW[1]: IKE proposal: AES_CBC_128/HMAC_MD5_96/PRF_HMAC_SHA1/MODP_1536
 Iona-VPN-FW{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: ccb6a085_i ad93852a_o
 Iona-VPN-FW{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 360 bytes_o (9 pkts, 2965s ago), rekeying in 33 seconds
 Iona-VPN-FW{1}:   10.176.0.0/13 === 192.168.0.0/16
 Iona-VPN-FW{2}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c01ce92f_i 0a7d4641_o
 Iona-VPN-FW{2}:  AES_CBC_128/HMAC_SHA1_96, 2479 bytes_i (17 pkts, 3272s ago), 4873 bytes_o (15 pkts, 3272s ago), rekeying in 2 seconds
 Iona-VPN-FW{2}:   10.130.0.0/16 === 192.168.0.0/16
 
Shortly afterwards it's like this
 
Wed Mar  4 16:58:42 GMT 2015
Status of IKE charon daemon (strongSwan 5.2.2, Linux 2.6.32-504.8.1.el6.x86_64, x86_64):
  uptime: 55 minutes, since Mar 04 16:02:58 2015
  malloc: sbrk 270336, mmap 0, used 216192, free 54144
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic unity
Listening IP addresses:
  10.180.0.12
Connections:
 Iona-VPN-FW:  10.180.0.12...2.2.2.2  IKEv2
 Iona-VPN-FW:   local:  [1.1.1.1] uses pre-shared key authentication
 Iona-VPN-FW:   remote: [2.2.2.2] uses pre-shared key authentication
 Iona-VPN-FW:   child:  10.176.0.0/13 10.130.0.0/16 === 192.168.0.0/16 TUNNEL
Security Associations (1 up, 0 connecting):
 Iona-VPN-FW[1]: ESTABLISHED 55 minutes ago, 10.180.0.12[1.1.1.1]...2.2.2.2[2.2.2.2]
 Iona-VPN-FW[1]: IKEv2 SPIs: 550d0c34bc66ce4e_i* da285a283fb7a4d1_r, rekeying in 22 hours
 Iona-VPN-FW[1]: IKE proposal: AES_CBC_128/HMAC_MD5_96/PRF_HMAC_SHA1/MODP_1536
 Iona-VPN-FW[1]: Tasks queued: CHILD_REKEY
 Iona-VPN-FW[1]: Tasks active: CHILD_REKEY
 Iona-VPN-FW{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: ccb6a085_i ad93852a_o
 Iona-VPN-FW{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 360 bytes_o (9 pkts, 2996s ago), rekeying in 2 seconds
 Iona-VPN-FW{1}:   10.176.0.0/13 === 192.168.0.0/16
 Iona-VPN-FW{2}:  REKEYING, TUNNEL, expires in 4 minutes
 Iona-VPN-FW{2}:   10.130.0.0/16 === 192.168.0.0/16

 
This is the status immediately before the tunnel is torn down
 
Wed Mar  4 17:00:59 GMT 2015
Status of IKE charon daemon (strongSwan 5.2.2, Linux 2.6.32-504.8.1.el6.x86_64, x86_64):
  uptime: 58 minutes, since Mar 04 16:02:59 2015
  malloc: sbrk 270336, mmap 0, used 215968, free 54368
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic unity
Listening IP addresses:
  10.180.0.12
Connections:
 Iona-VPN-FW:  10.180.0.12...2.2.2.2  IKEv2
 Iona-VPN-FW:   local:  [1.1.1.1] uses pre-shared key authentication
 Iona-VPN-FW:   remote: [2.2.2.2] uses pre-shared key authentication
 Iona-VPN-FW:   child:  10.176.0.0/13 10.130.0.0/16 === 192.168.0.0/16 TUNNEL
Security Associations (1 up, 0 connecting):
 Iona-VPN-FW[1]: ESTABLISHED 58 minutes ago, 10.180.0.12[1.1.1.1]...2.2.2.2[2.2.2.2]
 Iona-VPN-FW[1]: IKEv2 SPIs: 550d0c34bc66ce4e_i* da285a283fb7a4d1_r, rekeying in 22 hours
 Iona-VPN-FW[1]: IKE proposal: AES_CBC_128/HMAC_MD5_96/PRF_HMAC_SHA1/MODP_1536
 Iona-VPN-FW[1]: Tasks queued: CHILD_REKEY CHILD_REKEY CHILD_REKEY
 Iona-VPN-FW[1]: Tasks active: CHILD_REKEY
 Iona-VPN-FW{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: ccb6a085_i ad93852a_o
 Iona-VPN-FW{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 360 bytes_o (9 pkts, 3133s ago), rekeying active
 Iona-VPN-FW{1}:   10.176.0.0/13 === 192.168.0.0/16
 Iona-VPN-FW{2}:  REKEYING, TUNNEL, expires in 2 minutes
 Iona-VPN-FW{2}:   10.130.0.0/16 === 192.168.0.0/16

 
And seconds later once it has been torn down
 
Wed Mar  4 17:00:59 GMT 2015
Status of IKE charon daemon (strongSwan 5.2.2, Linux 2.6.32-504.8.1.el6.x86_64, x86_64):
  uptime: 58 minutes, since Mar 04 16:02:58 2015
  malloc: sbrk 270336, mmap 0, used 208768, free 61568
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic unity
Listening IP addresses:
  10.180.0.12
Connections:
 Iona-VPN-FW:  10.180.0.12...2.2.2.2  IKEv2
 Iona-VPN-FW:   local:  [1.1.1.1] uses pre-shared key authentication
 Iona-VPN-FW:   remote: [2.2.2.2] uses pre-shared key authentication
 Iona-VPN-FW:   child:  10.176.0.0/13 10.130.0.0/16 === 192.168.0.0/16 TUNNEL
Security Associations (0 up, 0 connecting):
  none
 
Feedback welcome.
 
 
Tormod
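As an added example (not part of the original post or of strongSwan's own code), a small checker that parses the charon CFG lines quoted above and compares the selectors charon tried to install for a reqid against the per-CHILD_SA selectors shown by `ipsec statusall` before the rekey. The sample log and the INSTALLED map are constructed from the post; the point it makes visible is that the policies attempted for reqid 2 carry reqid 1's left subnet, not the 10.130.0.0/16 that {2} was installed with.

```python
import re
from collections import defaultdict

# Constructed sample, copied in shape from the post: the rekey response for
# CHILD_SA reqid 2 followed by charon's failed SPD installs.
CHARON_LOG = """\
Mar  4 16:58:14 ip-10-180-0-12 charon: 09[ENC] parsed CREATE_CHILD_SA response 2 [ SA No TSi TSr ]
Mar  4 16:58:14 ip-10-180-0-12 charon: 09[CFG] unable to install policy 10.176.0.0/13 === 192.168.0.0/16 out (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists
Mar  4 16:58:14 ip-10-180-0-12 charon: 09[CFG] unable to install policy 192.168.0.0/16 === 10.176.0.0/13 in (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists
Mar  4 16:58:14 ip-10-180-0-12 charon: 09[CFG] unable to install policy 192.168.0.0/16 === 10.176.0.0/13 fwd (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists
Mar  4 16:58:14 ip-10-180-0-12 charon: 09[IKE] unable to install IPsec policies (SPD) in kernel
"""

# Per-CHILD_SA selectors (local, remote) as "ipsec statusall" showed them just
# before the rekey; taken from the status output in the post.
INSTALLED = {1: ("10.176.0.0/13", "192.168.0.0/16"),
             2: ("10.130.0.0/16", "192.168.0.0/16")}

POLICY_RE = re.compile(
    r"\[CFG\] unable to install policy (\S+) === (\S+) (out|in|fwd) "
    r"\(mark [^)]*\) for reqid (\d+), the same policy for reqid (\d+) exists")

def parse_collisions(log):
    """Map reqid -> set of (local, remote, direction, clashing_reqid)."""
    found = defaultdict(set)
    for line in log.splitlines():
        m = POLICY_RE.search(line)
        if not m:
            continue
        src, dst, direction, reqid, other = m.groups()
        # charon prints "in"/"fwd" policies as remote === local; normalise.
        local, remote = (src, dst) if direction == "out" else (dst, src)
        found[int(reqid)].add((local, remote, direction, int(other)))
    return dict(found)

def diagnose(log, installed):
    """For each failed install, say whose selectors the rekeyed SA tried to use."""
    report = []
    for reqid, entries in sorted(parse_collisions(log).items()):
        for local, remote, other in sorted({(l, r, o) for l, r, _, o in entries}):
            owner = next((k for k, sel in installed.items() if sel == (local, remote)), None)
            report.append({"reqid": reqid, "attempted": (local, remote),
                           "expected": installed.get(reqid), "clashes_with": other,
                           "selectors_belong_to": owner})
    return report

if __name__ == "__main__":
    for r in diagnose(CHARON_LOG, INSTALLED):
        print(f"reqid {r['reqid']}: tried {r['attempted']} (installed for reqid "
              f"{r['selectors_belong_to']}), expected {r['expected']}")
```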