[strongSwan] unable to install policy 192.168.0.0/16 === 10.176.0.0/13 in (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists

Martin Willi martin at strongswan.org
Tue Mar 10 14:39:21 CET 2015


On Sat, 2015-03-07 at 21:52 +0000, Tormod Macleod wrote:
> Hello,
>  
> I'm getting the above error when rekeying. I think it might be related to issue #431? I've tried the workaround of setting reauth=no but this did not resolve the issue. I have only started running into this since we started using more than one subnet in the left side of the connection.
>  
> If no traffic goes between 10.130.0.0/16 === 192.168.0.0/16 and that tunnel is never brought up the other tunnel will remain up and rekey without any problem. However, as soon as traffic goes between 10.130.0.0/16 === 192.168.0.0/16 the next rekey fails and both tunnels are brought down. If I wait a few seconds and then send traffic from the right the tunnel(s) will come back up but traffic from the left never re-establishes either tunnel. Here's the log

> 	    leftsubnet=10.176.0.0/13,10.130.0.0/16
> 	    leftid=1.1.1.1
> 	    leftfirewall=yes
> 	    right=2.2.2.2
> 	    rightsubnet=192.168.0.0/16
> 	    rightid=2.2.2.2
> 	    auto=start
> 	    ike=aes128-md5-modp1536
> 	    esp=aes128-sha1
> 	    reauth=no
> 
>  
> Here's the log entry from the device on the right (Cisco ASA 9.1(3))
>  
> Mar  4 17:01:19 [10.1.1.12.2.2] Mar 04 2015 17:01:19 Iona-VPN-FW : %ASA-4-113019: Group = 1.1.1.1, Username = 1.1.1.1, IP = 1.1.1.1, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:58m:34s, Bytes xmt: 2479, Bytes rcv: 5233, Reason: Lost Service
>  
> This is the status just prior to rekeying
>  
> Wed Mar  4 16:58:12 GMT 2015
> Status of IKE charon daemon (strongSwan 5.2.2, Linux 2.6.32-504.8.1.el6.x86_64, x86_64):
>   uptime: 55 minutes, since Mar 04 16:02:59 2015
>   malloc: sbrk 270336, mmap 0, used 215968, free 54368
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
>   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic unity
> Listening IP addresses:
>   10.180.0.12
> Connections:
>  Iona-VPN-FW:  10.180.0.12...2.2.2.2  IKEv2
>  Iona-VPN-FW:   local:  [1.1.1.1] uses pre-shared key authentication
>  Iona-VPN-FW:   remote: [2.2.2.2] uses pre-shared key authentication
>  Iona-VPN-FW:   child:  10.176.0.0/13 10.130.0.0/16 === 192.168.0.0/16 TUNNEL
> Security Associations (1 up, 0 connecting):
>  Iona-VPN-FW[1]: ESTABLISHED 55 minutes ago, 10.180.0.12[1.1.1.1]...2.2.2.2[2.2.2.2]
>  Iona-VPN-FW[1]: IKEv2 SPIs: 550d0c34bc66ce4e_i* da285a283fb7a4d1_r, rekeying in 23 hours
>  Iona-VPN-FW[1]: IKE proposal: AES_CBC_128/HMAC_MD5_96/PRF_HMAC_SHA1/MODP_1536
>  Iona-VPN-FW{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: ccb6a085_i ad93852a_o
>  Iona-VPN-FW{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 360 bytes_o (9 pkts, 2965s ago), rekeying in 33 seconds
>  Iona-VPN-FW{1}:   10.176.0.0/13 === 192.168.0.0/16
>  Iona-VPN-FW{2}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c01ce92f_i 0a7d4641_o
>  Iona-VPN-FW{2}:  AES_CBC_128/HMAC_SHA1_96, 2479 bytes_i (17 pkts, 3272s ago), 4873 bytes_o (15 pkts, 3272s ago), rekeying in 2 seconds
>  Iona-VPN-FW{2}:   10.130.0.0/16 === 192.168.0.0/16
>  
> Shortly afterwards it's like this
>  
> Wed Mar  4 16:58:42 GMT 2015
> Status of IKE charon daemon (strongSwan 5.2.2, Linux 2.6.32-504.8.1.el6.x86_64, x86_64):
>   uptime: 55 minutes, since Mar 04 16:02:58 2015
>   malloc: sbrk 270336, mmap 0, used 216192, free 54144
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
>   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic unity
> Listening IP addresses:
>   10.180.0.12
> Connections:
>  Iona-VPN-FW:  10.180.0.12...2.2.2.2  IKEv2
>  Iona-VPN-FW:   local:  [1.1.1.1] uses pre-shared key authentication
>  Iona-VPN-FW:   remote: [2.2.2.2] uses pre-shared key authentication
>  Iona-VPN-FW:   child:  10.176.0.0/13 10.130.0.0/16 === 192.168.0.0/16 TUNNEL
> Security Associations (1 up, 0 connecting):
>  Iona-VPN-FW[1]: ESTABLISHED 55 minutes ago, 10.180.0.12[1.1.1.1]...2.2.2.2[2.2.2.2]
>  Iona-VPN-FW[1]: IKEv2 SPIs: 550d0c34bc66ce4e_i* da285a283fb7a4d1_r, rekeying in 22 hours
>  Iona-VPN-FW[1]: IKE proposal: AES_CBC_128/HMAC_MD5_96/PRF_HMAC_SHA1/MODP_1536
>  Iona-VPN-FW[1]: Tasks queued: CHILD_REKEY
>  Iona-VPN-FW[1]: Tasks active: CHILD_REKEY
>  Iona-VPN-FW{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: ccb6a085_i ad93852a_o
>  Iona-VPN-FW{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 360 bytes_o (9 pkts, 2996s ago), rekeying in 2 seconds
>  Iona-VPN-FW{1}:   10.176.0.0/13 === 192.168.0.0/16
>  Iona-VPN-FW{2}:  REKEYING, TUNNEL, expires in 4 minutes
>  Iona-VPN-FW{2}:   10.130.0.0/16 === 192.168.0.0/16
> 
>  
> This is the status immediately before the tunnel is torn down
>  
> Wed Mar  4 17:00:59 GMT 2015
> Status of IKE charon daemon (strongSwan 5.2.2, Linux 2.6.32-504.8.1.el6.x86_64, x86_64):
>   uptime: 58 minutes, since Mar 04 16:02:59 2015
>   malloc: sbrk 270336, mmap 0, used 215968, free 54368
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
>   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic unity
> Listening IP addresses:
>   10.180.0.12
> Connections:
>  Iona-VPN-FW:  10.180.0.12...2.2.2.2  IKEv2
>  Iona-VPN-FW:   local:  [1.1.1.1] uses pre-shared key authentication
>  Iona-VPN-FW:   remote: [2.2.2.2] uses pre-shared key authentication
>  Iona-VPN-FW:   child:  10.176.0.0/13 10.130.0.0/16 === 192.168.0.0/16 TUNNEL
> Security Associations (1 up, 0 connecting):
>  Iona-VPN-FW[1]: ESTABLISHED 58 minutes ago, 10.180.0.12[1.1.1.1]...2.2.2.2[2.2.2.2]
>  Iona-VPN-FW[1]: IKEv2 SPIs: 550d0c34bc66ce4e_i* da285a283fb7a4d1_r, rekeying in 22 hours
>  Iona-VPN-FW[1]: IKE proposal: AES_CBC_128/HMAC_MD5_96/PRF_HMAC_SHA1/MODP_1536
>  Iona-VPN-FW[1]: Tasks queued: CHILD_REKEY CHILD_REKEY CHILD_REKEY
>  Iona-VPN-FW[1]: Tasks active: CHILD_REKEY
>  Iona-VPN-FW{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: ccb6a085_i ad93852a_o
>  Iona-VPN-FW{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 360 bytes_o (9 pkts, 3133s ago), rekeying active
>  Iona-VPN-FW{1}:   10.176.0.0/13 === 192.168.0.0/16
>  Iona-VPN-FW{2}:  REKEYING, TUNNEL, expires in 2 minutes
>  Iona-VPN-FW{2}:   10.130.0.0/16 === 192.168.0.0/16
> 
>  
> And seconds later once it has been torn down
>  
> Wed Mar  4 17:00:59 GMT 2015
> Status of IKE charon daemon (strongSwan 5.2.2, Linux 2.6.32-504.8.1.el6.x86_64, x86_64):
>   uptime: 58 minutes, since Mar 04 16:02:58 2015
>   malloc: sbrk 270336, mmap 0, used 208768, free 61568
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
>   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic unity
> Listening IP addresses:
>   10.180.0.12
> Connections:
>  Iona-VPN-FW:  10.180.0.12...2.2.2.2  IKEv2
>  Iona-VPN-FW:   local:  [1.1.1.1] uses pre-shared key authentication
>  Iona-VPN-FW:   remote: [2.2.2.2] uses pre-shared key authentication
>  Iona-VPN-FW:   child:  10.176.0.0/13 10.130.0.0/16 === 192.168.0.0/16 TUNNEL
> Security Associations (0 up, 0 connecting):
>   none
>  
> Feedback welcome.
>  
> 
> Tormod
>  
> 
> 
> 
> 
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
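The status dumps above show the single configured child selector set `10.176.0.0/13 10.130.0.0/16 === 192.168.0.0/16` coming up as two CHILD_SAs with one left subnet each, and the subject line names the policy that later fails to install. The following is an added example, not code from this thread or from strongSwan, that parses a 5.2.2-style `ipsec statusall` dump together with the `unable to install policy` message and correlates the two: it reports which CHILD_SAs were narrowed relative to their conn's configured selectors and which installed CHILD_SA carries the selectors of the failed policy. Assumptions: the regular expressions follow the exact output format quoted in this thread (other charon versions print extra fields such as the reqid on the CHILD_SA line), and the kernel-netlink message is read as `src === dst <direction>`, with inbound and forward policies listing the remote selector first, which is how the local/remote order is recovered. The sample status text is a trimmed copy of the 16:58:12 dump above.

```python
"""Added example, not from the thread or strongSwan: parse a charon `ipsec statusall`
dump and the "unable to install policy" message and correlate them. Regexes follow
the 5.2.2 output quoted in the thread; the sample below is a trimmed copy of it."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Trimmed copy of the 16:58:12 status dump quoted in the thread.
STATUS_BEFORE_REKEY = """\
Connections:
 Iona-VPN-FW:   child:  10.176.0.0/13 10.130.0.0/16 === 192.168.0.0/16 TUNNEL
Security Associations (1 up, 0 connecting):
 Iona-VPN-FW{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: ccb6a085_i ad93852a_o
 Iona-VPN-FW{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 360 bytes_o (9 pkts, 2965s ago), rekeying in 33 seconds
 Iona-VPN-FW{1}:   10.176.0.0/13 === 192.168.0.0/16
 Iona-VPN-FW{2}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c01ce92f_i 0a7d4641_o
 Iona-VPN-FW{2}:  AES_CBC_128/HMAC_SHA1_96, 2479 bytes_i (17 pkts, 3272s ago), 4873 bytes_o (15 pkts, 3272s ago), rekeying in 2 seconds
 Iona-VPN-FW{2}:   10.130.0.0/16 === 192.168.0.0/16
"""
# The message from the thread's subject line.
POLICY_ERROR = ("unable to install policy 192.168.0.0/16 === 10.176.0.0/13 in "
                "(mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists")

# "conn:   child:  <local ts...> === <remote ts...> TUNNEL"
CHILD_CFG_RE = re.compile(r"^\s*(\S+?):\s+child:\s+(.+?) === (.+?)\s+\S+\s*$")
# "conn{n}:  INSTALLED, TUNNEL, ..." (this 5.2.2 output does not print the reqid here)
CHILD_SA_STATE_RE = re.compile(r"^\s*(\S+?)\{(\d+)\}:\s+([A-Z]+),")
# "conn{n}:   <local ts...> === <remote ts...>"
CHILD_SA_TS_RE = re.compile(r"^\s*(\S+?)\{(\d+)\}:\s+(\S[^=]*?) === (\S.*?)\s*$")
# assumption: kernel-netlink logs the policy as "src === dst <direction>"
POLICY_ERR_RE = re.compile(
    r"unable to install policy (\S+) === (\S+) (in|out|fwd) .*"
    r"for reqid (\d+), the same policy for reqid (\d+) exists")

@dataclass
class ChildSA:
    conn: str
    index: int
    state: str = "?"
    local_ts: Tuple[str, ...] = ()
    remote_ts: Tuple[str, ...] = ()

@dataclass
class Status:
    configured: Dict[str, Tuple[Tuple[str, ...], Tuple[str, ...]]]  # conn -> (local, remote)
    child_sas: List[ChildSA]

def parse_statusall(text: str) -> Status:
    configured, sas = {}, {}
    for line in text.splitlines():
        if m := CHILD_CFG_RE.match(line):
            configured[m[1]] = (tuple(m[2].split()), tuple(m[3].split()))
        elif m := CHILD_SA_STATE_RE.match(line):
            sas.setdefault((m[1], int(m[2])), ChildSA(m[1], int(m[2]))).state = m[3]
        elif m := CHILD_SA_TS_RE.match(line):
            sa = sas.setdefault((m[1], int(m[2])), ChildSA(m[1], int(m[2])))
            sa.local_ts, sa.remote_ts = tuple(m[3].split()), tuple(m[4].split())
    return Status(configured, list(sas.values()))

def _nets(selectors) -> frozenset:
    # drop any "[proto/port]" suffix so ipaddress can parse the prefix
    return frozenset(ipaddress.ip_network(s.split("[")[0], strict=False) for s in selectors)

def find_narrowing(status: Status) -> List[Tuple[ChildSA, bool, bool]]:
    """CHILD_SAs whose installed selectors differ from the conn's configured ones;
    a multi-subnet leftsubnet that came up as single-subnet CHILD_SAs, as in the
    thread, means the peer narrowed the proposed traffic selectors."""
    found = []
    for sa in status.child_sas:
        cfg = status.configured.get(sa.conn)
        if cfg is None or not sa.local_ts:
            continue
        narrowed = (_nets(sa.local_ts) != _nets(cfg[0]), _nets(sa.remote_ts) != _nets(cfg[1]))
        if any(narrowed):
            found.append((sa, *narrowed))
    return found

def parse_policy_conflict(line: str) -> Optional[dict]:
    m = POLICY_ERR_RE.search(line)
    if not m:
        return None
    src, dst, direction, new_reqid, old_reqid = m.groups()
    # inbound and forward policies carry the remote selector as source
    local, remote = (dst, src) if direction in ("in", "fwd") else (src, dst)
    return {"local": local, "remote": remote, "dir": direction,
            "new_reqid": int(new_reqid), "existing_reqid": int(old_reqid)}

def children_for_conflict(status: Status, conflict: dict) -> List[ChildSA]:
    """CHILD_SAs in the dump whose selectors equal the policy that failed to install."""
    want = (_nets([conflict["local"]]), _nets([conflict["remote"]]))
    return [sa for sa in status.child_sas
            if sa.local_ts and (_nets(sa.local_ts), _nets(sa.remote_ts)) == want]

if __name__ == "__main__":  # stand-alone run over the thread's own data
    st = parse_statusall(STATUS_BEFORE_REKEY)
    for sa, l, r in find_narrowing(st):
        print(f"{sa.conn}{{{sa.index}}} narrowed local={l} remote={r}: {sa.local_ts} === {sa.remote_ts}")
    print(children_for_conflict(st, parse_policy_conflict(POLICY_ERROR)))
```

Run stand-alone, it reports that both CHILD_SAs are narrowed on the local side relative to the configured child and that the failed inbound policy carries the selectors of Iona-VPN-FW{1}. The same parser can be pointed at a live `ipsec statusall` captured shortly before a rekey; because this version's statusall output does not show reqids, the reqid collision itself is only visible in the charon log line or in `ip xfrm policy`, which prints the reqid in each policy's template.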



