[strongSwan] Windows StrongSwan cannot establish CHILD_SA due to CREATE_CHILD_SA kicks in every outbound packet.

Jaehong Park jaehong.park at illumio.com
Sat Nov 28 22:09:19 CET 2015


Hi Noel.

Thanks for the response.

If you read further, you will see the retry and success. I copied and pasted the messages from failure to success here.

See the end of log.

2015-11-28T08:42:56 13[KNL] setting WFP SA SPI failed: 0x80320035
2015-11-28T08:42:56 13[IKE] unable to install IPsec policies (SPD) in kernel
2015-11-28T08:42:56 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
2015-11-28T08:42:56 13[IKE] sending DELETE for ESP CHILD_SA with SPI cef5a6bf
2015-11-28T08:42:56 13[ENC] generating INFORMATIONAL request 2 [ D ]
2015-11-28T08:42:56 13[NET] sending packet: from 172.16.115.240[4500] to 66.151.147.21[4500] (76 bytes)
2015-11-28T08:42:57 16[NET] received packet: from 66.151.147.21[4500] to 172.16.115.240[4500] (76 bytes)
2015-11-28T08:42:57 16[ENC] parsed INFORMATIONAL response 2 [ D ]
2015-11-28T08:42:57 17[KNL] creating acquire job for policy 172.16.115.240/32[icmp/8] === 192.168.10.2/32[icmp/0] with reqid {1}
2015-11-28T08:42:57 14[IKE] establishing CHILD_SA child_a25_a26{1}
2015-11-28T08:42:57 14[ENC] generating CREATE_CHILD_SA request 3 [ SA No TSi TSr ]
2015-11-28T08:42:57 14[NET] sending packet: from 172.16.115.240[4500] to 66.151.147.21[4500] (236 bytes)
2015-11-28T08:42:58 17[KNL] creating acquire job for policy 172.16.115.240/32[icmp/8] === 192.168.10.2/32[icmp/0] with reqid {1}
2015-11-28T08:42:58 06[CFG] ignoring acquire, connection attempt pending
2015-11-28T08:42:59 17[KNL] creating acquire job for policy 172.16.115.240/32[icmp/8] === 192.168.10.2/32[icmp/0] with reqid {1}
2015-11-28T08:42:59 08[CFG] ignoring acquire, connection attempt pending
2015-11-28T08:43:00 17[KNL] creating acquire job for policy 172.16.115.240/32[icmp/8] === 192.168.10.2/32[icmp/0] with reqid {1}
2015-11-28T08:43:00 12[CFG] ignoring acquire, connection attempt pending
2015-11-28T08:43:01 09[IKE] retransmit 1 of request with message ID 3
2015-11-28T08:43:01 09[NET] sending packet: from 172.16.115.240[4500] to 66.151.147.21[4500] (236 bytes)
2015-11-28T08:43:01 17[KNL] creating acquire job for policy 172.16.115.240/32[icmp/8] === 192.168.10.2/32[icmp/0] with reqid {1}
2015-11-28T08:43:01 05[CFG] ignoring acquire, connection attempt pending
2015-11-28T08:43:01 10[NET] received packet: from 66.151.147.21[4500] to 172.16.115.240[4500] (236 bytes)
2015-11-28T08:43:01 10[ENC] parsed CREATE_CHILD_SA response 3 [ SA No TSi TSr ]
2015-11-28T08:43:01 10[IKE] CHILD_SA child_a25_a26{6} established with SPIs ce117294_i be8f068b_o and TS 172.16.115.240/32 === 192.168.10.0/24



On Nov 28, 2015, at 10:57 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:


Hello Jaehong,

Your diagnosis is completely wrong. That's not the root of the problem.
It's because charon is not allowed to install the policies into the kernel.

2015-11-28T08:42:56 13[KNL] setting WFP SA SPI failed: 0x80320035
2015-11-28T08:42:56 13[IKE] unable to install IPsec policies (SPD) in kernel
2015-11-28T08:42:56 13[IKE] failed to establish CHILD_SA, keeping IKE_SA


- --

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

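Added example, not part of either e-mail and not strongSwan code: a small Python triage of charon log lines like those quoted in this thread. It counts kernel-interface error codes and acquire jobs per policy, and measures the time from a failed CHILD_SA installation to the next established one. The name `triage` and the result keys are assumptions; the sample lines are copied from the log above.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: a subset of the charon log lines quoted in this thread.
SAMPLE = """\
2015-11-28T08:42:56 13[KNL] setting WFP SA SPI failed: 0x80320035
2015-11-28T08:42:56 13[IKE] unable to install IPsec policies (SPD) in kernel
2015-11-28T08:42:56 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
2015-11-28T08:42:57 17[KNL] creating acquire job for policy 172.16.115.240/32[icmp/8] === 192.168.10.2/32[icmp/0] with reqid {1}
2015-11-28T08:42:58 17[KNL] creating acquire job for policy 172.16.115.240/32[icmp/8] === 192.168.10.2/32[icmp/0] with reqid {1}
2015-11-28T08:42:58 06[CFG] ignoring acquire, connection attempt pending
2015-11-28T08:43:01 09[IKE] retransmit 1 of request with message ID 3
2015-11-28T08:43:01 10[IKE] CHILD_SA child_a25_a26{6} established with SPIs ce117294_i be8f068b_o and TS 172.16.115.240/32 === 192.168.10.0/24
"""

# timestamp, thread number, subsystem tag, message text
LINE = re.compile(r"^(\S+) (\d+)\[(\w+)\] (.*)$")

def triage(text):
    """Summarise CHILD_SA install failures, acquire storms and recovery time."""
    r = {"kernel_errors": Counter(), "acquires": Counter(), "ignored": 0,
         "retransmits": 0, "failed_at": None, "recovered_after_s": None}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that are not charon log entries
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        subsys, msg = m.group(3), m.group(4)
        if subsys == "KNL" and (e := re.search(r"failed: (0x[0-9a-fA-F]{8})", msg)):
            r["kernel_errors"][e.group(1)] += 1          # error code as logged
        elif subsys == "KNL" and (a := re.search(
                r"acquire job for policy (.+) with reqid \{(\d+)\}", msg)):
            r["acquires"][(a.group(1), a.group(2))] += 1  # per policy and reqid
        elif msg.startswith("ignoring acquire"):
            r["ignored"] += 1
        elif msg.startswith("retransmit "):
            r["retransmits"] += 1
        elif msg.startswith("failed to establish CHILD_SA"):
            r["failed_at"] = ts
        elif msg.startswith("CHILD_SA ") and " established " in msg and r["failed_at"]:
            r["recovered_after_s"] = (ts - r["failed_at"]).total_seconds()
            r["failed_at"] = None                         # failure resolved
    return r

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A `failed_at` value that is still set at the end of a log means the last failed installation was never followed by an established CHILD_SA.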

