[strongSwan] unable to install policy ... the same policy for reqid XXX exists

Andreas Hofmeister andi at collax.com
Wed Aug 17 18:50:57 CEST 2016


Hi all,

In a kind of "hub-and-spoke" setup, client re-connection sometimes fails 
with an error message on the hub:

   unable to install policy ...  the same policy for reqid YYY exists.

Here is how to reproduce it:

Initial Situation on the hub "gwsite2":

---8<---
root at gwsite2:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.5.0, Linux 4.4.17-cx, x86_64):
   uptime: 95 minutes, since Aug 17 15:55:58 2016
   malloc: sbrk 2568192, mmap 0, used 377184, free 2191008
   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, 
scheduled: 0
   loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 
revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey 
pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve 
socket-default stroke vici updown eap-gtc xauth-generic xauth-pam
Listening IP addresses:
   192.168.2.1
   172.16.252.2
   172.16.5.32
Connections:
  Intersite_1:  %any...%any  IKEv1/2
  Intersite_1:   local:  [C=DE, O=Example Org, OU=R%D, 
CN=gwsite2.test.example.com] uses public key authentication
  Intersite_1:    cert:  "C=DE, O=Example Org, OU=R%D, 
CN=gwsite2.test.example.com"
  Intersite_1:   remote: [C=DE, O=Example Org, OU=R%D, 
CN=ai.example.com] uses public key authentication
  Intersite_1:    cert:  "C=DE, O=Example Org, OU=R%D, CN=ai.example.com"
  Intersite_1:   child:  192.168.0.0/16 === 192.168.3.0/24 TUNNEL
Intersite2_1:  %any...%any  IKEv1/2
Intersite2_1:   local:  [C=DE, O=Example Org, OU=R%D, 
CN=gwsite2.test.example.com] uses public key authentication
Intersite2_1:    cert:  "C=DE, O=Example Org, OU=R%D, 
CN=gwsite2.test.example.com"
Intersite2_1:   remote: [C=DE, CN=gwsite1] uses public key authentication
Intersite2_1:    cert:  "C=DE, CN=gwsite1"
Intersite2_1:   child:  192.168.2.0/24 === 192.168.0.0/16 TUNNEL
Intersite2_2:   child:  192.168.3.0/24 === 192.168.0.0/16 TUNNEL
Security Associations (0 up, 0 connecting):
   none
--->8---

Now

1. let the client for "Intersite" connect (ai)
2. let the client for "Intersite2" connect (gwsite1)

Note: The order of actions matters!

This works fine; the situation on the hub is now:

---8<---
root at gwsite2:~# ipsec statusall
...
Security Associations (2 up, 0 connecting):
Intersite2_1[260]: ESTABLISHED 7 seconds ago, 172.16.252.2[C=DE, 
O=Example Org, OU=R%D, CN=gwsite2.test.example.com]...172.16.251.2[C=DE, 
CN=gwsite1]
Intersite2_1[260]: IKEv1 SPIs: d4c9e722b74fb309_i 9402edf3fafc2add_r*, 
rekeying disabled
Intersite2_1[260]: IKE proposal: 
AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
Intersite2_1{267}:  INSTALLED, TUNNEL, reqid 266, ESP SPIs: c1bb151f_i 
c8df229d_o
Intersite2_1{267}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 
bytes_o, rekeying disabled
Intersite2_1{267}:   192.168.2.0/24 === 192.168.0.0/16
Intersite2_2{268}:  INSTALLED, TUNNEL, reqid 267, ESP SPIs: cc49fb1c_i 
c52e3b45_o
Intersite2_2{268}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 
bytes_o, rekeying disabled
Intersite2_2{268}:   192.168.3.0/24 === 192.168.0.0/16
  Intersite_1[259]: ESTABLISHED 55 seconds ago, 172.16.252.2[C=DE, 
O=Example Org, OU=R%D, CN=gwsite2.test.example.com]...172.16.249.2[C=DE, 
O=Example Org, OU=R%D, CN=ai.example.com]
  Intersite_1[259]: IKEv1 SPIs: c74bdf3cb7e2e43f_i 5c4c1be544edcb09_r*, 
rekeying disabled
  Intersite_1[259]: IKE proposal: 
AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
  Intersite_1{266}:  INSTALLED, TUNNEL, reqid 265, ESP SPIs: c6a29921_i 
c9cb4bff_o
  Intersite_1{266}:  AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i, 0 
bytes_o, rekeying disabled
  Intersite_1{266}:   192.168.0.0/16 === 192.168.3.0/24

root at gwsite2:~# ip xfrm pol
src 192.168.0.0/16 dst 192.168.3.0/24
         dir fwd priority 189760 ptype main
         tmpl src 172.16.251.2 dst 172.16.252.2
                 proto esp reqid 267 mode tunnel
src 192.168.0.0/16 dst 192.168.3.0/24
         dir in priority 189760 ptype main
         tmpl src 172.16.251.2 dst 172.16.252.2
                 proto esp reqid 267 mode tunnel
src 192.168.3.0/24 dst 192.168.0.0/16
         dir out priority 189760 ptype main
         tmpl src 172.16.252.2 dst 172.16.251.2
                 proto esp reqid 267 mode tunnel
src 192.168.2.0/24 dst 192.168.0.0/16
         dir fwd priority 289760 ptype main
src 192.168.0.0/16 dst 192.168.2.0/24
         dir fwd priority 189760 ptype main
         tmpl src 172.16.251.2 dst 172.16.252.2
                 proto esp reqid 266 mode tunnel
src 192.168.0.0/16 dst 192.168.2.0/24
         dir in priority 189760 ptype main
         tmpl src 172.16.251.2 dst 172.16.252.2
                 proto esp reqid 266 mode tunnel
src 192.168.2.0/24 dst 192.168.0.0/16
         dir out priority 189760 ptype main
         tmpl src 172.16.252.2 dst 172.16.251.2
                 proto esp reqid 266 mode tunnel
src 192.168.3.0/24 dst 192.168.0.0/16
         dir fwd priority 189760 ptype main
         tmpl src 172.16.249.2 dst 172.16.252.2
                 proto esp reqid 265 mode tunnel
src 192.168.3.0/24 dst 192.168.0.0/16
         dir in priority 189760 ptype main
         tmpl src 172.16.249.2 dst 172.16.252.2
                 proto esp reqid 265 mode tunnel
src 192.168.0.0/16 dst 192.168.3.0/24
         dir out priority 189760 ptype main
         tmpl src 172.16.252.2 dst 172.16.249.2
                 proto esp reqid 265 mode tunnel
...
--->8---

Now disconnect the client for "Intersite" (ai). The situation after the 
disconnect is:

---8<---
root at gwsite2:~# ipsec statusall
...
Security Associations (1 up, 0 connecting):
Intersite2_1[260]: ESTABLISHED 3 minutes ago, 172.16.252.2[C=DE, 
O=Example Org, OU=R%D, CN=gwsite2.test.example.com]...172.16.251.2[C=DE, 
CN=gwsite1]
Intersite2_1[260]: IKEv1 SPIs: d4c9e722b74fb309_i 9402edf3fafc2add_r*, 
rekeying disabled
Intersite2_1[260]: IKE proposal: 
AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
Intersite2_1{267}:  INSTALLED, TUNNEL, reqid 266, ESP SPIs: c1bb151f_i 
c8df229d_o
Intersite2_1{267}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 
bytes_o, rekeying disabled
Intersite2_1{267}:   192.168.2.0/24 === 192.168.0.0/16
Intersite2_2{268}:  INSTALLED, TUNNEL, reqid 267, ESP SPIs: cc49fb1c_i 
c52e3b45_o
Intersite2_2{268}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 
bytes_o, rekeying disabled
Intersite2_2{268}:   192.168.3.0/24 === 192.168.0.0/16

root at gwsite2:~# ip xfrm pol
src 192.168.3.0/24 dst 192.168.0.0/16
         dir fwd priority 289760 ptype main
src 192.168.0.0/16 dst 192.168.3.0/24
         dir fwd priority 189760 ptype main
         tmpl src 172.16.251.2 dst 172.16.252.2
                 proto esp reqid 267 mode tunnel
src 192.168.0.0/16 dst 192.168.3.0/24
         dir in priority 189760 ptype main
         tmpl src 172.16.251.2 dst 172.16.252.2
                 proto esp reqid 267 mode tunnel
src 192.168.3.0/24 dst 192.168.0.0/16
         dir out priority 189760 ptype main
         tmpl src 172.16.252.2 dst 172.16.251.2
                 proto esp reqid 267 mode tunnel
src 192.168.2.0/24 dst 192.168.0.0/16
         dir fwd priority 289760 ptype main
src 192.168.0.0/16 dst 192.168.2.0/24
         dir fwd priority 189760 ptype main
         tmpl src 172.16.251.2 dst 172.16.252.2
                 proto esp reqid 266 mode tunnel
src 192.168.0.0/16 dst 192.168.2.0/24
         dir in priority 189760 ptype main
         tmpl src 172.16.251.2 dst 172.16.252.2
                 proto esp reqid 266 mode tunnel
src 192.168.2.0/24 dst 192.168.0.0/16
         dir out priority 189760 ptype main
         tmpl src 172.16.252.2 dst 172.16.251.2
                 proto esp reqid 266 mode tunnel
...
--->8---

Finally, let the client for "Intersite" (ai) connect again. Establishment 
of the IKE SA works; setting up the Child SA, however, fails, and "charon" says:

---8<---
gwsite2 charon[]: 07[CFG] unable to install policy 192.168.3.0/24 === 
192.168.0.0/16 fwd for reqid 268, the same policy for reqid 265 exists
--->8---

As you can see from the last "ip xfrm pol" output, the kernel no longer 
seems to know anything about reqid 265; that reqid was used for the 
previous connection from that client, though.

The situation persists unless

a) the connection from the other client (gwsite1) is terminated, or
b) charon is restarted.


TIA
   Andreas Hofmeister.
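As an added example (not part of the post and not strongSwan code): a small Python check that parses `ip xfrm pol` output and compares charon's claim ("the same policy for reqid 265 exists") with what the kernel actually holds. The sample input is an excerpt of the post's second dump; the function names are my own.

```python
import re

# Excerpt of the post's "ip xfrm pol" dump after the ai client disconnected,
# embedded as sample input (only the entries the diagnosis needs).
XFRM_POL_AFTER_DISCONNECT = """\
src 192.168.3.0/24 dst 192.168.0.0/16
         dir fwd priority 289760 ptype main
src 192.168.0.0/16 dst 192.168.3.0/24
         dir fwd priority 189760 ptype main
         tmpl src 172.16.251.2 dst 172.16.252.2
                 proto esp reqid 267 mode tunnel
src 192.168.2.0/24 dst 192.168.0.0/16
         dir fwd priority 289760 ptype main
src 192.168.0.0/16 dst 192.168.2.0/24
         dir fwd priority 189760 ptype main
         tmpl src 172.16.251.2 dst 172.16.252.2
                 proto esp reqid 266 mode tunnel
"""

def parse_xfrm_policies(text):
    """One dict per policy: src, dst, dir, priority and reqid (None if no tmpl)."""
    policies = []
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"src (\S+) dst (\S+)", line):
            policies.append({"src": m[1], "dst": m[2], "reqid": None})
        elif m := re.match(r"dir (\S+) priority (\d+)", line):
            policies[-1].update(dir=m[1], priority=int(m[2]))
        elif m := re.search(r"\breqid (\d+)", line):
            policies[-1]["reqid"] = int(m[1])
    return policies

def kernel_reqids(policies):
    """Every reqid some kernel policy still references."""
    return sorted({p["reqid"] for p in policies if p["reqid"] is not None})

def kernel_view(policies, src, dst, direction):
    """(priority, reqid) of each kernel policy for one selector and direction."""
    return sorted(((p["priority"], p["reqid"]) for p in policies
                   if (p["src"], p["dst"], p["dir"]) == (src, dst, direction)),
                  key=lambda t: t[0])

def charon_claim_matches_kernel(policies, src, dst, direction, claimed_reqid):
    """Does the reqid charon says already owns this policy appear in the kernel?"""
    return any(r == claimed_reqid for _, r in kernel_view(policies, src, dst, direction))
```

Run against the excerpt, the selector charon refuses (192.168.3.0/24 -> 192.168.0.0/16 fwd) has only the template-less priority-289760 entry in the kernel and reqid 265 is referenced nowhere, which is the mismatch between charon's policy bookkeeping and the kernel state the post describes.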

