[strongSwan] farp problem

Harald Dunkel harald.dunkel at aixigo.de
Wed Jun 28 16:22:43 CEST 2017


Hi folks,

Consider a road warrior setup (>20 peers online). Strongswan 5.5.3 on
Debian 8. The right addresses are grabbed via DHCP; farp is supposed
to answer the arp requests.

Problem is, sometimes farp ignores the arp requests for one (or more?)
IP address bound to a child SA.

I saw this on my IPsec gateway, for example:


# ipsec statusall
:
 IPSec-IKEv2[2772]: ESTABLISHED 85 minutes ago, 2001:db8:13b0:ffff::63[gate.example.com]...2001:db8:30:fff0:ed29:6621:7cf8:6387[ppcm005.example.de]
 IPSec-IKEv2[2772]: IKEv2 SPIs: b6cf4a195efbe943_i 90855da73ac9b14c_r*, public key reauthentication in 22 hours
 IPSec-IKEv2[2772]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
 IPSec-IKEv2{4107}:  INSTALLED, TUNNEL, reqid 2323, ESP SPIs: c68adec6_i 0bf997dc_o
 IPSec-IKEv2{4107}:  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 741797 bytes_i (5250 pkts, 0s ago), 1479117 bytes_o (1653 pkts, 1666s ago), rekeying in 21 minutes
 IPSec-IKEv2{4107}:   x.xxx.142.192/26 10.47.11.0/24 yy.yy.169.96/27 10.19.96.0/19 10.22.111.0/24 10.23.15.0/24 zzz.zz.32.0/27 === 10.19.97.55/32
:

The IP address bound to the peer is 10.19.97.55 in this case. tcpdump
shows the incoming arp requests, but they are not answered:


# tcpdump -i eth1 -env arp and host 10.19.97.55
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
15:12:17.654382 00:16:5a:xx:ce:a9 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.19.97.55 tell 10.19.96.124, length 46
15:12:17.785501 00:20:8c:xx:51:83 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.19.97.55 tell 10.19.96.11, length 46
15:12:18.805539 00:20:8c:xx:51:83 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.19.97.55 tell 10.19.96.11, length 46
15:12:19.869832 00:1e:67:xx:9b:a9 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.19.97.55 tell 10.19.98.253, length 46
15:12:20.677828 00:1e:67:xx:9b:a9 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.19.97.55 tell 10.19.98.253, length 46
15:12:20.826525 00:20:8c:xx:51:83 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.19.97.55 tell 10.19.96.11, length 46
15:12:21.676258 00:1e:67:xx:9b:a9 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.19.97.55 tell 10.19.98.253, length 46
15:12:21.845542 00:20:8c:xx:51:83 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.19.97.55 tell 10.19.96.11, length 46
15:12:22.869629 00:20:8c:xx:51:83 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.19.97.55 tell 10.19.96.11, length 46
15:12:23.611081 00:16:5a:xx:ce:a9 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.19.97.55 tell 10.19.96.124, length 46
15:12:24.610385 00:16:5a:xx:ce:a9 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.19.97.55 tell 10.19.96.124, length 46
^C
11 packets captured
12 packets received by filter
0 packets dropped by kernel

Farp answers the arp requests for the other road warrior IP addresses
(not shown here). "arp" on the gateway shows "incomplete" for all road
warrior IP addresses.

The problem in this example came up after more than 70 minutes uptime
of the IPsec connection to this peer (AFAIK). The peer is a Mac.


So far I haven't found a way to reproduce this problem, but it will
come back. Has anybody seen something similar?


Every helpful hint would be highly appreciated.
Harri
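
The diagnosis above boils down to correlating two things: the virtual IPs
that `ipsec statusall` lists on the remote side of each CHILD_SA, and the
ARP traffic that `tcpdump -env arp` sees on the LAN interface. The script
below is an added example (not from this post and not strongSwan's own
tooling) that does that correlation: it pulls every /32 remote traffic
selector out of statusall text, counts ARP requests and replies for each
such address in a tcpdump capture, and reports the addresses that were
asked for but never answered. It assumes only the statusall and
`tcpdump -env` line formats shown in the post; the sample inputs embedded
in it are constructed for the example (made-up MACs, a second CHILD_SA
for 10.19.97.56 that does get answered), not taken from the gateway.

```python
"""Correlate ARP requests with ARP replies per strongSwan virtual IP.

Added example, not strongSwan code. Reads the text of `ipsec statusall`
and of a `tcpdump -i <if> -env arp` capture and reports which remote /32
virtual IPs received ARP requests that nobody (farp included) answered.
"""
import re
import sys

# "local_ts === remote_ts" on a CHILD_SA line; road-warrior VIPs are the
# /32 hosts on the right of "===".
TS_RE = re.compile(r"===\s+(.*)$")
HOST32_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})/32")
# tcpdump -v ARP formats: "Request who-has A tell B" / "Reply A is-at MAC".
ARP_REQ_RE = re.compile(
    r"Request who-has (\d{1,3}(?:\.\d{1,3}){3}) tell (\d{1,3}(?:\.\d{1,3}){3})")
ARP_REPLY_RE = re.compile(
    r"Reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ([0-9a-f:]{17})")

# Constructed sample inputs, modelled on the post (MACs are made up).
SAMPLE_STATUSALL = """\
 IPSec-IKEv2{4107}:   10.19.96.0/19 10.22.111.0/24 === 10.19.97.55/32
 IPSec-IKEv2{4108}:   10.19.96.0/19 10.22.111.0/24 === 10.19.97.56/32
"""

SAMPLE_CAPTURE = """\
15:12:17.654382 00:16:5a:00:ce:a9 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.19.97.55 tell 10.19.96.124, length 46
15:12:17.785501 00:20:8c:00:51:83 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.19.97.55 tell 10.19.96.11, length 46
15:12:18.805539 00:20:8c:00:51:83 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.19.97.55 tell 10.19.96.11, length 46
15:12:19.100000 00:20:8c:00:51:83 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.19.97.56 tell 10.19.96.11, length 46
15:12:19.100400 00:0c:29:00:aa:bb > 00:20:8c:00:51:83, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Reply 10.19.97.56 is-at 00:0c:29:00:aa:bb, length 28
15:12:20.000000 00:16:5a:00:ce:a9 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.19.96.1 tell 10.19.96.124, length 46
"""


def virtual_ips(statusall_text):
    """Set of /32 hosts on the remote side of every CHILD_SA traffic selector."""
    vips = set()
    for line in statusall_text.splitlines():
        m = TS_RE.search(line)
        if m:
            vips.update(HOST32_RE.findall(m.group(1)))
    return vips


def arp_summary(capture_text, vips):
    """Per virtual IP: request count, reply count, who asked, who answered."""
    stats = {ip: {"requests": 0, "replies": 0, "askers": set(), "macs": set()}
             for ip in vips}
    for line in capture_text.splitlines():
        m = ARP_REQ_RE.search(line)
        if m and m.group(1) in stats:  # requests for non-VIPs are ignored
            stats[m.group(1)]["requests"] += 1
            stats[m.group(1)]["askers"].add(m.group(2))
            continue
        m = ARP_REPLY_RE.search(line)
        if m and m.group(1) in stats:
            stats[m.group(1)]["replies"] += 1
            stats[m.group(1)]["macs"].add(m.group(2))
    return stats


def unanswered_vips(statusall_text, capture_text):
    """Virtual IPs asked for at least once in the capture but never answered."""
    stats = arp_summary(capture_text, virtual_ips(statusall_text))
    return sorted(ip for ip, s in stats.items()
                  if s["requests"] and not s["replies"])


def contested_vips(statusall_text, capture_text):
    """Virtual IPs answered by more than one MAC: another host claims them."""
    stats = arp_summary(capture_text, virtual_ips(statusall_text))
    return sorted(ip for ip, s in stats.items() if len(s["macs"]) > 1)


if __name__ == "__main__":
    # Real use on the gateway:  ipsec statusall > status.txt
    #                           tcpdump -i eth1 -env arp > arp.txt
    #                           python3 farp_check.py status.txt arp.txt
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            status, capture = f.read(), g.read()
    else:
        status, capture = SAMPLE_STATUSALL, SAMPLE_CAPTURE
    for ip, s in sorted(arp_summary(capture, virtual_ips(status)).items()):
        print(f"{ip}: {s['requests']} requests from {sorted(s['askers'])}, "
              f"{s['replies']} replies from {sorted(s['macs'])}")
    print("unanswered:", unanswered_vips(status, capture))
    print("contested:", contested_vips(status, capture))
```

Run against real output, an address that appears in `unanswered` while its
CHILD_SA is still listed as INSTALLED is exactly the symptom in the post. The
`contested` check is the complementary case worth looking at first: a VIP
answered by two different MACs means some other host on the LAN (a leftover
lease, a misconfigured client) is claiming the address, which farp cannot fix.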
