[strongSwan] Lots of reconnections for a rekey/reauth, and packet drops
Hoggins!
hoggins at radiom.fr
Tue Nov 28 17:15:25 CET 2017
Hello,
We're experiencing something new on our installation, and we can't
figure out why. Here's the thing : we have NODE 1 and NODE 2
establishing tunnels (ipsec.conf follows), all working well. Except
every rekeying/reauth, we now lose packets.
Why now ? Well, we have restarted NODE 1, changing from a 4.4.8 to a
4.9.2 kernel, but Strongswan version did not change, it's still "Linux
strongSwan U5.5.1/K4.9.2". On NODE 2, version is "Linux strongSwan
U5.6.0/K4.13.4-200.fc26.x86_64".
Should we update the 5.5.1 one ? I mean we surely should, but is there
any know issue that could be caused by this version difference ?
On both sides, make_before_break is set to yes in charon.conf
Configuration on NODE 1 :
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=%forever
authby=secret
keyexchange=ikev2
mobike=no
reauth=no
ikedscp=101110
conn net-net
auto=start
left=%defaultroute
leftsubnet=192.168.22.0/24,192.168.35.0/24
leftid=netnetYomama
leftfirewall=yes
right=1.2.3.4
rightsubnet=192.168.55.0/24,192.168.33.0/24,192.168.66.0/24
closeaction=restart
dpdaction=restart
dpddelay=30s
dpdtimeout=120s
Configuration on NODE 2 :
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=%forever
authby=secret
keyexchange=ikev2
ikedscp=101110
conn net-net
left=1.2.3.4
leftsubnet=192.168.55.0/24,192.168.33.0/24,192.168.66.0/24
leftfirewall=yes
right=%any
rightsubnet=192.168.22.0/24
rightid=netnetYomama
auto=start
When we experience packet drops, this strange logging appears. It seems
that the rekeying is happening several times on the same minute even
though it succeeds :
Nov 28 16:52:29 yomama charon: 06[KNL] creating delete job for
CHILD_SA ESP/0xc4bd0735/192.168.1.72
Nov 28 16:52:29 yomama charon: 06[JOB] CHILD_SA
ESP/0xc4bd0735/192.168.1.72 not found for delete
Nov 28 16:52:29 yomama charon: 14[IKE] giving up after 5 retransmits
Nov 28 16:52:29 yomama charon: 14[IKE] restarting CHILD_SA net-net
Nov 28 16:52:29 yomama charon: 14[IKE] initiating IKE_SA net-net[5]
to 1.2.3.4
Nov 28 16:52:29 yomama charon: 14[ENC] generating IKE_SA_INIT
request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP)
N(HASH_ALG) N(REDIR_SUP) ]
Nov 28 16:52:29 yomama charon: 14[NET] sending packet: from
192.168.1.72[500] to 1.2.3.4[500] (804 bytes)
Nov 28 16:52:29 yomama charon: 14[CHD] updown: /bin/sh: ipsec:
command not found
Nov 28 16:52:29 yomama charon: 14[CHD] updown: /bin/sh: ipsec:
command not found
Nov 28 16:52:29 yomama charon: 14[CHD] updown: /bin/sh: ipsec:
command not found
Nov 28 16:52:29 yomama charon: 12[NET] received packet: from
1.2.3.4[500] to 192.168.1.72[500] (594 bytes)
Nov 28 16:52:29 yomama charon: 12[ENC] parsed IKE_SA_INIT response 0
[ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG)
N(MULT_AUTH) ]
Nov 28 16:52:29 yomama charon: 12[IKE] local host is behind NAT,
sending keep alives
Nov 28 16:52:29 yomama charon: 12[IKE] authentication of
'netnetYomama' (myself) with pre-shared key
Nov 28 16:52:29 yomama charon: 12[IKE] establishing CHILD_SA net-net{2}
Nov 28 16:52:29 yomama charon: 12[ENC] generating IKE_AUTH request 1
[ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Nov 28 16:52:29 yomama charon: 12[NET] sending packet: from
192.168.1.72[4500] to 1.2.3.4[4500] (432 bytes)
Nov 28 16:52:29 yomama charon: 10[NET] received packet: from
1.2.3.4[4500] to 192.168.1.72[4500] (256 bytes)
Nov 28 16:52:29 yomama charon: 10[ENC] parsed IKE_AUTH response 1 [
IDr AUTH SA TSi TSr N(AUTH_LFT) ]
Nov 28 16:52:29 yomama charon: 10[IKE] authentication of '1.2.3.4'
with pre-shared key successful
Nov 28 16:52:29 yomama charon: 10[IKE] IKE_SA net-net[5] established
between 192.168.1.72[netnetYomama]...1.2.3.4[1.2.3.4]
Nov 28 16:52:29 yomama charon: 10[IKE] scheduling rekeying in 3296s
Nov 28 16:52:29 yomama charon: 10[IKE] maximum IKE_SA lifetime 3476s
Nov 28 16:52:29 yomama charon: 10[IKE] CHILD_SA net-net{10}
established with SPIs cad1537d_i cfd5446b_o and TS 192.168.22.0/24
=== 192.168.33.0/24 192.168.55.0/24 192.168.66.0/24
Nov 28 16:52:29 yomama charon: 05[NET] received packet: from
1.2.3.4[4500] to 192.168.1.72[4500] (80 bytes)
Nov 28 16:52:29 yomama charon: 10[CHD] updown: /bin/sh: ipsec:
command not found
Nov 28 16:52:29 yomama charon: 10[CHD] updown: /bin/sh: ipsec:
command not found
Nov 28 16:52:29 yomama charon: 10[CHD] updown: /bin/sh: ipsec:
command not found
Nov 28 16:52:29 yomama charon: 10[IKE] received AUTH_LIFETIME of
3371s, scheduling reauthentication in 3191s
Nov 28 16:52:29 yomama charon: 05[ENC] parsed INFORMATIONAL request
2 [ D ]
Nov 28 16:52:29 yomama charon: 05[IKE] received DELETE for IKE_SA
net-net[4]
Nov 28 16:52:29 yomama charon: 05[IKE] deleting IKE_SA net-net[4]
between 192.168.1.72[netnetYomama]...1.2.3.4[1.2.3.4]
Nov 28 16:52:29 yomama charon: 05[IKE] restarting CHILD_SA net-net
Nov 28 16:52:29 yomama charon: 05[IKE] initiating IKE_SA net-net[6]
to 1.2.3.4
Nov 28 16:52:29 yomama charon: 05[ENC] generating IKE_SA_INIT
request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP)
N(HASH_ALG) N(REDIR_SUP) ]
Nov 28 16:52:29 yomama charon: 05[NET] sending packet: from
192.168.1.72[500] to 1.2.3.4[500] (804 bytes)
Nov 28 16:52:29 yomama charon: 05[IKE] IKE_SA deleted
Nov 28 16:52:29 yomama charon: 05[CHD] updown: /bin/sh: ipsec:
command not found
Nov 28 16:52:29 yomama charon: 05[CHD] updown: /bin/sh: ipsec:
command not found
Nov 28 16:52:29 yomama charon: 05[CHD] updown: /bin/sh: ipsec:
command not found
Nov 28 16:52:29 yomama charon: 05[ENC] generating INFORMATIONAL
response 2 [ ]
Nov 28 16:52:29 yomama charon: 05[NET] sending packet: from
192.168.1.72[4500] to 1.2.3.4[4500] (80 bytes)
Nov 28 16:52:29 yomama charon: 06[NET] received packet: from
1.2.3.4[4500] to 192.168.1.72[4500] (80 bytes)
Nov 28 16:52:29 yomama charon: 06[ENC] parsed INFORMATIONAL request
0 [ D ]
Nov 28 16:52:29 yomama charon: 06[IKE] received DELETE for IKE_SA
net-net[5]
Nov 28 16:52:29 yomama charon: 06[IKE] deleting IKE_SA net-net[5]
between 192.168.1.72[netnetYomama]...1.2.3.4[1.2.3.4]
Nov 28 16:52:29 yomama charon: 06[IKE] restarting CHILD_SA net-net
Nov 28 16:52:29 yomama charon: 06[IKE] initiating IKE_SA net-net[7]
to 1.2.3.4
Nov 28 16:52:29 yomama charon: 11[NET] received packet: from
1.2.3.4[500] to 192.168.1.72[500] (594 bytes)
Nov 28 16:52:29 yomama charon: 11[ENC] parsed IKE_SA_INIT response 0
[ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG)
N(MULT_AUTH) ]
Nov 28 16:52:29 yomama charon: 11[IKE] local host is behind NAT,
sending keep alives
Nov 28 16:52:29 yomama charon: 11[IKE] authentication of
'netnetYomama' (myself) with pre-shared key
Nov 28 16:52:29 yomama charon: 11[IKE] establishing CHILD_SA net-net{2}
Nov 28 16:52:29 yomama charon: 11[ENC] generating IKE_AUTH request 1
[ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Nov 28 16:52:29 yomama charon: 11[NET] sending packet: from
192.168.1.72[4500] to 1.2.3.4[4500] (432 bytes)
Nov 28 16:52:29 yomama charon: 06[ENC] generating IKE_SA_INIT
request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP)
N(HASH_ALG) N(REDIR_SUP) ]
Nov 28 16:52:29 yomama charon: 06[NET] sending packet: from
192.168.1.72[500] to 1.2.3.4[500] (804 bytes)
Nov 28 16:52:29 yomama charon: 06[IKE] IKE_SA deleted
Nov 28 16:52:29 yomama charon: 06[CHD] updown: /bin/sh: ipsec:
command not found
Nov 28 16:52:29 yomama charon: 06[CHD] updown: /bin/sh: ipsec:
command not found
Nov 28 16:52:29 yomama charon: 06[CHD] updown: /bin/sh: ipsec:
command not found
Nov 28 16:52:29 yomama charon: 06[ENC] generating INFORMATIONAL
response 0 [ ]
Nov 28 16:52:29 yomama charon: 06[NET] sending packet: from
192.168.1.72[4500] to 1.2.3.4[4500] (80 bytes)
Nov 28 16:52:29 yomama charon: 14[NET] received packet: from
1.2.3.4[4500] to 192.168.1.72[4500] (256 bytes)
Nov 28 16:52:29 yomama charon: 14[ENC] parsed IKE_AUTH response 1 [
IDr AUTH SA TSi TSr N(AUTH_LFT) ]
Nov 28 16:52:29 yomama charon: 14[IKE] authentication of '1.2.3.4'
with pre-shared key successful
Nov 28 16:52:29 yomama charon: 14[IKE] IKE_SA net-net[6] established
between 192.168.1.72[netnetYomama]...1.2.3.4[1.2.3.4]
Nov 28 16:52:29 yomama charon: 14[IKE] scheduling rekeying in 3398s
Nov 28 16:52:29 yomama charon: 14[IKE] maximum IKE_SA lifetime 3578s
Nov 28 16:52:29 yomama charon: 06[NET] received packet: from
1.2.3.4[500] to 192.168.1.72[500] (594 bytes)
Nov 28 16:52:29 yomama charon: 06[ENC] parsed IKE_SA_INIT response 0
[ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG)
N(MULT_AUTH) ]
Nov 28 16:52:29 yomama charon: 14[IKE] CHILD_SA net-net{11}
established with SPIs cc5e352f_i cf455c05_o and TS 192.168.22.0/24
=== 192.168.33.0/24 192.168.55.0/24 192.168.66.0/24
Nov 28 16:52:29 yomama charon: 14[CHD] updown: /bin/sh: ipsec:
command not found
Nov 28 16:52:29 yomama charon: 14[CHD] updown: /bin/sh: ipsec:
command not found
Nov 28 16:52:29 yomama charon: 14[CHD] updown: /bin/sh: ipsec:
command not found
Nov 28 16:52:29 yomama charon: 14[IKE] received AUTH_LIFETIME of
3343s, scheduling reauthentication in 3163s
Nov 28 16:52:29 yomama charon: 06[IKE] local host is behind NAT,
sending keep alives
Nov 28 16:52:29 yomama charon: 06[IKE] authentication of
'netnetYomama' (myself) with pre-shared key
Nov 28 16:52:29 yomama charon: 06[IKE] establishing CHILD_SA net-net{2}
Nov 28 16:52:29 yomama charon: 06[ENC] generating IKE_AUTH request 1
[ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Nov 28 16:52:29 yomama charon: 06[NET] sending packet: from
192.168.1.72[4500] to 1.2.3.4[4500] (432 bytes)
Nov 28 16:52:29 yomama charon: 05[NET] received packet: from
1.2.3.4[4500] to 192.168.1.72[4500] (80 bytes)
Nov 28 16:52:29 yomama charon: 05[ENC] parsed INFORMATIONAL request
0 [ D ]
Nov 28 16:52:29 yomama charon: 05[IKE] received DELETE for IKE_SA
net-net[6]
Nov 28 16:52:29 yomama charon: 05[IKE] deleting IKE_SA net-net[6]
between 192.168.1.72[netnetYomama]...1.2.3.4[1.2.3.4]
Nov 28 16:52:29 yomama charon: 05[IKE] restarting CHILD_SA net-net
Nov 28 16:52:29 yomama charon: 05[IKE] initiating IKE_SA net-net[8]
to 1.2.3.4
Nov 28 16:52:29 yomama charon: 05[ENC] generating IKE_SA_INIT
request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP)
N(HASH_ALG) N(REDIR_SUP) ]
Nov 28 16:52:29 yomama charon: 05[NET] sending packet: from
192.168.1.72[500] to 1.2.3.4[500] (804 bytes)
Nov 28 16:52:29 yomama charon: 05[IKE] IKE_SA deleted
Nov 28 16:52:29 yomama charon: 05[CHD] updown: /bin/sh: ipsec:
command not found
Nov 28 16:52:29 yomama charon: 05[CHD] updown: /bin/sh: ipsec:
command not found
Nov 28 16:52:29 yomama charon: 05[CHD] updown: /bin/sh: ipsec:
command not found
Nov 28 16:52:29 yomama charon: 05[ENC] generating INFORMATIONAL
response 0 [ ]
Nov 28 16:52:29 yomama charon: 05[NET] sending packet: from
192.168.1.72[4500] to 1.2.3.4[4500] (80 bytes)
Nov 28 16:52:29 yomama charon: 10[NET] received packet: from
1.2.3.4[4500] to 192.168.1.72[4500] (256 bytes)
Nov 28 16:52:29 yomama charon: 10[ENC] parsed IKE_AUTH response 1 [
IDr AUTH SA TSi TSr N(AUTH_LFT) ]
Nov 28 16:52:29 yomama charon: 10[IKE] authentication of '1.2.3.4'
with pre-shared key successful
Nov 28 16:52:29 yomama charon: 10[IKE] IKE_SA net-net[7] established
between 192.168.1.72[netnetYomama]...1.2.3.4[1.2.3.4]
Nov 28 16:52:29 yomama charon: 10[IKE] scheduling rekeying in 3398s
Nov 28 16:52:29 yomama charon: 10[IKE] maximum IKE_SA lifetime 3578s
Nov 28 16:52:29 yomama charon: 10[IKE] CHILD_SA net-net{12}
established with SPIs ccb73d33_i c1271759_o and TS 192.168.22.0/24
=== 192.168.33.0/24 192.168.55.0/24 192.168.66.0/24
Nov 28 16:52:29 yomama charon: 10[CHD] updown: /bin/sh: ipsec:
command not found
Nov 28 16:52:29 yomama charon: 10[CHD] updown: /bin/sh: ipsec:
command not found
Nov 28 16:52:29 yomama charon: 10[CHD] updown: /bin/sh: ipsec:
command not found
Nov 28 16:52:29 yomama charon: 10[IKE] received AUTH_LIFETIME of
3282s, scheduling reauthentication in 3102s
Nov 28 16:52:29 yomama charon: 08[NET] received packet: from
1.2.3.4[4500] to 192.168.1.72[4500] (80 bytes)
Nov 28 16:52:29 yomama charon: 08[ENC] parsed INFORMATIONAL request
0 [ D ]
Nov 28 16:52:29 yomama charon: 08[IKE] received DELETE for IKE_SA
net-net[7]
Nov 28 16:52:29 yomama charon: 08[IKE] deleting IKE_SA net-net[7]
between 192.168.1.72[netnetYomama]...1.2.3.4[1.2.3.4]
Nov 28 16:52:29 yomama charon: 08[IKE] restarting CHILD_SA net-net
Nov 28 16:52:29 yomama charon: 08[IKE] initiating IKE_SA net-net[9]
to 1.2.3.4
Nov 28 16:52:29 yomama charon: 14[NET] received packet: from
1.2.3.4[500] to 192.168.1.72[500] (594 bytes)
Nov 28 16:52:29 yomama charon: 14[ENC] parsed IKE_SA_INIT response 0
[ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG)
N(MULT_AUTH) ]
Nov 28 16:52:29 yomama charon: 08[ENC] generating IKE_SA_INIT
request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP)
N(HASH_ALG) N(REDIR_SUP) ]
Nov 28 16:52:29 yomama charon: 08[NET] sending packet: from
192.168.1.72[500] to 1.2.3.4[500] (804 bytes)
Nov 28 16:52:29 yomama charon: 08[IKE] IKE_SA deleted
Nov 28 16:52:29 yomama charon: 08[CHD] updown: /bin/sh: ipsec:
command not found
Nov 28 16:52:29 yomama charon: 08[CHD] updown: /bin/sh: ipsec:
command not found
Nov 28 16:52:29 yomama charon: 08[CHD] updown: /bin/sh: ipsec:
command not found
Nov 28 16:52:29 yomama charon: 08[ENC] generating INFORMATIONAL
response 0 [ ]
Nov 28 16:52:29 yomama charon: 08[NET] sending packet: from
192.168.1.72[4500] to 1.2.3.4[4500] (80 bytes)
Nov 28 16:52:29 yomama charon: 14[IKE] local host is behind NAT,
sending keep alives
Nov 28 16:52:29 yomama charon: 14[IKE] authentication of
'netnetYomama' (myself) with pre-shared key
Nov 28 16:52:29 yomama charon: 14[IKE] establishing CHILD_SA net-net{3}
Nov 28 16:52:29 yomama charon: 14[ENC] generating IKE_AUTH request 1
[ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Nov 28 16:52:29 yomama charon: 14[NET] sending packet: from
192.168.1.72[4500] to 1.2.3.4[4500] (432 bytes)
Nov 28 16:52:30 yomama charon: 13[NET] received packet: from
1.2.3.4[500] to 192.168.1.72[500] (594 bytes)
Nov 28 16:52:30 yomama charon: 13[ENC] parsed IKE_SA_INIT response 0
[ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG)
N(MULT_AUTH) ]
Nov 28 16:52:30 yomama charon: 13[IKE] local host is behind NAT,
sending keep alives
Nov 28 16:52:30 yomama charon: 13[IKE] authentication of
'netnetYomama' (myself) with pre-shared key
Nov 28 16:52:30 yomama charon: 13[IKE] establishing CHILD_SA net-net{4}
Nov 28 16:52:30 yomama charon: 13[ENC] generating IKE_AUTH request 1
[ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Nov 28 16:52:30 yomama charon: 13[NET] sending packet: from
192.168.1.72[4500] to 1.2.3.4[4500] (432 bytes)
Nov 28 16:52:30 yomama charon: 09[NET] received packet: from
1.2.3.4[4500] to 192.168.1.72[4500] (256 bytes)
Nov 28 16:52:30 yomama charon: 09[ENC] parsed IKE_AUTH response 1 [
IDr AUTH SA TSi TSr N(AUTH_LFT) ]
Nov 28 16:52:30 yomama charon: 09[IKE] authentication of '1.2.3.4'
with pre-shared key successful
Nov 28 16:52:30 yomama charon: 09[IKE] IKE_SA net-net[8] established
between 192.168.1.72[netnetYomama]...1.2.3.4[1.2.3.4]
Nov 28 16:52:30 yomama charon: 09[IKE] scheduling rekeying in 3365s
Nov 28 16:52:30 yomama charon: 09[IKE] maximum IKE_SA lifetime 3545s
Nov 28 16:52:30 yomama charon: 09[IKE] CHILD_SA net-net{13}
established with SPIs c387f914_i c8e8c66a_o and TS 192.168.22.0/24
=== 192.168.33.0/24 192.168.55.0/24 192.168.66.0/24
Nov 28 16:52:30 yomama charon: 09[CHD] updown: /bin/sh: ipsec:
command not found
Nov 28 16:52:30 yomama charon: 09[CHD] updown: /bin/sh: ipsec:
command not found
Nov 28 16:52:30 yomama charon: 09[CHD] updown: /bin/sh: ipsec:
command not found
Nov 28 16:52:30 yomama charon: 09[IKE] received AUTH_LIFETIME of
3277s, scheduling reauthentication in 3097s
Nov 28 16:52:30 yomama charon: 11[NET] received packet: from
1.2.3.4[4500] to 192.168.1.72[4500] (256 bytes)
Nov 28 16:52:30 yomama charon: 11[ENC] parsed IKE_AUTH response 1 [
IDr AUTH SA TSi TSr N(AUTH_LFT) ]
Nov 28 16:52:30 yomama charon: 11[IKE] authentication of '1.2.3.4'
with pre-shared key successful
Nov 28 16:52:30 yomama charon: 11[IKE] IKE_SA net-net[9] established
between 192.168.1.72[netnetYomama]...1.2.3.4[1.2.3.4]
Nov 28 16:52:30 yomama charon: 11[IKE] scheduling rekeying in 3245s
Nov 28 16:52:30 yomama charon: 11[IKE] maximum IKE_SA lifetime 3425s
Nov 28 16:52:30 yomama charon: 11[IKE] CHILD_SA net-net{14}
established with SPIs cb820599_i cbf3f93f_o and TS 192.168.22.0/24
=== 192.168.33.0/24 192.168.55.0/24 192.168.66.0/24
Nov 28 16:52:30 yomama charon: 11[CHD] updown: /bin/sh: ipsec:
command not found
Nov 28 16:52:30 yomama charon: 11[CHD] updown: /bin/sh: ipsec:
command not found
Nov 28 16:52:30 yomama charon: 11[CHD] updown: /bin/sh: ipsec:
command not found
Any idea, even suggestion on our ipsec.conf files that were made
according to several examples and might contain some absurd values, will
be greatly appreciated !
Thanks !
Hoggins!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 191 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171128/9d18bd97/attachment.sig>
More information about the Users
mailing list