[strongSwan] child_sa not dropped the ike_sa are deleted
Marco Berizzi
pupilla at hotmail.com
Mon Jan 29 11:41:28 CET 2018
Hello everyone,
I'm running strongswan 5.6.1 on slackware linux 64 bit
I have found a problem with my setup. The down_client:)
in the updown script is not executed when the IKE_SA is
dropped. Here is my config setup:
conn rw-generali
        right=%any
        compress=yes
        leftupdown=/etc/ipsec.d/updown/_updown.strongswan.X11
        keylife=10h
        ikelifetime=12h
        rekey=yes
        keyingtries=1
        ike=aes128-sha1-modp1024,aes128-sha1-modp2048,aes256-sha384-ecp384
        esp=aes128-sha1-modp1024,aes128-sha1-modp2048,aes256-sha256-ecp384
        rightsubnet=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/10

conn rw-generali-10.180.0.0_internal
        also=rw-generali
        auto=add
        leftsubnet=10.180.0.0/16
        left=10.81.110.254

conn rw-generali-10.177.0.0_internal
        also=rw-generali
        auto=add
        leftsubnet=10.177.0.0/16
        left=10.81.110.254
Here is the relevant log when the IKE_SA is dropped:
Jan 26 21:38:14 Pleiadi charon: 08[IKE] initiator did not reauthenticate as requested
Jan 26 21:38:14 Pleiadi charon: 08[IKE] reauthenticating IKE_SA rw-generali-10.180.0.0_internal[17] actively
Jan 26 21:38:14 Pleiadi charon: 08[IKE] initiating Main Mode IKE_SA rw-generali-10.180.0.0_internal[94] to 10.81.126.175
Jan 26 21:38:14 Pleiadi charon: 08[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Jan 26 21:38:14 Pleiadi charon: 08[NET] sending packet: from 10.81.110.254[500] to 10.81.126.175[500] (312 bytes)
Jan 26 21:38:18 Pleiadi charon: 15[IKE] sending retransmit 1 of request message ID 0, seq 1
Jan 26 21:38:18 Pleiadi charon: 15[NET] sending packet: from 10.81.110.254[500] to 10.81.126.175[500] (312 bytes)
Jan 26 21:38:25 Pleiadi charon: 12[IKE] sending retransmit 2 of request message ID 0, seq 1
Jan 26 21:38:25 Pleiadi charon: 12[NET] sending packet: from 10.81.110.254[500] to 10.81.126.175[500] (312 bytes)
Jan 26 21:38:38 Pleiadi charon: 13[IKE] sending retransmit 3 of request message ID 0, seq 1
Jan 26 21:38:38 Pleiadi charon: 13[NET] sending packet: from 10.81.110.254[500] to 10.81.126.175[500] (312 bytes)
[...]
Jan 26 21:47:14 Pleiadi charon: 13[IKE] deleting IKE_SA rw-generali-10.180.0.0_internal[17] between 10.81.110.254[CN=strongSWAN]...10.81.126.175[CN=Maddalena]
Jan 26 21:47:14 Pleiadi charon: 13[IKE] sending DELETE for IKE_SA rw-generali-10.180.0.0_internal[17]
Jan 26 21:47:14 Pleiadi charon: 13[ENC] generating INFORMATIONAL_V1 request 1418042332 [ HASH D ]
Jan 26 21:47:14 Pleiadi charon: 13[NET] sending packet: from 10.81.110.254[500] to 10.81.126.175[500] (92 bytes)
As you may see, the mobile user's CHILD_SAs are not dropped,
because strongswan is not logging the '-' at Jan 26 21:47:14.
Only the IKE_SA is dropped.
Jan 26 17:57:45 Pleiadi vpn: + CN=Maddalena 10.81.126.175 -- 10.81.110.254 == 10.180.0.0/16
Jan 26 17:58:08 Pleiadi vpn: + CN=Maddalena 10.81.126.175 -- 10.81.110.254 == 10.177.0.0/16
Jan 29 08:59:30 Pleiadi vpn: + CN=Maddalena 10.81.126.175 -- 10.81.110.254 == 10.180.0.0/16
Jan 29 09:09:34 Pleiadi vpn: + CN=Maddalena 10.81.126.175 -- 10.81.110.254 == 10.177.0.0/16
Jan 29 09:15:20 Pleiadi vpn: - CN=Maddalena 10.81.126.175 -- 10.81.110.254 == 10.177.0.0/16
Jan 29 09:18:21 Pleiadi vpn: + CN=Maddalena 10.81.126.175 -- 10.81.110.254 == 10.177.0.0/16
Jan 29 09:23:55 Pleiadi vpn: - CN=Maddalena 10.81.126.175 -- 10.81.110.254 == 10.177.0.0/16
Jan 29 09:58:09 Pleiadi vpn: + CN=Maddalena 10.81.126.175 -- 10.81.110.254 == 10.177.0.0/16
Is this the expected behaviour?
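The practical risk in a case like the one above is a stale rule: where the updown script adds a firewall rule on up-client and removes it on down-client (as the stock _updown does), a CHILD_SA whose '-' never fires leaves that rule in place after the peer is gone. The following is an added example, not code from the original post or from strongSwan, that reconciles the '+' and '-' lines of an updown log and reports CHILD_SAs still counted as up. It assumes the exact `vpn: + ID PEER -- ME == SUBNET` line format shown in the post; the sample lines are copied from it and the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the updown-script log lines quoted in the post.
SAMPLE_LOG = """\
Jan 26 17:57:45 Pleiadi vpn: + CN=Maddalena 10.81.126.175 -- 10.81.110.254 == 10.180.0.0/16
Jan 26 17:58:08 Pleiadi vpn: + CN=Maddalena 10.81.126.175 -- 10.81.110.254 == 10.177.0.0/16
Jan 29 08:59:30 Pleiadi vpn: + CN=Maddalena 10.81.126.175 -- 10.81.110.254 == 10.180.0.0/16
Jan 29 09:09:34 Pleiadi vpn: + CN=Maddalena 10.81.126.175 -- 10.81.110.254 == 10.177.0.0/16
Jan 29 09:15:20 Pleiadi vpn: - CN=Maddalena 10.81.126.175 -- 10.81.110.254 == 10.177.0.0/16
Jan 29 09:18:21 Pleiadi vpn: + CN=Maddalena 10.81.126.175 -- 10.81.110.254 == 10.177.0.0/16
Jan 29 09:23:55 Pleiadi vpn: - CN=Maddalena 10.81.126.175 -- 10.81.110.254 == 10.177.0.0/16
Jan 29 09:58:09 Pleiadi vpn: + CN=Maddalena 10.81.126.175 -- 10.81.110.254 == 10.177.0.0/16
"""

# syslog timestamp, host, "vpn:" tag, then "+"/"-" and the SA description.
# The peer identity is matched non-greedily so a DN containing spaces still parses.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ vpn: "
    r"(?P<op>[+-]) (?P<peer_id>.+?) (?P<peer_ip>\S+) -- (?P<local_ip>\S+) == (?P<subnet>\S+)$"
)


def parse_events(text):
    """Return the updown events found in text, in file order, as dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def reconcile(events):
    """Pair every '-' with an outstanding '+' for the same CHILD_SA key.

    The log carries no SA identifier, so pairing is by count (oldest '+' first).
    Returns (dangling, orphan_downs): dangling maps each key to the timestamps
    of '+' events that never got a matching '-', i.e. the up-client calls whose
    down-client never ran; orphan_downs lists '-' events with nothing to match.
    """
    open_ups = defaultdict(list)
    orphan_downs = []
    for ev in events:
        key = (ev["peer_id"], ev["peer_ip"], ev["local_ip"], ev["subnet"])
        if ev["op"] == "+":
            open_ups[key].append(ev["ts"])
        elif open_ups[key]:
            open_ups[key].pop(0)
        else:
            orphan_downs.append((key, ev["ts"]))
    dangling = {k: ts for k, ts in open_ups.items() if ts}
    return dangling, orphan_downs


def report(text):
    """Human-readable summary: one line per CHILD_SA still counted as up."""
    dangling, orphans = reconcile(parse_events(text))
    lines = []
    for (peer_id, peer_ip, local_ip, subnet), stamps in sorted(dangling.items()):
        lines.append(f"{len(stamps)} up without down: {peer_id} {peer_ip} -- "
                     f"{local_ip} == {subnet} (since {stamps[0]})")
    for (peer_id, peer_ip, local_ip, subnet), ts in orphans:
        lines.append(f"down without up at {ts}: {peer_id} {subnet}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it against the real log (`python3 reconcile_updown.py < /var/log/messages` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) and compare the dangling keys with `ipsec status` and the FORWARD chain: an entry listed here that no longer appears in `ipsec status` is exactly a rule the down-client branch was supposed to remove.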