[strongSwan] infinite loop for ipsec up/down command

Marco Berizzi pupilla at hotmail.com
Fri Mar 23 15:21:01 CET 2018


Hello everyone,

I'm running strongswan 5.6.2 on Slackware linux 64 bit

I'm experiencing a pretty strange behavior with an
ipsec tunnel.

When I issue for the first time the 'ipsec up' command
I get:

ipsec up customer-10.14.143.0

initiating IKE_SA customer-10.14.143.0[21570] to 193.104.231.4
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 205.223.229.254[500] to 193.104.231.4[500] (844 bytes)
received packet: from 193.104.231.4[500] to 205.223.229.254[500] (268 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(CHDLESS_SUP) ]
remote host is behind NAT
authentication of '205.223.229.254' (myself) with pre-shared key
establishing CHILD_SA customer-10.14.143.0{13527}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 205.223.229.254[4500] to 193.104.231.4[4500] (384 bytes)
received packet: from 193.104.231.4[4500] to 205.223.229.254[4500] (272 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH N(CRASH_DET) SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
authentication of '193.104.231.4' with pre-shared key successful
IKE_SA customer-10.14.143.0[21570] established between 205.223.229.254[205.223.229.254]...193.104.231.4[193.104.231.4]
scheduling reauthentication in 13519s
maximum IKE_SA lifetime 14059s
received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
CHILD_SA customer-10.14.143.0{13527} established with SPIs cce55dc7_i f0a09095_o and TS 10.68.63.3/32 === 10.14.143.0/24
connection 'customer-10.14.143.0' established successfully

If I try to run the same 'ipsec up' again, strongswan
enters an infinite loop:

ipsec up customer-10.14.143.0

establishing CHILD_SA customer-10.14.143.0{13530}
generating CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]
sending packet: from 205.223.229.254[4500] to 193.104.231.4[4500] (416 bytes)
received packet: from 193.104.231.4[4500] to 205.223.229.254[4500] (80 bytes)
parsed CREATE_CHILD_SA response 2 [ N(INVAL_KE) ]
peer didn't accept DH group ECP_384, it requested ECP_384
establishing CHILD_SA customer-10.14.143.0{13531}
generating CREATE_CHILD_SA request 3 [ SA No KE TSi TSr ]
sending packet: from 205.223.229.254[4500] to 193.104.231.4[4500] (416 bytes)
received packet: from 193.104.231.4[4500] to 205.223.229.254[4500] (80 bytes)
parsed CREATE_CHILD_SA response 3 [ N(INVAL_KE) ]
peer didn't accept DH group ECP_384, it requested ECP_384
establishing CHILD_SA customer-10.14.143.0{13532}
generating CREATE_CHILD_SA request 4 [ SA No KE TSi TSr ]
sending packet: from 205.223.229.254[4500] to 193.104.231.4[4500] (416 bytes)
received packet: from 193.104.231.4[4500] to 205.223.229.254[4500] (80 bytes)
parsed CREATE_CHILD_SA response 4 [ N(INVAL_KE) ]
peer didn't accept DH group ECP_384, it requested ECP_384
establishing CHILD_SA customer-10.14.143.0{13533}
generating CREATE_CHILD_SA request 5 [ SA No KE TSi TSr ]
sending packet: from 205.223.229.254[4500] to 193.104.231.4[4500] (416 bytes)
received packet: from 193.104.231.4[4500] to 205.223.229.254[4500] (80 bytes)
parsed CREATE_CHILD_SA response 5 [ N(INVAL_KE) ]
peer didn't accept DH group ECP_384, it requested ECP_384
establishing CHILD_SA customer-10.14.143.0{13534}
generating CREATE_CHILD_SA request 6 [ SA No KE TSi TSr ]
sending packet: from 205.223.229.254[4500] to 193.104.231.4[4500] (416 bytes)
received packet: from 193.104.231.4[4500] to 205.223.229.254[4500] (80 bytes)
parsed CREATE_CHILD_SA response 6 [ N(INVAL_KE) ]
peer didn't accept DH group ECP_384, it requested ECP_384
establishing CHILD_SA customer-10.14.143.0{13535}
[...]

until I press Ctrl+C.

If I try to issue the 'ipsec down' command I get the
same infinite output:

ipsec down customer-10.14.143.0

received packet: from 193.104.231.4[4500] to 205.223.229.254[4500] (80 bytes)
parsed CREATE_CHILD_SA response 353 [ N(INVAL_KE) ]
peer didn't accept DH group ECP_384, it requested ECP_384
establishing CHILD_SA customer-10.14.143.0{13882}
generating CREATE_CHILD_SA request 354 [ SA No KE TSi TSr ]
sending packet: from 205.223.229.254[4500] to 193.104.231.4[4500] (416 bytes)
received packet: from 193.104.231.4[4500] to 205.223.229.254[4500] (80 bytes)
parsed CREATE_CHILD_SA response 354 [ N(INVAL_KE) ]
peer didn't accept DH group ECP_384, it requested ECP_384
establishing CHILD_SA customer-10.14.143.0{13883}
generating CREATE_CHILD_SA request 355 [ SA No KE TSi TSr ]
sending packet: from 205.223.229.254[4500] to 193.104.231.4[4500] (416 bytes)
received packet: from 193.104.231.4[4500] to 205.223.229.254[4500] (80 bytes)
parsed CREATE_CHILD_SA response 355 [ N(INVAL_KE) ]
peer didn't accept DH group ECP_384, it requested ECP_384
establishing CHILD_SA customer-10.14.143.0{13884}
generating CREATE_CHILD_SA request 356 [ SA No KE TSi TSr ]
sending packet: from 205.223.229.254[4500] to 193.104.231.4[4500] (416 bytes)
received packet: from 193.104.231.4[4500] to 205.223.229.254[4500] (80 bytes)
parsed CREATE_CHILD_SA response 356 [ N(INVAL_KE) ]
peer didn't accept DH group ECP_384, it requested ECP_384
establishing CHILD_SA customer-10.14.143.0{13885}
generating CREATE_CHILD_SA request 357 [ SA No KE TSi TSr ]
sending packet: from 205.223.229.254[4500] to 193.104.231.4[4500] (416 bytes)
received packet: from 193.104.231.4[4500] to 205.223.229.254[4500] (80 bytes)
parsed CREATE_CHILD_SA response 357 [ N(INVAL_KE) ]
[...]

Could it be a strongswan bug?
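The loop shown above has a recognisable signature: every CREATE_CHILD_SA exchange ends in an INVALID_KE_PAYLOAD notify naming the very DH group the initiator already proposed, and the initiator retries with that same group. Under RFC 7296 the notify tells the initiator which group to use instead, so a reply that requests the group already sent is a retry that cannot succeed, and a run of them is a stuck negotiation rather than a normal one-time group correction. The following Python script is an added example, not part of the original post and not strongSwan's own tooling: it scans charon log lines of the kind quoted above, counts per connection how many INVALID_KE replies asked for the group already proposed, resets the count when a CHILD_SA is actually established, and flags a connection once the count reaches a threshold. The log text is a constructed sample modelled on the lines in the post (message ids and the second, healthy sample are made up).

```python
import re
from collections import Counter

# Constructed sample modelled on the output in the post: three rounds of
# CREATE_CHILD_SA, each rejected with INVAL_KE naming the group already proposed.
SAMPLE_LOG = """\
establishing CHILD_SA customer-10.14.143.0{13530}
generating CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]
parsed CREATE_CHILD_SA response 2 [ N(INVAL_KE) ]
peer didn't accept DH group ECP_384, it requested ECP_384
establishing CHILD_SA customer-10.14.143.0{13531}
generating CREATE_CHILD_SA request 3 [ SA No KE TSi TSr ]
parsed CREATE_CHILD_SA response 3 [ N(INVAL_KE) ]
peer didn't accept DH group ECP_384, it requested ECP_384
establishing CHILD_SA customer-10.14.143.0{13532}
generating CREATE_CHILD_SA request 4 [ SA No KE TSi TSr ]
parsed CREATE_CHILD_SA response 4 [ N(INVAL_KE) ]
peer didn't accept DH group ECP_384, it requested ECP_384
"""

# Constructed healthy sample: one legitimate group correction, then success.
HEALTHY_LOG = """\
establishing CHILD_SA demo{1}
parsed CREATE_CHILD_SA response 2 [ N(INVAL_KE) ]
peer didn't accept DH group ECP_256, it requested ECP_384
establishing CHILD_SA demo{2}
CHILD_SA demo{2} established with SPIs 01020304_i 05060708_o and TS 10.0.0.1/32 === 10.0.1.0/24
"""

# Patterns for the three charon messages the analysis depends on.
ESTABLISHING_RE = re.compile(r"establishing CHILD_SA (?P<conn>[^{]+)\{\d+\}")
ESTABLISHED_RE = re.compile(r"CHILD_SA (?P<conn>[^{]+)\{\d+\} established")
INVAL_KE_RE = re.compile(
    r"peer didn't accept DH group (?P<proposed>\S+), it requested (?P<requested>\S+)"
)


def analyze(log_text, max_same_group=3):
    """Scan charon output for a CREATE_CHILD_SA / INVALID_KE loop.

    Returns a dict with:
      attempts   - per connection, 'establishing CHILD_SA' lines since the last success
      same_group - per connection, INVALID_KE replies whose requested group equals
                   the group already proposed (a retry that cannot succeed)
      stuck      - connections whose same_group count reached max_same_group
    """
    attempts = Counter()
    same_group = Counter()
    current = None  # connection name of the CHILD_SA currently being negotiated
    for line in log_text.splitlines():
        m = ESTABLISHING_RE.search(line)
        if m:
            current = m.group("conn").strip()
            attempts[current] += 1
            continue
        m = ESTABLISHED_RE.search(line)
        if m:
            # A CHILD_SA came up: whatever bouncing preceded it was not a loop.
            conn = m.group("conn").strip()
            attempts[conn] = 0
            same_group[conn] = 0
            continue
        m = INVAL_KE_RE.search(line)
        if m and current is not None:
            # A requested group different from the proposed one is the normal
            # RFC 7296 correction; the same group again is the loop signature.
            if m.group("proposed") == m.group("requested"):
                same_group[current] += 1
    stuck = sorted(c for c, n in same_group.items() if n >= max_same_group)
    return {"attempts": dict(attempts), "same_group": dict(same_group), "stuck": stuck}


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_LOG), ("healthy", HEALTHY_LOG)):
        result = analyze(text)
        print(name, "stuck:", result["stuck"], "attempts:", result["attempts"])
```

Run it against a captured `ipsec up` transcript or the charon log (`analyze(open(path).read())`); a non-empty `stuck` list is the condition to alert on, and the threshold is deliberately low because a correct initiator should never repeat the same group even once after an INVALID_KE_PAYLOAD naming it.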