[strongSwan] Multiple ChildSA
Naveen Neelakanta
naveen.b.neelakanta at gmail.com
Tue May 8 20:36:39 CEST 2018
Hi All,
I am using IKEv1 and I see multiple ChildSAs INSTALLED; I have
enabled make-before-break.
I am not able to reproduce this issue. But when this happens my traffic is
affected. Below is the config with which I am trying to reproduce it.
{ "_ts": "2018-05-08T18:30:02.718Z", "_prog": "charon", "_msgid": "@Dr_an",
"text": "06[CFG] conn sl20:", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.718Z", "_prog": "charon", "_msgid":
"@07VRwC", "text": "06[CFG] child sl20childsa:", "_fac": "local1",
"_level": "info" }
{ "_ts": "2018-05-08T18:30:02.718Z", "_prog": "charon", "_msgid":
"@iFuhtB", "text": "06[CFG] rekey_time = 100", "_fac": "local1",
"_level": "info" }
{ "_ts": "2018-05-08T18:30:02.718Z", "_prog": "charon", "_msgid":
"@Py5B_C", "text": "06[CFG] life_time = 150", "_fac": "local1",
"_level": "info" }
{ "_ts": "2018-05-08T18:30:02.718Z", "_prog": "charon", "_msgid":
"@RscO8D", "text": "06[CFG] rand_time = 50", "_fac": "local1", "_level":
"info" }
{ "_ts": "2018-05-08T18:30:02.718Z", "_prog": "charon", "_msgid":
"@kOwrfC", "text": "06[CFG] rekey_bytes = 0", "_fac": "local1",
"_level": "info" }
{ "_ts": "2018-05-08T18:30:02.718Z", "_prog": "charon", "_msgid":
"@NcePjB", "text": "06[CFG] life_bytes = 0", "_fac": "local1", "_level":
"info" }
{ "_ts": "2018-05-08T18:30:02.718Z", "_prog": "charon", "_msgid":
"@ySflTB", "text": "06[CFG] rand_bytes = 0", "_fac": "local1", "_level":
"info" }
{ "_ts": "2018-05-08T18:30:02.718Z", "_prog": "charon", "_msgid":
"@7bKJCD", "text": "06[CFG] rekey_packets = 0", "_fac": "local1",
"_level": "info" }
{ "_ts": "2018-05-08T18:30:02.718Z", "_prog": "charon", "_msgid": "@ounha",
"text": "06[CFG] life_packets = 0", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.718Z", "_prog": "charon", "_msgid":
"@pibZ9D", "text": "06[CFG] rand_packets = 0", "_fac": "local1",
"_level": "info" }
{ "_ts": "2018-05-08T18:30:02.718Z", "_prog": "charon", "_msgid":
"@GKtK2D", "text": "06[CFG] updown = (null)", "_fac": "local1",
"_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@7v8q5C", "text": "06[CFG] hostaccess = 0", "_fac": "local1", "_level":
"info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@E6R_wB", "text": "06[CFG] ipcomp = 0", "_fac": "local1", "_level":
"info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@OXIEO",
"text": "06[CFG] mode = TUNNEL", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@aZ8jZB", "text": "06[CFG] policies = 1", "_fac": "local1", "_level":
"info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@kZYOj",
"text": "06[CFG] policies_fwd_out = 0", "_fac": "local1", "_level":
"info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@WR3uwD", "text": "06[CFG] dpd_action = restart", "_fac": "local1",
"_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@-yRFqD", "text": "06[CFG] start_action = clear", "_fac": "local1",
"_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@RfO9GD", "text": "06[CFG] close_action = clear", "_fac": "local1",
"_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@CetbUC", "text": "06[CFG] reqid = 0", "_fac": "local1", "_level":
"info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@CGw7NC", "text": "06[CFG] tfc = 0", "_fac": "local1", "_level": "info"
}
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@kXj8sD", "text": "06[CFG] priority = 0", "_fac": "local1", "_level":
"info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@b4xDE",
"text": "06[CFG] interface = (null)", "_fac": "local1", "_level": "info"
}
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@3fu6-B", "text": "06[CFG] mark_in = 20/4294967295", "_fac": "local1",
"_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@obPY4B", "text": "06[CFG] mark_in_sa = 1", "_fac": "local1", "_level":
"info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@oXu69C", "text": "06[CFG] mark_out = 20/4294967295", "_fac": "local1",
"_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@zw-OuB", "text": "06[CFG] inactivity = 0", "_fac": "local1", "_level":
"info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@Vx5JF",
"text": "06[CFG] proposals =
ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ", "_fac": "local1",
"_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@zuQWzD", "text": "06[CFG] local_ts = 0.0.0.0/0", "_fac": "local1",
"_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@6d6OxD", "text": "06[CFG] remote_ts = 0.0.0.0/0", "_fac": "local1",
"_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@sBphOC", "text": "06[CFG] hw_offload = 0", "_fac": "local1", "_level":
"info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@nkKZZ",
"text": "06[CFG] sha256_96 = 0", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@E2HSu",
"text": "06[CFG] version = 1", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@nZsV-D", "text": "06[CFG] local_addrs = 10.24.18.209", "_fac":
"local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@GahZ3C", "text": "06[CFG] remote_addrs = 199.168.148.132", "_fac":
"local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@CQgdxB", "text": "06[CFG] local_port = 500", "_fac": "local1",
"_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@oKxHHB", "text": "06[CFG] remote_port = 500", "_fac": "local1",
"_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@IAVUdB", "text": "06[CFG] send_certreq = 1", "_fac": "local1",
"_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@Mr6lAD", "text": "06[CFG] send_cert = CERT_SEND_IF_ASKED", "_fac":
"local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@p0p_7D", "text": "06[CFG] mobike = 1", "_fac": "local1", "_level":
"info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@-gM2eB", "text": "06[CFG] aggressive = 1", "_fac": "local1", "_level":
"info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@9XezrC", "text": "06[CFG] dscp = 0x00", "_fac": "local1", "_level":
"info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@GVWNi",
"text": "06[CFG] encap = 1", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@OhCYHB", "text": "06[CFG] dpd_delay = 0", "_fac": "local1", "_level":
"info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@HziRLC", "text": "06[CFG] dpd_timeout = 0", "_fac": "local1", "_level":
"info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@LX0b-C", "text": "06[CFG] fragmentation = 2", "_fac": "local1",
"_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@_QNrHB", "text": "06[CFG] unique = UNIQUE_NO", "_fac": "local1",
"_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@ON2SDD", "text": "06[CFG] keyingtries = 0", "_fac": "local1", "_level":
"info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@QzwJuB", "text": "06[CFG] reauth_time = 0", "_fac": "local1", "_level":
"info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@57mOTD", "text": "06[CFG] rekey_time = 150", "_fac": "local1",
"_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@SXfBlD", "text": "06[CFG] over_time = 15", "_fac": "local1", "_level":
"info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@hPL6KD", "text": "06[CFG] rand_time = 15", "_fac": "local1", "_level":
"info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@sp5P5C", "text": "06[CFG] proposals =
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024", "_fac": "local1",
"_level": "info" }
I also see multiple solutions to this issue; below are some of them. I want
to first reproduce this issue before trying the solutions.
1) reauth=no
2) uniqueids = yes
3) start_action = none
4) delete_rekeyed = yes
Any input on reproducing this issue will be appreciated.
Regards,
Naveen
On Fri, May 4, 2018 at 6:39 PM, Naveen Neelakanta <
naveen.b.neelakanta at gmail.com> wrote:
> Hi
>
> I have an IKEv1 session up; however, I also see multiple child SAs if I leave
> the session for a long run. I would like to understand this scenario and
> whether I should take any action if this scenario is seen.
>
> sl1childsa: #726, reqid 368, INSTALLED, TUNNEL-in-UDP,
> ESP:AES_CBC-128/HMAC_SHA1_96
> installed 6854s ago, rekeying in 20343s, expires in 21947s
> in 87e44243 (0x00000001), 0 bytes, 0 packets
> out 01ba724f (0x00000001), 0 bytes, 0 packets, 118s ago
> local 0.0.0.0/0
> remote 0.0.0.0/0
> sl1childsa: #727, reqid 368, INSTALLED, TUNNEL-in-UDP,
> ESP:AES_CBC-128/HMAC_SHA1_96
> installed 6853s ago, rekeying in 20334s, expires in 21947s
> in ad7acce9 (0x00000001), 0 bytes, 0 packets
> out 0602acec (0x00000001), 0 bytes, 0 packets, 118s ago
> local 0.0.0.0/0
> remote 0.0.0.0/0
> sl1childsa: #728, reqid 368, INSTALLED, TUNNEL-in-UDP,
> ESP:AES_CBC-128/HMAC_SHA1_96
> installed 6853s ago, rekeying in 20261s, expires in 21947s
> in 884e04f1 (0x00000001), 504 bytes, 6 packets, 119s ago
> out 0a8309e2 (0x00000001), 588 bytes, 7 packets, 118s ago
> local 0.0.0.0/0
> remote 0.0.0.0/0
>
> I believe in IKEv1 there is no rekey; it's just reauth.
>
> Regards,
> Naveen
>
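
A check for the condition shown in the quoted status output, as an added example (not part of the original message and not strongSwan code): it parses that output and groups INSTALLED CHILD_SAs that share a name, reqid and traffic selectors, keeping their packet counters so idle duplicates stand out. The function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Status output from the quoted message above (quote markers and e-mail line wraps removed).
SAMPLE = """\
sl1childsa: #726, reqid 368, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96
installed 6854s ago, rekeying in 20343s, expires in 21947s
in 87e44243 (0x00000001), 0 bytes, 0 packets
out 01ba724f (0x00000001), 0 bytes, 0 packets, 118s ago
local 0.0.0.0/0
remote 0.0.0.0/0
sl1childsa: #727, reqid 368, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96
installed 6853s ago, rekeying in 20334s, expires in 21947s
in ad7acce9 (0x00000001), 0 bytes, 0 packets
out 0602acec (0x00000001), 0 bytes, 0 packets, 118s ago
local 0.0.0.0/0
remote 0.0.0.0/0
sl1childsa: #728, reqid 368, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96
installed 6853s ago, rekeying in 20261s, expires in 21947s
in 884e04f1 (0x00000001), 504 bytes, 6 packets, 119s ago
out 0a8309e2 (0x00000001), 588 bytes, 7 packets, 118s ago
local 0.0.0.0/0
remote 0.0.0.0/0
"""
HEAD = re.compile(r"^(\S+): #(\d+), reqid (\d+), (\w+),")
DIRN = re.compile(r"^(in|out)\s+[0-9a-f]+ .*?(\d+) bytes, (\d+) packets")
TSEL = re.compile(r"^(local|remote)\s+(\S+)")

def parse_child_sas(text):
    """Return one dict per CHILD_SA entry found in status-style text."""
    sas, cur = [], None
    for raw in text.splitlines():
        line = raw.lstrip("> \t").rstrip()   # tolerate mail quote markers
        if m := HEAD.match(line):
            cur = {"name": m[1], "id": int(m[2]), "reqid": int(m[3]), "state": m[4], "packets": 0}
            sas.append(cur)
        elif cur and (m := DIRN.match(line)):
            cur["packets"] += int(m[3])      # sum of in + out packet counters
        elif cur and (m := TSEL.match(line)):
            cur[m[1]] = m[2]                 # local / remote traffic selector
    return sas

def find_duplicates(sas):
    """Group INSTALLED SAs that share name, reqid and traffic selectors."""
    groups = defaultdict(list)
    for sa in sas:
        if sa["state"] == "INSTALLED":
            groups[sa["name"], sa["reqid"], sa.get("local"), sa.get("remote")].append(sa)
    return {key: members for key, members in groups.items() if len(members) > 1}
```

Run on the sample, `find_duplicates(parse_child_sas(SAMPLE))` returns one group with SAs #726, #727 and #728; only #728 has non-zero packet counters.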