[strongSwan] IKE update does not correctly change the SA traffic selector in GRE transport mode
Frederic Griffoul
griffoul at gmail.com
Wed Oct 31 15:03:17 CET 2018
Dear all,
I'm testing strongSwan 5.7.1 on a Linux Ubuntu 16.04 server to support
GRE-over-IPsec tunnels with remote peers whose public address may
change from time to time. I thus use a 'dynamic[gre]' traffic selector and
transport-mode tunnels. When the remote peer address changes, strongSwan
correctly processes the XFRM_MSG_MAPPING message and updates the xfrm SA
and SP in the Linux kernel, except for the traffic selector. This results
in XfrmInStateMismatch errors when receiving packets from the remote peers.
I've attached the swanctl.conf and the charon logs.
Is it a known issue? Or did I miss something?
Before changing the remote peer address, the remote address is 2.2.2.254:
root at ubuntu-xenial:/ivoctl/vagrant# swanctl -l
dc_lan2: #1, ESTABLISHED, IKEv2, 17f7b73e0a357e0d_i 2136e2e04936ce5e_r*
local 'dc' @ 192.168.2.1[4500]
remote 'lan2' @ 2.2.2.254[4500]
AES_GCM_16-256/PRF_HMAC_SHA2_384/ECP_384
established 439s ago
lan2_dc: #1, reqid 1, INSTALLED, TRANSPORT-in-UDP, ESP:AES_GCM_16-256
installed 439s ago
in c5dd4c0b, 38544 bytes, 438 packets, 0s ago
out c4361bc0, 38544 bytes, 438 packets, 0s ago
local 192.168.2.1/32[gre]
remote 2.2.2.254/32[gre]
root at ubuntu-xenial:/ivoctl/vagrant# ip -s x s l
src 192.168.2.1 dst 2.2.2.254
proto esp spi 0xc4361bc0(3291880384) reqid 1(0x00000001) mode transport
replay-window 0 seq 0x00000000 flag (0x00000000)
aead rfc4106(gcm(aes)) 0x2db3e71cf4ee4d1600ff0b173b2480573b1ad30a3c3b8bd4b47f2d7cbb7fbfb5c41e3e6d (288 bits) 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x1be, bitmap 0x00000000
sel src 192.168.2.1/32 dst 2.2.2.254/32 uid 0
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
39248(bytes), 446(packets)
add 2018-10-31 13:31:09 use 2018-10-31 13:31:10
stats:
replay-window 0 replay 0 failed 0
src 2.2.2.254 dst 192.168.2.1
proto esp spi 0xc5dd4c0b(3319614475) reqid 1(0x00000001) mode transport
replay-window 0 seq 0x00000000 flag (0x00000000)
aead rfc4106(gcm(aes)) 0x66973d4ffe9290d89a4e5ad49c820daf586d4e4a8d745d81ef77f13177620036614c6da3 (288 bits) 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay esn context:
seq-hi 0x0, seq 0x1be, oseq-hi 0x0, oseq 0x0
replay_window 128, bitmap-length 4
ffffffff ffffffff ffffffff ffffffff
sel src 2.2.2.254/32 dst 192.168.2.1/32 uid 0
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
39248(bytes), 446(packets)
add 2018-10-31 13:31:09 use 2018-10-31 13:31:10
stats:
replay-window 0 replay 0 failed 0
After changing the address from 2.2.2.254 to 2.2.2.222, everything is
updated, except the SA selector:
root at ubuntu-xenial:/ivoctl/vagrant# swanctl -l
dc_lan2: #1, ESTABLISHED, IKEv2, 17f7b73e0a357e0d_i 2136e2e04936ce5e_r*
local 'dc' @ 192.168.2.1[4500]
remote 'lan2' @ 2.2.2.222[4500]
AES_GCM_16-256/PRF_HMAC_SHA2_384/ECP_384
established 529s ago
lan2_dc: #1, reqid 1, INSTALLED, TRANSPORT-in-UDP, ESP:AES_GCM_16-256
installed 529s ago
in c5dd4c0b, 45848 bytes, 521 packets, 58s ago
out c4361bc0, 42504 bytes, 483 packets, 38s ago
local 192.168.2.1/32[gre]
remote 2.2.2.222/32[gre]
root at ubuntu-xenial:/ivoctl/vagrant# ip -s x s l
src 192.168.2.1 dst 2.2.2.222
proto esp spi 0xc4361bc0(3291880384) reqid 1(0x00000001) mode transport
replay-window 0 seq 0x00000000 flag (0x00000000)
aead rfc4106(gcm(aes)) 0x2db3e71cf4ee4d1600ff0b173b2480573b1ad30a3c3b8bd4b47f2d7cbb7fbfb5c41e3e6d (288 bits) 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x1e3, bitmap 0x00000000
*sel src 192.168.2.1/32 dst 2.2.2.254/32 uid 0*
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
42504(bytes), 483(packets)
add 2018-10-31 13:31:09 use 2018-10-31 13:31:10
stats:
replay-window 0 replay 0 failed 0
src 2.2.2.222 dst 192.168.2.1
proto esp spi 0xc5dd4c0b(3319614475) reqid 1(0x00000001) mode transport
replay-window 0 seq 0x00000010 flag (0x00000000)
aead rfc4106(gcm(aes)) 0x66973d4ffe9290d89a4e5ad49c820daf586d4e4a8d745d81ef77f13177620036614c6da3 (288 bits) 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay esn context:
seq-hi 0x0, seq 0x210, oseq-hi 0x0, oseq 0x0
replay_window 128, bitmap-length 4
ffffffff ffffffff ffffffff ffffffff
*sel src 2.2.2.254/32 dst 192.168.2.1/32 uid 0*
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
46464(bytes), 528(packets)
add 2018-10-31 13:31:09 use 2018-10-31 13:31:10
stats:
replay-window 0 replay 0 failed 0
Best regards,
Fred.
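The failure mode reported above, as an added example that is not part of the original post nor of strongSwan: a small Python checker that parses the text output of `ip -s xfrm state` and of /proc/net/xfrm_stat and flags transport-mode SAs whose selector addresses no longer agree with the SA's own src/dst, which is exactly the stale-selector condition that makes the kernel count XfrmInStateMismatch. The sample texts embedded in the block are constructed from the output quoted in the post (keys elided, one tunnel-mode SA with a wildcard selector added for contrast); the counter value and the tunnel SA's SPI are made up.

```python
"""Flag xfrm SAs whose transport-mode selector disagrees with the SA endpoints.

Added example, not code from the original post or from strongSwan. It parses
the text output of `ip -s xfrm state` and of /proc/net/xfrm_stat. The sample
texts below are constructed from the output quoted in the post (keys elided,
one tunnel-mode SA added for contrast); the counter value and the tunnel SA's
SPI are made up.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two transport SAs after the peer moved to 2.2.2.222,
# selectors still pointing at 2.2.2.254, plus a tunnel-mode SA whose wildcard
# selector describes the inner packet and is not subject to this check.
SAMPLE_IP_XFRM_STATE = """\
src 192.168.2.1 dst 2.2.2.222
\tproto esp spi 0xc4361bc0(3291880384) reqid 1(0x00000001) mode transport
\treplay-window 0 seq 0x00000000 flag (0x00000000)
\taead rfc4106(gcm(aes)) 0x... 128
\tencap type espinudp sport 4500 dport 4500 addr 0.0.0.0
\tsel src 192.168.2.1/32 dst 2.2.2.254/32 uid 0
src 2.2.2.222 dst 192.168.2.1
\tproto esp spi 0xc5dd4c0b(3319614475) reqid 1(0x00000001) mode transport
\treplay-window 0 seq 0x00000010 flag (0x00000000)
\taead rfc4106(gcm(aes)) 0x... 128
\tencap type espinudp sport 4500 dport 4500 addr 0.0.0.0
\tsel src 2.2.2.254/32 dst 192.168.2.1/32 uid 0
src 192.168.2.1 dst 2.2.2.222
\tproto esp spi 0x0a0b0c0d(168496141) reqid 2(0x00000002) mode tunnel
\treplay-window 32 flag af-unspec
\tsel src 0.0.0.0/0 dst 0.0.0.0/0
"""

# Constructed /proc/net/xfrm_stat excerpt (counter names are the kernel's,
# the value is made up).
SAMPLE_XFRM_STAT = """\
XfrmInError             \t0
XfrmInNoStates          \t0
XfrmInStateProtoError   \t0
XfrmInStateModeError    \t0
XfrmInStateSeqError     \t0
XfrmInStateExpired      \t0
XfrmInStateMismatch     \t37
"""


@dataclass
class XfrmState:
    src: str
    dst: str
    spi: str = ""
    mode: str = ""
    sel_src: Optional[str] = None
    sel_dst: Optional[str] = None

    def selector_mismatch(self) -> bool:
        """True when a transport-mode SA's selector addresses differ from the
        SA endpoints. In transport mode the kernel checks the single IP header
        against this selector on input, so a selector left at the old peer
        address drops every packet from the new one (XfrmInStateMismatch).
        Tunnel-mode selectors describe the inner packet, so they are skipped."""
        if self.mode != "transport" or self.sel_src is None or self.sel_dst is None:
            return False
        return (self.sel_src.split("/")[0] != self.src
                or self.sel_dst.split("/")[0] != self.dst)


_HDR = re.compile(r"^src (\S+) dst (\S+)$")
_SPI = re.compile(r"\bspi (0x[0-9a-fA-F]+)")
_MODE = re.compile(r"\bmode (\w+)")
_SEL = re.compile(r"^sel src (\S+) dst (\S+)")


def parse_xfrm_state(text: str) -> List[XfrmState]:
    """Parse `ip [-s] xfrm state` output into XfrmState records."""
    states: List[XfrmState] = []
    cur: Optional[XfrmState] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _HDR.match(line)
        if m:                              # "src A dst B" starts a new SA
            cur = XfrmState(src=m.group(1), dst=m.group(2))
            states.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("proto "):      # carries spi and mode
            spi, mode = _SPI.search(line), _MODE.search(line)
            cur.spi = spi.group(1) if spi else ""
            cur.mode = mode.group(1) if mode else ""
            continue
        m = _SEL.match(line)
        if m:
            cur.sel_src, cur.sel_dst = m.group(1), m.group(2)
    return states


def find_mismatches(states: List[XfrmState]) -> List[XfrmState]:
    return [s for s in states if s.selector_mismatch()]


def xfrm_stat_counter(text: str, name: str) -> int:
    """Read one counter from /proc/net/xfrm_stat text (one 'name value' per line)."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == name:
            return int(parts[1])
    raise KeyError(name)


def describe(s: XfrmState) -> str:
    return (f"SA {s.src} -> {s.dst} spi {s.spi} ({s.mode}): selector "
            f"{s.sel_src} -> {s.sel_dst} does not match the SA endpoints")


def main() -> None:
    try:  # live data needs root and iproute2; otherwise fall back to the sample
        out = subprocess.run(["ip", "-s", "xfrm", "state"], check=True,
                             capture_output=True, text=True).stdout
        with open("/proc/net/xfrm_stat") as f:
            stat = f.read()
    except (OSError, subprocess.CalledProcessError):
        out, stat = SAMPLE_IP_XFRM_STATE, SAMPLE_XFRM_STAT
    for s in find_mismatches(parse_xfrm_state(out)):
        print(describe(s))
    print(f"XfrmInStateMismatch = {xfrm_stat_counter(stat, 'XfrmInStateMismatch')}")


if __name__ == "__main__":
    main()
```

Run as root on the affected host it prints one line per stale transport-mode SA together with the current XfrmInStateMismatch counter; a rising counter with no flagged SA points at a different cause (for example a policy or replay problem) rather than the selector update described in the post.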
-------------- next part --------------
A non-text attachment was scrubbed...
Name: charon.log
Type: application/octet-stream
Size: 43023 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20181031/fc7cfae8/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: swanctl.conf
Type: application/octet-stream
Size: 1422 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20181031/fc7cfae8/attachment-0003.obj>