[strongSwan] local interface address change does not update the kernel GRE "trap" policy

Frederic Griffoul griffoul at gmail.com
Mon Mar 11 17:55:04 CET 2019


Dear all,

I'm using strongswan-5.7.2 on Linux Debian 9 to support GRE-over-IPsec
tunnels in a hub-and-spoke topology. The start_action is configured as
'trap', with the traffic selector "dynamic[gre]" (see the attached spoke
swanctl.conf).

When the spoke wan interface address is changed, the GRE "trap" policy in
the kernel is not updated.

Before modifying the 'rt2p2' interface, which connects the machine to the
WAN:

root@stretch:/ivoctl/vagrant# ip x p l
src 192.168.2.2/32 dst 1.1.1.254/32 proto gre
        dir out priority 366976 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 1 mode transport
src 1.1.1.254/32 dst 192.168.2.2/32 proto gre
        dir in priority 366976 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 1 mode transport
root@stretch:/ivoctl/vagrant# ip a l dev rt2p2
11: rt2p2@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 76:c0:22:e8:c2:42 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.2.2/24 scope global rt2p2
       valid_lft forever preferred_lft forever
    inet6 fe80::74c0:22ff:fee8:c242/64 scope link
       valid_lft forever preferred_lft forever

After modifying the 'rt2p2' interface:

root@stretch:/ivoctl/vagrant# ip x p l
src 192.168.2.2/32 dst 1.1.1.254/32 proto gre
        dir out priority 366976 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 1 mode transport
src 1.1.1.254/32 dst 192.168.2.2/32 proto gre
        dir in priority 366976 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 1 mode transport
root@stretch:/ivoctl/vagrant# ip a l dev rt2p2
11: rt2p2@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 76:c0:22:e8:c2:42 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.2.18/24 scope global rt2p2
       valid_lft forever preferred_lft forever
    inet6 fe80::74c0:22ff:fee8:c242/64 scope link
       valid_lft forever preferred_lft forever

The fun part is that if the tunnel was already up, the "active" kernel
policy is correctly updated, but not the "trap" policy: after modifying the
'rt2p2' interface with an active tunnel, I see 2 policies (and the traffic
is correctly forwarded in the tunnel):

root@stretch:/ivoctl/vagrant# ip x p l
src 192.168.2.18/32 dst 1.1.1.254/32 proto gre
        dir out priority 366975 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp spi 0xc5da1439 reqid 1 mode transport
src 1.1.1.254/32 dst 192.168.2.18/32 proto gre
        dir in priority 366975 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 1 mode transport
src 1.1.1.254/32 dst 192.168.2.2/32 proto gre
        dir in priority 366976 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 1 mode transport
src 192.168.2.2/32 dst 1.1.1.254/32 proto gre
        dir out priority 366976 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 1 mode transport

So I actually discovered the issue on a real case when the tunnel went down
due to Internet connectivity issues.

Here's the relevant charon log (the connection's name is "lan2_dc") when
the address is changed:

Mar 11 16:44:44 06[KNL] <lan2_dc|1> querying policy 192.168.2.2/32[gre] === 1.1.1.254/32[gre] out
Mar 11 16:44:48 06[KNL] <lan2_dc|1> no address found to reach 1.1.1.254/32
Mar 11 16:44:48 06[IKE] <lan2_dc|1> old path is not available anymore, try to find another
Mar 11 16:44:48 06[IKE] <lan2_dc|1> looking for a route to 1.1.1.254 ...
Mar 11 16:44:48 06[KNL] <lan2_dc|1> using 192.168.2.18 as address to reach 1.1.1.254/32
Mar 11 16:44:48 06[IKE] <lan2_dc|1> reauthenticating IKE_SA due to address change
Mar 11 16:44:48 06[KNL] <lan2_dc|1> using 192.168.2.18 as address to reach 1.1.1.254/32
Mar 11 16:44:48 06[IKE] <lan2_dc|1> reauthenticating IKE_SA lan2_dc[1]
Mar 11 16:44:48 06[IKE] <lan2_dc|1> queueing IKE_REAUTH task
Mar 11 16:44:48 06[IKE] <lan2_dc|1> activating new tasks
Mar 11 16:44:48 06[IKE] <lan2_dc|1>   activating IKE_REAUTH task
Mar 11 16:44:48 06[IKE] <lan2_dc|1> deleting IKE_SA lan2_dc[1] between 192.168.2.18[lan2]...1.1.1.254[dc]
Mar 11 16:44:48 06[IKE] <lan2_dc|1> IKE_SA lan2_dc[1] state change: ESTABLISHED => DELETING
Mar 11 16:44:48 06[IKE] <lan2_dc|1> sending DELETE for IKE_SA lan2_dc[1]
Mar 11 16:44:48 06[NET] <lan2_dc|1> sending packet: from 192.168.2.18[500] to 1.1.1.254[500] (65 bytes)
Mar 11 16:44:48 12[NET] <lan2_dc|1> received packet: from 1.1.1.254[500] to 192.168.2.18[500] (57 bytes)
Mar 11 16:44:48 12[IKE] <lan2_dc|1> IKE_SA deleted
Mar 11 16:44:48 12[IKE] <lan2_dc|1> restarting CHILD_SA lan2_dc
Mar 11 16:44:48 12[IKE] <lan2_dc|1> queueing IKE_VENDOR task
Mar 11 16:44:48 12[IKE] <lan2_dc|1> queueing IKE_INIT task
Mar 11 16:44:48 12[IKE] <lan2_dc|1> queueing IKE_NATD task
Mar 11 16:44:48 12[IKE] <lan2_dc|1> queueing IKE_CERT_PRE task
Mar 11 16:44:48 12[IKE] <lan2_dc|1> queueing IKE_AUTH task
Mar 11 16:44:48 12[IKE] <lan2_dc|1> queueing IKE_CERT_POST task
Mar 11 16:44:48 12[IKE] <lan2_dc|1> queueing IKE_CONFIG task
Mar 11 16:44:48 12[IKE] <lan2_dc|1> queueing IKE_AUTH_LIFETIME task
Mar 11 16:44:48 12[IKE] <lan2_dc|1> queueing CHILD_CREATE task
Mar 11 16:44:48 12[IKE] <lan2_dc|1> activating new tasks
Mar 11 16:44:48 12[IKE] <lan2_dc|1>   activating IKE_VENDOR task
Mar 11 16:44:48 12[IKE] <lan2_dc|1>   activating IKE_INIT task
Mar 11 16:44:48 12[IKE] <lan2_dc|1>   activating IKE_NATD task
Mar 11 16:44:48 12[IKE] <lan2_dc|1>   activating IKE_CERT_PRE task
Mar 11 16:44:48 12[IKE] <lan2_dc|1>   activating IKE_AUTH task
Mar 11 16:44:48 12[IKE] <lan2_dc|1>   activating IKE_CERT_POST task
Mar 11 16:44:48 12[IKE] <lan2_dc|1>   activating IKE_CONFIG task
Mar 11 16:44:48 12[IKE] <lan2_dc|1>   activating CHILD_CREATE task
Mar 11 16:44:48 12[IKE] <lan2_dc|1>   activating IKE_AUTH_LIFETIME task
Mar 11 16:44:48 12[IKE] <lan2_dc|1> initiating IKE_SA lan2_dc[2] to 1.1.1.254
Mar 11 16:44:48 12[IKE] <lan2_dc|1> IKE_SA lan2_dc[2] state change: CREATED => CONNECTING
Mar 11 16:44:48 12[CFG] <lan2_dc|1> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
Mar 11 16:44:48 12[CFG] <lan2_dc|1> sending supported signature hash algorithms: sha256 sha384 sha512 identity
Mar 11 16:44:48 12[NET] <lan2_dc|1> sending packet: from 192.168.2.18[500] to 1.1.1.254[500] (296 bytes)
Mar 11 16:44:48 12[IKE] <lan2_dc|1> IKE_SA lan2_dc[1] state change: DELETING => DESTROYING
Mar 11 16:44:48 12[CHD] <lan2_dc|1> CHILD_SA lan2_dc{2} state change: INSTALLED => DESTROYING
Mar 11 16:44:48 12[KNL] <lan2_dc|1> deleting policy 192.168.2.2/32[gre] === 1.1.1.254/32[gre] out
Mar 11 16:44:48 12[KNL] <lan2_dc|1> policy still used by another CHILD_SA, not removed
Mar 11 16:44:48 12[KNL] <lan2_dc|1> updating policy 192.168.2.2/32[gre] === 1.1.1.254/32[gre] out [priority 366976, refcount 1]
Mar 11 16:44:48 12[KNL] <lan2_dc|1> deleting policy 1.1.1.254/32[gre] === 192.168.2.2/32[gre] in
Mar 11 16:44:48 12[KNL] <lan2_dc|1> policy still used by another CHILD_SA, not removed
Mar 11 16:44:48 12[KNL] <lan2_dc|1> updating policy 1.1.1.254/32[gre] === 192.168.2.2/32[gre] in [priority 366976, refcount 1]
Mar 11 16:44:48 12[KNL] <lan2_dc|1> deleting SAD entry with SPI cb35fa6f
Mar 11 16:44:48 12[KNL] <lan2_dc|1> deleted SAD entry with SPI cb35fa6f
Mar 11 16:44:48 12[KNL] <lan2_dc|1> deleting SAD entry with SPI c53758a8
Mar 11 16:44:48 12[KNL] <lan2_dc|1> deleted SAD entry with SPI c53758a8
Mar 11 16:44:48 02[NET] <lan2_dc|2> received packet: from 1.1.1.254[500] to 192.168.2.18[500] (296 bytes)
Mar 11 16:44:48 02[IKE] <lan2_dc|2> received FRAGMENTATION_SUPPORTED notify
Mar 11 16:44:48 02[IKE] <lan2_dc|2> received SIGNATURE_HASH_ALGORITHMS notify
Mar 11 16:44:48 02[CFG] <lan2_dc|2> selecting proposal:
Mar 11 16:44:48 02[CFG] <lan2_dc|2>   proposal matches
Mar 11 16:44:48 02[CFG] <lan2_dc|2> received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
Mar 11 16:44:48 02[CFG] <lan2_dc|2> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
Mar 11 16:44:48 02[CFG] <lan2_dc|2> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
Mar 11 16:44:48 02[CFG] <lan2_dc|2> received supported signature hash algorithms: sha256 sha384 sha512 identity
Mar 11 16:44:48 02[IKE] <lan2_dc|2> local host is behind NAT, sending keep alives
Mar 11 16:44:48 02[IKE] <lan2_dc|2> remote host is behind NAT
Mar 11 16:44:48 02[IKE] <lan2_dc|2> reinitiating already active tasks
Mar 11 16:44:48 02[IKE] <lan2_dc|2>   IKE_CERT_PRE task
Mar 11 16:44:48 02[IKE] <lan2_dc|2>   IKE_AUTH task
Mar 11 16:44:48 02[IKE] <lan2_dc|2> authentication of 'lan2' (myself) with pre-shared key
Mar 11 16:44:48 02[IKE] <lan2_dc|2> successfully created shared key MAC
Mar 11 16:44:48 02[CFG] <lan2_dc|2> proposing traffic selectors for us:
Mar 11 16:44:48 02[CFG] <lan2_dc|2>  192.168.2.18/32[gre]
Mar 11 16:44:48 02[CFG] <lan2_dc|2> proposing traffic selectors for other:
Mar 11 16:44:48 02[CFG] <lan2_dc|2>  1.1.1.254/32[gre]
Mar 11 16:44:48 02[CFG] <lan2_dc|2> configured proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
Mar 11 16:44:48 02[IKE] <lan2_dc|2> establishing CHILD_SA lan2_dc{3} reqid 1
Mar 11 16:44:48 02[KNL] <lan2_dc|2> got SPI ccf55d90
Mar 11 16:44:48 02[NET] <lan2_dc|2> sending packet: from 192.168.2.18[4500] to 1.1.1.254[4500] (259 bytes)
Mar 11 16:44:48 09[NET] <lan2_dc|2> received packet: from 1.1.1.254[4500] to 192.168.2.18[4500] (215 bytes)
Mar 11 16:44:48 09[IKE] <lan2_dc|2> received USE_TRANSPORT_MODE notify
Mar 11 16:44:48 09[IKE] <lan2_dc|2> authentication of 'dc' with pre-shared key successful
Mar 11 16:44:48 09[IKE] <lan2_dc|2> IKE_SA lan2_dc[2] established between 192.168.2.18[lan2]...1.1
Mar 11 16:44:48 09[IKE] <lan2_dc|2> IKE_SA lan2_dc[2] state change: CONNECTING => ESTABLISHED
Mar 11 16:44:48 09[IKE] <lan2_dc|2> scheduling rekeying in 3384s
Mar 11 16:44:48 09[IKE] <lan2_dc|2> maximum IKE_SA lifetime 3744s
Mar 11 16:44:48 09[CFG] <lan2_dc|2> selecting proposal:
Mar 11 16:44:48 09[CFG] <lan2_dc|2>   proposal matches
Mar 11 16:44:48 09[CFG] <lan2_dc|2> received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
Mar 11 16:44:48 09[CFG] <lan2_dc|2> configured proposals: ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ
Mar 11 16:44:48 09[CFG] <lan2_dc|2> selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
Mar 11 16:44:48 09[CFG] <lan2_dc|2> selecting traffic selectors for us:
Mar 11 16:44:48 09[CFG] <lan2_dc|2>  config: 192.168.2.18/32[gre], received: 192.168.2.18/32[gre] => match: 192.168.2.18/32[gre]
Mar 11 16:44:48 09[CFG] <lan2_dc|2> selecting traffic selectors for other:
Mar 11 16:44:48 09[CFG] <lan2_dc|2>  config: 1.1.1.254/32[gre], received: 1.1.1.254/32[gre] => match: 1.1.1.254/32[gre]
Mar 11 16:44:48 09[CHD] <lan2_dc|2> CHILD_SA lan2_dc{3} state change: CREATED => INSTALLING
Mar 11 16:44:48 09[CHD] <lan2_dc|2>   using AES_GCM_16 for encryption
Mar 11 16:44:48 09[CHD] <lan2_dc|2> adding inbound ESP SA
Mar 11 16:44:48 09[CHD] <lan2_dc|2>   SPI 0xccf55d90, src 1.1.1.254 dst 192.168.2.18
Mar 11 16:44:48 09[KNL] <lan2_dc|2> adding SAD entry with SPI ccf55d90 and reqid {1}
Mar 11 16:44:48 09[KNL] <lan2_dc|2>   using encryption algorithm AES_GCM_16 with key size 288
Mar 11 16:44:48 09[KNL] <lan2_dc|2>   using replay window of 128 packets
Mar 11 16:44:48 09[KNL] <lan2_dc|2>   HW offload: auto
Mar 11 16:44:48 09[KNL] <lan2_dc|2> 192.168.2.18 is on interface rt2p2
Mar 11 16:44:48 09[KNL] <lan2_dc|2> HW offload is not supported by kernel
Mar 11 16:44:48 09[CHD] <lan2_dc|2> adding outbound ESP SA
Mar 11 16:44:48 09[CHD] <lan2_dc|2>   SPI 0xc5da1439, src 192.168.2.18 dst 1.1.1.254
Mar 11 16:44:48 09[KNL] <lan2_dc|2> adding SAD entry with SPI c5da1439 and reqid {1}
Mar 11 16:44:48 09[KNL] <lan2_dc|2>   using encryption algorithm AES_GCM_16 with key size 288
Mar 11 16:44:48 09[KNL] <lan2_dc|2>   using replay window of 0 packets
Mar 11 16:44:48 09[KNL] <lan2_dc|2>   HW offload: auto
Mar 11 16:44:48 09[KNL] <lan2_dc|2> 192.168.2.18 is on interface rt2p2
Mar 11 16:44:48 09[KNL] <lan2_dc|2> HW offload is not supported by kernel
Mar 11 16:44:48 09[KNL] <lan2_dc|2> adding policy 1.1.1.254/32[gre] === 192.168.2.18/32[gre] in [priority 366975, refcount 1]
Mar 11 16:44:48 09[KNL] <lan2_dc|2> adding policy 192.168.2.18/32[gre] === 1.1.1.254/32[gre] out [priority 366975, refcount 1]
Mar 11 16:44:48 09[IKE] <lan2_dc|2> CHILD_SA lan2_dc{3} established with SPIs ccf55d90_i c5da1439_o and TS 192.168.2.18/32[gre] === 1.1.1.254/32[gre]
Mar 11 16:44:48 09[CHD] <lan2_dc|2> CHILD_SA lan2_dc{3} state change: INSTALLING => INSTALLED
Mar 11 16:44:48 09[IKE] <lan2_dc|2> activating new tasks
Mar 11 16:44:48 09[IKE] <lan2_dc|2> nothing to initiate

Let me know if further information is needed. Is there any workaround or is
it a known issue?

Best regards,

F.Griffoul
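The symptom reported above is that a trap policy for the old local address (192.168.2.2) stays in the kernel after the interface moves to 192.168.2.18, while the policies for the live CHILD_SA are re-added for the new address. A quick way for an operator to detect that state on a spoke is to compare the local /32 endpoint of every policy in `ip xfrm policy list` with the addresses actually configured on the host. The following check is an added example and is not part of the post or of strongSwan; the function names and the fallback to constructed sample data (copied from the `ip x p l` and `ip a l` output in the post) are this example's own, and it assumes the `ip xfrm` output format shown in the post.

```python
"""Flag kernel XFRM policies whose local /32 endpoint is no longer an address
of this host, e.g. a stale strongSwan 'trap' policy left behind after the WAN
interface address changed (the situation described in the post above)."""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Set

_HDR = re.compile(r"^src (\S+) dst (\S+)(?: proto (\S+))?")  # top-level policy line
_DIR = re.compile(r"\bdir (\w+) priority (\d+)")
_SPI = re.compile(r"\bspi (0x[0-9a-fA-F]+)")
_INET = re.compile(r"^\s*inet (\d+\.\d+\.\d+\.\d+)/\d+")


@dataclass
class Policy:
    src: str
    dst: str
    proto: Optional[str]
    direction: Optional[str] = None
    priority: Optional[int] = None
    spi: Optional[str] = None  # only shown on an outbound policy bound to a live SA

    def local_selector(self) -> str:
        # The local side is the source of an 'out' policy and the destination of an 'in' one.
        return self.src if self.direction == "out" else self.dst


def parse_xfrm_policies(text: str) -> List[Policy]:
    """Parse `ip xfrm policy list` output; indented dir/tmpl/proto lines attach to the last policy."""
    policies: List[Policy] = []
    for line in text.splitlines():
        m = _HDR.match(line)
        if m:
            policies.append(Policy(m.group(1), m.group(2), m.group(3)))
            continue
        if not policies:
            continue
        m = _DIR.search(line)
        if m:
            policies[-1].direction, policies[-1].priority = m.group(1), int(m.group(2))
        m = _SPI.search(line)
        if m:
            policies[-1].spi = m.group(1)
    return policies


def parse_local_addresses(text: str) -> Set[str]:
    """Collect the IPv4 addresses from `ip address list` output."""
    return {m.group(1) for m in map(_INET.match, text.splitlines()) if m}


def find_stale_policies(policies: List[Policy], local_addrs: Set[str]) -> List[Policy]:
    """A policy is stale when its local endpoint is a single host (/32) that no interface
    carries any more. Socket policies (no 'dir') and wider selectors are skipped, since
    their local side is not one address."""
    stale = []
    for p in policies:
        if p.direction not in ("in", "out"):
            continue
        sel = p.local_selector()
        if sel.endswith("/32") and sel[:-3] not in local_addrs:
            stale.append(p)
    return stale


# Constructed samples reproducing the post's state after the address change with an
# active tunnel: two fresh policies for .18 and two stale trap policies for .2.
SAMPLE_POLICIES = """\
src 192.168.2.18/32 dst 1.1.1.254/32 proto gre
        dir out priority 366975 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp spi 0xc5da1439 reqid 1 mode transport
src 1.1.1.254/32 dst 192.168.2.18/32 proto gre
        dir in priority 366975 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 1 mode transport
src 1.1.1.254/32 dst 192.168.2.2/32 proto gre
        dir in priority 366976 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 1 mode transport
src 192.168.2.2/32 dst 1.1.1.254/32 proto gre
        dir out priority 366976 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 1 mode transport
"""
SAMPLE_ADDRS = """\
11: rt2p2@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    inet 192.168.2.18/24 scope global rt2p2
    inet6 fe80::74c0:22ff:fee8:c242/64 scope link
"""


def check(policy_text: str = SAMPLE_POLICIES, addr_text: str = SAMPLE_ADDRS) -> List[Policy]:
    """Return the stale policies found in the given command outputs."""
    return find_stale_policies(parse_xfrm_policies(policy_text), parse_local_addresses(addr_text))


if __name__ == "__main__":
    try:  # live check on a Linux host; falls back to the constructed samples elsewhere
        pol = subprocess.run(["ip", "xfrm", "policy", "list"], capture_output=True, text=True, check=True).stdout
        adr = subprocess.run(["ip", "-4", "address", "list"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        pol, adr = SAMPLE_POLICIES, SAMPLE_ADDRS
    for p in check(pol, adr):
        print(f"stale {p.direction} policy {p.src} -> {p.dst} proto {p.proto} priority {p.priority}")
```

Run on the sample data it reports the two priority-366976 policies for 192.168.2.2, which are exactly the trap policies the post says are not refreshed; run on a live spoke it is a cheap post-change sanity check that can be scheduled alongside whatever renumbers the WAN interface.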
-------------- next part --------------
A non-text attachment was scrubbed...
Name: swanctl.conf
Type: application/octet-stream
Size: 943 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20190311/86805e1a/attachment-0001.obj>