[strongSwan] unstable tunnels

Doug Tucker doug.tucker at navigaglobal.com
Thu Feb 27 15:05:11 CET 2020


I have an issue that has suddenly begun happening on a tunnel that has been running for about 6 months.  There are about 70 mappings on this device to the same peer.  When they go through rekey, only about 16 of them survive.  Here is a snippet in the logs of what I see when this is happening.  Anyone have any ideas what might cause this?  I'm confused by these "no matching child SA" messages.  I thought that meant the other side doesn't have this mapping but they do.

Feb 27 13:54:34 ip-2.2.2.2 charon: 06[NET] received packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (76 bytes)
Feb 27 13:54:34 ip-2.2.2.2 charon: 06[ENC] parsed INFORMATIONAL_V1 request 645458918 [ HASH D ]
Feb 27 13:54:34 ip-2.2.2.2 charon: 06[IKE] received DELETE for ESP CHILD_SA with SPI 396b2973
Feb 27 13:54:34 ip-2.2.2.2 charon: 06[IKE] CHILD_SA not found, ignored
Feb 27 13:54:34 ip-2.2.2.2 charon: 05[NET] received packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (172 bytes)
Feb 27 13:54:34 ip-2.2.2.2 charon: 05[ENC] parsed QUICK_MODE request 3880286434 [ HASH SA No ID ID ]
Feb 27 13:54:34 ip-2.2.2.2 charon: 05[IKE] no matching CHILD_SA config found for 10.88.16.0/22 === 172.28.0.0/16
Feb 27 13:54:34 ip-2.2.2.2 charon: 05[ENC] generating INFORMATIONAL_V1 request 4022714658 [ HASH N(INVAL_ID) ]
Feb 27 13:54:34 ip-2.2.2.2 charon: 05[NET] sending packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (76 bytes)
Feb 27 13:54:36 ip-2.2.2.2 charon: 13[NET] received packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (172 bytes)
Feb 27 13:54:36 ip-2.2.2.2 charon: 13[ENC] parsed QUICK_MODE request 1802074258 [ HASH SA No ID ID ]
Feb 27 13:54:36 ip-2.2.2.2 charon: 13[ENC] received HASH payload does not match
Feb 27 13:54:36 ip-2.2.2.2 charon: 13[IKE] integrity check failed
Feb 27 13:54:36 ip-2.2.2.2 charon: 13[ENC] generating INFORMATIONAL_V1 request 2322290261 [ HASH N(INVAL_HASH) ]
Feb 27 13:54:36 ip-2.2.2.2 charon: 13[NET] sending packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (76 bytes)
Feb 27 13:54:36 ip-2.2.2.2 charon: 13[IKE] QUICK_MODE request with message ID 1802074258 processing failed
Feb 27 13:54:37 ip-2.2.2.2 charon: 08[NET] received packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (172 bytes)
Feb 27 13:54:37 ip-2.2.2.2 charon: 08[ENC] parsed QUICK_MODE request 2672322312 [ HASH SA No ID ID ]
Feb 27 13:54:37 ip-2.2.2.2 charon: 08[ENC] received HASH payload does not match
Feb 27 13:54:37 ip-2.2.2.2 charon: 08[IKE] integrity check failed
Feb 27 13:54:37 ip-2.2.2.2 charon: 08[ENC] generating INFORMATIONAL_V1 request 1930495837 [ HASH N(INVAL_HASH) ]
Feb 27 13:54:37 ip-2.2.2.2 charon: 08[NET] sending packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (76 bytes)
Feb 27 13:54:37 ip-2.2.2.2 charon: 08[IKE] QUICK_MODE request with message ID 2672322312 processing failed
Feb 27 13:54:39 ip-2.2.2.2 charon: 10[NET] received packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (172 bytes)
Feb 27 13:54:39 ip-2.2.2.2 charon: 10[ENC] parsed QUICK_MODE request 449999052 [ HASH SA No ID ID ]
Feb 27 13:54:39 ip-2.2.2.2 charon: 10[IKE] no matching CHILD_SA config found for 10.65.32.0/20 === 172.28.0.0/16
Feb 27 13:54:39 ip-2.2.2.2 charon: 10[ENC] generating INFORMATIONAL_V1 request 1713249855 [ HASH N(INVAL_ID) ]
Feb 27 13:54:39 ip-2.2.2.2 charon: 10[NET] sending packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (76 bytes)
Feb 27 13:54:40 ip-2.2.2.2 charon: 09[NET] received packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (76 bytes)
Feb 27 13:54:40 ip-2.2.2.2 charon: 09[ENC] parsed INFORMATIONAL_V1 request 1348181082 [ HASH D ]
Feb 27 13:54:40 ip-2.2.2.2 charon: 09[IKE] received DELETE for ESP CHILD_SA with SPI 55e242ba
Feb 27 13:54:40 ip-2.2.2.2 charon: 09[IKE] CHILD_SA not found, ignored





Doug Tucker
Sr. Director of Networking & Linux Operations

o: 817.975.5832  |  m: 817.975.5832

e: doug.tucker at navigaglobal.com
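
A triage sketch for the log excerpt in the post above, added here as an example; it is not part of the original message and not strongSwan code. It pairs each parsed IKEv1 request with the outcome charon logged for it and lists the traffic selectors rejected for lack of a matching config. The function names and outcome labels are assumptions of this example, and the sample input is a subset of the lines quoted in the post.

```python
import re
from collections import Counter

# Sample input: a subset of the charon lines quoted in the post above.
SAMPLE_LOG = """\
Feb 27 13:54:34 ip-2.2.2.2 charon: 06[ENC] parsed INFORMATIONAL_V1 request 645458918 [ HASH D ]
Feb 27 13:54:34 ip-2.2.2.2 charon: 06[IKE] received DELETE for ESP CHILD_SA with SPI 396b2973
Feb 27 13:54:34 ip-2.2.2.2 charon: 06[IKE] CHILD_SA not found, ignored
Feb 27 13:54:34 ip-2.2.2.2 charon: 05[ENC] parsed QUICK_MODE request 3880286434 [ HASH SA No ID ID ]
Feb 27 13:54:34 ip-2.2.2.2 charon: 05[IKE] no matching CHILD_SA config found for 10.88.16.0/22 === 172.28.0.0/16
Feb 27 13:54:36 ip-2.2.2.2 charon: 13[ENC] parsed QUICK_MODE request 1802074258 [ HASH SA No ID ID ]
Feb 27 13:54:36 ip-2.2.2.2 charon: 13[ENC] received HASH payload does not match
Feb 27 13:54:39 ip-2.2.2.2 charon: 10[ENC] parsed QUICK_MODE request 449999052 [ HASH SA No ID ID ]
Feb 27 13:54:39 ip-2.2.2.2 charon: 10[IKE] no matching CHILD_SA config found for 10.65.32.0/20 === 172.28.0.0/16
"""

LINE = re.compile(r"charon: (\d+)\[[A-Z]+\] (.*)$")        # worker thread number, message
PARSED = re.compile(r"parsed (\S+) request (\d+) \[")      # exchange type, message ID
NO_CFG = re.compile(r"no matching CHILD_SA config found for (.+)$")

def triage(log_text):
    """Return one record per parsed request, tagged with the outcome logged on the same thread."""
    current, records = {}, []   # current: thread number -> record that thread is processing
    for line in log_text.splitlines():
        if not (m := LINE.search(line)):
            continue
        tid, msg = m.groups()
        if (p := PARSED.search(msg)):
            current[tid] = {"exchange": p[1], "msg_id": p[2], "outcome": "ok", "detail": None}
            records.append(current[tid])
            continue
        rec = current.get(tid, {})   # lines with no preceding request go to a throwaway dict
        if (c := NO_CFG.search(msg)):
            rec["outcome"], rec["detail"] = "no_matching_config", c[1]
        elif "HASH payload does not match" in msg:
            rec["outcome"] = "hash_mismatch"
        elif "received DELETE" in msg:
            rec["detail"] = msg.rsplit(" ", 1)[-1]   # SPI is the last token on the line
        elif "CHILD_SA not found" in msg:
            rec["outcome"] = "delete_for_unknown_sa"
    return records

def summarize(records):
    """Count outcomes and list the selector pairs rejected with no matching config."""
    counts = Counter(r["outcome"] for r in records)
    rejected = sorted({r["detail"] for r in records if r["outcome"] == "no_matching_config"})
    return counts, rejected

if __name__ == "__main__":
    print(summarize(triage(SAMPLE_LOG)))
```

Run over the full charon log from a rekey window, the rejected list gives the exact selector pairs to compare against the locally configured mappings.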





