[strongSwan] Strange problem: SPIs not updated in kernel

Michael Schwartzkopff ms at sys4.de
Wed Aug 10 12:55:09 CEST 2022


Hi,


we have a strange problem with strongswan. It seems that the kernel 
knows about transform policies that strongswan does not know and thus 
does not update the xfrm sets.


Before:

src x.x.x.x/32 dst 192.2.0.0/24
   dir out priority 371327
   tmpl src x.x.x.x dst y.y.y.y
     proto esp spi 0x25320a67 reqid 1 mode tunnel
(...)
src 192.2.0.0/24 dst x.x.x.x/32
   dir in priority 371327
   tmpl src y.y.y.y dst x.x.x.x
     proto esp reqid 1 mode tunnel


Question: Why do we have in outbound SPI, but not inbound?


Then:

swanctl --terminate --child net-net
terminate failed: no matching SAs to terminate found


Renegotiation with IKE:

[IKE] initiating IKE_SA myvpn[1] to y.y.y.y
(...)
[IKE] establishing CHILD_SA net-net{1}
(...)
[IKE] authentication of 'y.y.y.y' with pre-shared key successful
[IKE] IKE_SA myvpn[1] established between 
x.x.x.x[x.x.x.x]...y.y.y.y[y.y.y.y]
(...)
[KNL] policy already exists, try to update it
[KNL] policy already exists, try to update it
[KNL] policy already exists, try to update it

(...)
[IKE] CHILD_SA net-net{1} established with SPIs c9034629_i 3fb0d026_o 
and TS x.x.x.x/32 === 192.2.0.0/24
initiate completed successfully

ip xfrm policy
src x.x.x.x/32 dst 192.2.0.0/24
   dir out priority 371327
   tmpl src x.x.x.x dst y.y.y.y
     proto esp spi 0x3fb0d026 reqid 1 mode tunnel
(...)
src 192.2.0.0/24 dst x.x.x.x/32
   dir in priority 371327
   tmpl src y.y.y.y dst x.x.x.x
     proto esp reqid 1 mode tunnel

Why did strongswan update the OUT SPI from 0x25320a67 to 0x3fb0d026? See 
kernel log above about existing policy.

Why did strongswan NOT update the IN SPI with 0xc9034629?


How to fix it?


Kind regards,

-- 

[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
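A check for the mismatch described in the post above, as an added example that is not part of the original message or of strongSwan: it parses `ip xfrm policy` output and charon's CHILD_SA "established" line (sample text constructed from the captures above) and flags outbound policies whose template SPI differs from the negotiated `_o` SPI. The inbound templates in both captures carry no SPI at all, so only outbound policies are compared.

```python
import re

# Sample input constructed from the "Before" capture in the post (not live output).
XFRM_POLICY_BEFORE = """\
src x.x.x.x/32 dst 192.2.0.0/24
   dir out priority 371327
   tmpl src x.x.x.x dst y.y.y.y
     proto esp spi 0x25320a67 reqid 1 mode tunnel
src 192.2.0.0/24 dst x.x.x.x/32
   dir in priority 371327
   tmpl src y.y.y.y dst x.x.x.x
     proto esp reqid 1 mode tunnel
"""
# charon log line from the post, after the renegotiation.
CHARON_LINE = ("[IKE] CHILD_SA net-net{1} established with SPIs "
               "c9034629_i 3fb0d026_o and TS x.x.x.x/32 === 192.2.0.0/24")

# One policy entry: selector line, dir/priority line, template line, proto line.
POLICY_RE = re.compile(
    r"src (\S+) dst (\S+)\n\s+dir (\w+) priority (\d+)\n"
    r"\s+tmpl src (\S+) dst (\S+)\n\s+proto (\w+)(?: spi (0x[0-9a-f]+))?"
    r" reqid (\d+) mode (\w+)")

def parse_xfrm_policy(text):
    """Parse `ip xfrm policy` output; spi is None when the template carries none."""
    return [{"src": m[0], "dst": m[1], "dir": m[2], "priority": int(m[3]),
             "tmpl_src": m[4], "tmpl_dst": m[5], "proto": m[6],
             "spi": int(m[7], 16) if m[7] else None,
             "reqid": int(m[8]), "mode": m[9]}
            for m in POLICY_RE.findall(text)]

SPI_RE = re.compile(r"established with SPIs ([0-9a-f]+)_i ([0-9a-f]+)_o")

def parse_charon_spis(line):
    """Return (inbound, outbound) SPIs as ints from a charon CHILD_SA line."""
    m = SPI_RE.search(line)
    if not m:
        raise ValueError("no CHILD_SA SPIs found in line")
    return int(m[1], 16), int(m[2], 16)

def find_stale_outbound(policies, reqid, out_spi):
    """Outbound policies for reqid whose template SPI is not the negotiated one."""
    return [p for p in policies
            if p["dir"] == "out" and p["reqid"] == reqid and p["spi"] != out_spi]

if __name__ == "__main__":
    _, out_spi = parse_charon_spis(CHARON_LINE)
    for p in find_stale_outbound(parse_xfrm_policy(XFRM_POLICY_BEFORE), 1, out_spi):
        print("stale outbound template: kernel has %#x, charon negotiated %#x"
              % (p["spi"], out_spi))
```

Run it against a live `ip xfrm policy` capture and the matching charon log line after each rekey to see whether the kernel template lags the negotiated SPI.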