Greetings,
Responder: OpenBSD 6.8 GENERIC.MP#4 amd64 iked
Initiator: pfSense 2.4.5-RELEASE-p1 (arm) [FreeBSD 11.3-STABLE]
(built on Tue Jun 02 17:45:24 EDT 2020) strongSwan 5.8.4
Using IKEv2 for tunnel from a residential gateway to passive iked
responder. Using RSA auth with PKI from ikectl(8). Phase 1 setup with
IKE SAs and initial child SAs and connection time flow insertion works
great, but subsequent rekey attempts after configured timeout fail out
with NO_PROPOSAL_CHOSEN:
### Initial setup (responder)
Jan 26 17:50:21 strannik iked[41041]: spi=0x6184b254a8e8d175: recv
IKE_SA_INIT req 0 peer x.y.113.164:500 local x.y.97.55:500, 464 bytes,
policy 'home'
Jan 26 17:50:21 strannik iked[41041]: spi=0x6184b254a8e8d175: send
IKE_SA_INIT res 0 peer x.y.113.164:500 local x.y.97.55:500, 471 bytes
Jan 26 17:50:21 strannik iked[41041]: spi=0x6184b254a8e8d175: recv
IKE_AUTH req 1 peer x.y.113.164:4500 local x.y.97.55:4500, 1472 bytes,
policy 'home'
Jan 26 17:50:21 strannik iked[41041]: spi=0x6184b254a8e8d175: send
IKE_AUTH res 1 peer x.y.113.164:4500 local x.y.97.55:4500, 1328 bytes,
NAT-T
Jan 26 17:50:21 strannik iked[41041]: spi=0x6184b254a8e8d175:
ikev2_childsa_enable: loaded SPIs: 0x57a023eb, 0xc696f983
Jan 26 17:50:21 strannik iked[41041]: spi=0x6184b254a8e8d175:
ikev2_childsa_enable: loaded flows: ESP-10.0.10.0/24=10.0.1.0/24(0),
ESP-10.0.10.0/24=10.0.4.0/24(0), ESP-10.0.10.0/24=10.0.7.0/24(0)
Jan 26 17:50:21 strannik iked[41041]: spi=0x6184b254a8e8d175:
established peer x.y.113.164:4500[ASN1_DN//CN=initiator] local
x.y.97.55:4500[ASN1_DN//CN=responder] policy 'home' as responder
### Rekey failure (responder)
Jan 26 18:48:30 strannik iked[41041]: ikev2_resp_create_child_sa: no
proposal chosen
Jan 26 18:48:30 strannik iked[41041]: spi=0x6184b254a8e8d175:
ikev2_log_proposal: ESP #1 ENCR=AES_CBC-256
Jan 26 18:48:30 strannik iked[41041]: spi=0x6184b254a8e8d175:
ikev2_log_proposal: ESP #1 INTEGR=HMAC_SHA2_256_128
Jan 26 18:48:30 strannik iked[41041]: spi=0x6184b254a8e8d175:
ikev2_log_proposal: ESP #1 DH=MODP_2048
Jan 26 18:48:30 strannik iked[41041]: spi=0x6184b254a8e8d175:
ikev2_log_proposal: ESP #1 ESN=NONE
Jan 26 18:48:30 strannik iked[41041]: spi=0x6184b254a8e8d175:
ikev2_add_error: NO_PROPOSAL_CHOSEN
During the failure state the tunnel stays established and both sides
report connected status, but no traffic flows over the tunnel.
Attempts to renegotiate phase 2 appear to happen every 10s after that
point.
# ikectl show sa
iked_sas: 0x9481f54d7d0 rspi 0xfd60f500455aa58f ispi
0xf2134f3e308e03da
x.y.97.55:4500->x.y.113.164:4500<ASN1_DN//CN=initiator>[] ESTABLISHED
r natt nexti 0x0 pol 0x94868ba9000
sa_flows: 0x94858fa4c00 ESP out 10.0.10.0/24 -> 10.0.1.0/24 [0]@-1
(L) @0x9481f54d7d0
sa_flows: 0x94858fa1400 ESP in 10.0.1.0/24 -> 10.0.10.0/24 [0]@-1
(L) @0x9481f54d7d0
sa_flows: 0x94858fa4000 ESP out 10.0.10.0/24 -> 10.0.4.0/24 [0]@-1
(L) @0x9481f54d7d0
sa_flows: 0x947e1ca9400 ESP in 10.0.4.0/24 -> 10.0.10.0/24 [0]@-1
(L) @0x9481f54d7d0
sa_flows: 0x94858fa4400 ESP out 10.0.10.0/24 -> 10.0.7.0/24 [0]@-1
(L) @0x9481f54d7d0
sa_flows: 0x94858fa1800 ESP in 10.0.7.0/24 -> 10.0.10.0/24 [0]@-1
(L) @0x9481f54d7d0
iked_flows: 0x94858fa1400 ESP in 10.0.1.0/24 -> 10.0.10.0/24 [0]@-1
(L) @0x9481f54d7d0
iked_flows: 0x947e1ca9400 ESP in 10.0.4.0/24 -> 10.0.10.0/24 [0]@-1
(L) @0x9481f54d7d0
iked_flows: 0x94858fa1800 ESP in 10.0.7.0/24 -> 10.0.10.0/24 [0]@-1
(L) @0x9481f54d7d0
iked_flows: 0x94858fa4c00 ESP out 10.0.10.0/24 -> 10.0.1.0/24 [0]@-1
(L) @0x9481f54d7d0
iked_flows: 0x94858fa4000 ESP out 10.0.10.0/24 -> 10.0.4.0/24 [0]@-1
(L) @0x9481f54d7d0
iked_flows: 0x94858fa4400 ESP out 10.0.10.0/24 -> 10.0.7.0/24 [0]@-1
(L) @0x9481f54d7d0
iked_dstid_sas: 0x9481f54d7d0 rspi 0xfd60f500455aa58f ispi
0xf2134f3e308e03da
x.y.97.55:4500->x.y.113.164:4500<ASN1_DN//CN=initiator>[] ESTABLISHED
r natt nexti 0x0 pol 0x94868ba9000
### Configuration, responder
ikev2 "home" passive esp inet \
from 10.0.10.0/24 to 10.0.1.0/24 \
from 10.0.10.0/24 to 10.0.4.0/24 \
from 10.0.10.0/24 to 10.0.7.0/24 \
local responder peer initiator \
srcid "/CN=responder" dstid "/CN=initiator"
### dmesg, responder
OpenBSD 6.8 (GENERIC.MP) #4: Mon Jan 11 10:35:56 MST 2021
[email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4278042624 (4079MB)
avail mem = 4133351424 (3941MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xf5920 (10 entries)
bios0: vendor SeaBIOS version
"rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org" date 04/01/2014
bios0: QEMU Standard PC (i440FX + PIIX, 1996)
acpi0 at bios0: ACPI 1.0
acpi0: sleep states S3 S4 S5
acpi0: tables DSDT FACP APIC HPET
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel Xeon Processor (Skylake, IBRS), 2594.80 MHz, 06-55-04
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,AVX512F,AVX512DQ,CLWB,AVX512CD,AVX512BW,AVX512VL,PKU,IBRS,IBPB,SSBD,ARAT,XSAVEOPT,MELTDOWN
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB
64b/line 16-way L2 cache
cpu0: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 1000MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel Xeon Processor (Skylake, IBRS), 2594.61 MHz, 06-55-04
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,AVX512F,AVX512DQ,CLWB,AVX512CD,AVX512BW,AVX512VL,PKU,IBRS,IBPB,SSBD,ARAT,XSAVEOPT,MELTDOWN
cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB
64b/line 16-way L2 cache
cpu1: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu1: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 0 pa 0xfec00000, version 20, 24 pins
acpihpet0 at acpi0: 100000000 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
"ACPI0006" at acpi0 not configured
acpipci0 at acpi0 PCI0
acpicmos0 at acpi0
"PNP0A06" at acpi0 not configured
"PNP0A06" at acpi0 not configured
"PNP0A06" at acpi0 not configured
"QEMU0002" at acpi0 not configured
"ACPI0010" at acpi0 not configured
acpicpu0 at acpi0: C1(@1 halt!)
acpicpu1 at acpi0: C1(@1 halt!)
cpu0: using Skylake AVX MDS workaround
pvbus0 at mainbus0: KVM
pvclock0 at pvbus0
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA,
channel 0 wired to compatibility, channel 1 wired to compatibility
pciide0: channel 0 disabled (no drives)
atapiscsi0 at pciide0 channel 1 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0: <QEMU, QEMU DVD-ROM, 2.5+> removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
uhci0 at pci0 dev 1 function 2 "Intel 82371SB USB" rev 0x01: apic 0 int 11
piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: apic 0 int 9
iic0 at piixpm0
vga1 at pci0 dev 2 function 0 "Cirrus Logic CL-GD5446" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
virtio0 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00
vio0 at virtio0: address 56:00:02:c4:9a:25
virtio0: msix per-VQ
virtio1 at pci0 dev 4 function 0 "Qumranet Virtio Storage" rev 0x00
vioblk0 at virtio1
scsibus2 at vioblk0: 1 targets
sd0 at scsibus2 targ 0 lun 0: <VirtIO, Block Device, >
sd0: 81920MB, 512 bytes/sector, 167772160 sectors
virtio1: msix shared
virtio2 at pci0 dev 5 function 0 "Qumranet Virtio Memory Balloon" rev 0x00
viomb0 at virtio2
virtio2: apic 0 int 10
virtio3 at pci0 dev 6 function 0 "Qumranet Virtio RNG" rev 0x00
viornd0 at virtio3
virtio3: apic 0 int 10
isa0 at pcib0
isadma0 at isa0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 configuration 1 interface 0 "Intel UHCI root hub" rev
1.00/1.00 addr 1
uhidev0 at uhub0 port 1 configuration 1 interface 0 "QEMU QEMU USB
Tablet" rev 2.00/0.00 addr 2
uhidev0: iclass 3/0
ums0 at uhidev0: 3 buttons, Z dir
wsmouse1 at ums0 mux 0
vscsi0 at root
scsibus3 at vscsi0: 256 targets
softraid0 at root
scsibus4 at softraid0: 256 targets
root on sd0a (e9f2e2b690e05a87.a) swap on sd0b dump on sd0b
fd0 at fdc0 drive 1: density unknown
--
Darren Spruell
[email protected]
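As an added example (not part of Darren's post, and not iked's own code), here is a small Python triage script for the situation above: it ingests responder log lines in the format quoted in the post (re-joined onto single lines), ties the ikev2_log_proposal and ikev2_add_error lines to the IKE SA SPI, reports how long after "established" the first NO_PROPOSAL_CHOSEN arrived, and compares the peer's CREATE_CHILD_SA proposal against a local ESP transform set so the transform type with no overlap stands out. The LOCAL_ESP table is made up for the illustration and deliberately disagrees with the peer on the DH group so the comparison has something to show; it is not iked's default and says nothing about what the responder in the post actually offers (the childsa settings in iked.conf(5) are what to check there). The sample log is the post's own lines; everything else is the Python standard library.

```python
"""Triage iked(8) CREATE_CHILD_SA rekey failures from syslog lines.

Groups events by IKE SA SPI, then reports each SA that logged
NO_PROPOSAL_CHOSEN together with the peer's proposal and the transform
types that share nothing with a local transform set.
"""
import json
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the responder log lines from the post, wrapped lines re-joined.
SAMPLE_LOG = """\
Jan 26 17:50:21 strannik iked[41041]: spi=0x6184b254a8e8d175: recv IKE_SA_INIT req 0 peer x.y.113.164:500 local x.y.97.55:500, 464 bytes, policy 'home'
Jan 26 17:50:21 strannik iked[41041]: spi=0x6184b254a8e8d175: send IKE_SA_INIT res 0 peer x.y.113.164:500 local x.y.97.55:500, 471 bytes
Jan 26 17:50:21 strannik iked[41041]: spi=0x6184b254a8e8d175: recv IKE_AUTH req 1 peer x.y.113.164:4500 local x.y.97.55:4500, 1472 bytes, policy 'home'
Jan 26 17:50:21 strannik iked[41041]: spi=0x6184b254a8e8d175: send IKE_AUTH res 1 peer x.y.113.164:4500 local x.y.97.55:4500, 1328 bytes, NAT-T
Jan 26 17:50:21 strannik iked[41041]: spi=0x6184b254a8e8d175: ikev2_childsa_enable: loaded SPIs: 0x57a023eb, 0xc696f983
Jan 26 17:50:21 strannik iked[41041]: spi=0x6184b254a8e8d175: ikev2_childsa_enable: loaded flows: ESP-10.0.10.0/24=10.0.1.0/24(0), ESP-10.0.10.0/24=10.0.4.0/24(0), ESP-10.0.10.0/24=10.0.7.0/24(0)
Jan 26 17:50:21 strannik iked[41041]: spi=0x6184b254a8e8d175: established peer x.y.113.164:4500[ASN1_DN//CN=initiator] local x.y.97.55:4500[ASN1_DN//CN=responder] policy 'home' as responder
Jan 26 18:48:30 strannik iked[41041]: ikev2_resp_create_child_sa: no proposal chosen
Jan 26 18:48:30 strannik iked[41041]: spi=0x6184b254a8e8d175: ikev2_log_proposal: ESP #1 ENCR=AES_CBC-256
Jan 26 18:48:30 strannik iked[41041]: spi=0x6184b254a8e8d175: ikev2_log_proposal: ESP #1 INTEGR=HMAC_SHA2_256_128
Jan 26 18:48:30 strannik iked[41041]: spi=0x6184b254a8e8d175: ikev2_log_proposal: ESP #1 DH=MODP_2048
Jan 26 18:48:30 strannik iked[41041]: spi=0x6184b254a8e8d175: ikev2_log_proposal: ESP #1 ESN=NONE
Jan 26 18:48:30 strannik iked[41041]: spi=0x6184b254a8e8d175: ikev2_add_error: NO_PROPOSAL_CHOSEN
"""

# HYPOTHETICAL local ESP transform set, invented for this illustration.  It is
# not iked's default; replace it with what the responder really offers.
LOCAL_ESP = {
    "ENCR": {"AES_CBC-256", "AES_GCM_16-256"},
    "INTEGR": {"HMAC_SHA2_256_128"},
    "DH": {"ECP_256"},
    "ESN": {"NONE"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ iked\[\d+\]: "
    r"(?:spi=(?P<spi>0x[0-9a-f]+): )?(?P<msg>.*)$"
)
PROPOSAL_RE = re.compile(
    r"ikev2_log_proposal: (?P<proto>\w+) #(?P<num>\d+) (?P<type>\w+)=(?P<xform>\S+)"
)


def parse_iked_log(text):
    """Return {spi: state} built from iked syslog lines; lines without an SPI are skipped."""
    sas = defaultdict(lambda: {
        "established": None, "child_spis": [], "flows": [],
        "proposals": defaultdict(lambda: defaultdict(set)), "errors": [],
    })
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["spi"] is None:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog has no year
        sa, msg = sas[m["spi"]], m["msg"]
        if msg.startswith("established "):
            sa["established"] = ts
        elif msg.startswith("ikev2_childsa_enable: loaded SPIs: "):
            sa["child_spis"] += msg.split(": ", 2)[2].split(", ")
        elif msg.startswith("ikev2_childsa_enable: loaded flows: "):
            sa["flows"] += msg.split(": ", 2)[2].split(", ")
        elif msg.startswith("ikev2_add_error: "):
            sa["errors"].append((ts, msg.split(": ", 1)[1]))
        else:
            p = PROPOSAL_RE.match(msg)
            if p:  # one line per transform; collect them under (proto, proposal #)
                sa["proposals"][(p["proto"], p["num"])][p["type"]].add(p["xform"])
    return dict(sas)


def find_mismatches(proposal, local):
    """Transform types in the peer's proposal that share no transform with ours."""
    return sorted(t for t, xforms in proposal.items() if not (xforms & local.get(t, set())))


def triage(sas, local=LOCAL_ESP):
    """One finding per SA that hit NO_PROPOSAL_CHOSEN, with the proposal comparison."""
    findings = []
    for spi, sa in sas.items():
        fails = [ts for ts, err in sa["errors"] if err == "NO_PROPOSAL_CHOSEN"]
        if not fails:
            continue
        age = None
        if sa["established"] is not None:
            age = int((fails[0] - sa["established"]).total_seconds())
        findings.append({
            "spi": spi,
            "failures": len(fails),
            "seconds_after_established": age,
            "child_spis": sa["child_spis"],
            "proposals": {
                f"{proto} #{num}": {
                    "peer": {t: sorted(x) for t, x in prop.items()},
                    "no_overlap": find_mismatches(prop, local),
                }
                for (proto, num), prop in sa["proposals"].items()
            },
        })
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(parse_iked_log(SAMPLE_LOG)), indent=2))
```

On the sample it reports the SA established at 17:50:21 failing its first rekey 3489 seconds later, with the peer offering ENCR=AES_CBC-256, INTEGR=HMAC_SHA2_256_128, DH=MODP_2048, ESN=NONE and, under the made-up LOCAL_ESP, DH as the only transform type with no overlap. For a real responder, feed it the iked lines from syslog and fill LOCAL_ESP from the policy's childsa configuration; the comparison is only as good as that table.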