E.g., see this log:

Apr  5 18:56:32.909849: "west" #4: sent CREATE_CHILD_SA request to rekey IPsec SA
Apr  5 18:56:32.917812: "west" #4: rekeyed #3 STATE_V2_REKEY_CHILD_I1 and expire it remaining life 28774.21038s
Apr  5 18:56:32.917920: "west" #4: negotiated connection [192.0.1.0-192.0.1.255:0-65535 0] -> [192.0.2.0-192.0.2.255:0-65535 0]
Apr  5 18:56:32.917928: "west" #4: IPsec SA established tunnel mode {ESP=>0x19ae6dab <0x0ec6e523 xfrm=AES_GCM_16_256-NONE-MODP2048 NATOA=none NATD=none DPD=passive}
Apr  5 18:56:33.918801: "west" #3: deleting state (STATE_V2_ESTABLISHED_CHILD_SA) aged 26.826433s and sending notification
Apr  5 18:56:33.918917: "west" #3: ESP traffic information: in=1KB out=1KB
Apr  5 18:56:33.921937: "west" #1: received delete request for IKEv2_SEC_PROTO_ESP SA(0xfe024578) but corresponding state not found
Apr  5 18:56:33.922055: "west" #1: established IKE SA
Apr  5 18:56:46.640199: "west" #1: received Delete SA payload: replace CHILD SA #4 now
Apr  5 18:56:46.640351: "west" #1: established IKE SA

The only event here was a CREATE_CHILD_SA for a Child SA. It should not
print those "established IKE SA" messages.

Also, I wonder if we should keep a recent list of deleted IPsec and
IKE SPIs, so when we get a delete response for something we have just
deleted, we don't show a weird "not found" error.

Paul
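
The recently deleted SPI list proposed in the message above, written out in C as an added example (not libreswan code and not from the post's author). The ring size, the 30 second window, the log wording and every identifier are assumptions; the sample SPI is the one from the "not found" log line, assumed here to belong to an SA this side had just deleted.

```c
/* Added example, not libreswan code; all names, sizes and texts are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define RECENT_SLOTS 8     /* assumed ring size */
#define RECENT_TTL   30    /* assumed seconds a deleted SPI is remembered */
enum sa_proto { SA_IKE, SA_ESP, SA_AH };
struct recent_spi { bool used; enum sa_proto proto; uint64_t spi; time_t when; };
struct recent_ring { struct recent_spi slot[RECENT_SLOTS]; size_t next; };

/* Record an SPI at the moment its state is deleted; overwrites the oldest slot. */
void recent_note(struct recent_ring *r, enum sa_proto p, uint64_t spi, time_t now)
{
    r->slot[r->next] = (struct recent_spi){ true, p, spi, now };
    r->next = (r->next + 1) % RECENT_SLOTS;
}

/* True if this protocol/SPI pair was deleted locally within RECENT_TTL seconds. */
bool recent_seen(const struct recent_ring *r, enum sa_proto p, uint64_t spi, time_t now)
{
    for (size_t i = 0; i < RECENT_SLOTS; i++) {
        const struct recent_spi *e = &r->slot[i];
        if (e->used && e->proto == p && e->spi == spi &&
            now >= e->when && now - e->when <= RECENT_TTL)
            return true;
    }
    return false;
}

/* Choose the log text for a delete request whose state lookup failed. */
const char *delete_miss_text(const struct recent_ring *r, enum sa_proto p,
                             uint64_t spi, time_t now)
{
    return recent_seen(r, p, spi, now) ? "delete for SA we already deleted; ignoring"
                                       : "corresponding state not found";
}

int main(void)
{
    static struct recent_ring ring;             /* zero-initialised: all slots unused */
    time_t t0 = 1000;                           /* constructed timestamp */
    recent_note(&ring, SA_ESP, 0xfe024578, t0); /* SPI from the log, assumed ours */
    printf("%s\n", delete_miss_text(&ring, SA_ESP, 0xfe024578, t0 + 1));
    printf("%s\n", delete_miss_text(&ring, SA_ESP, 0xfe024578, t0 + 31));
    return 0;
}
```

Keeping the window short and the ring small means a delete for an SPI that was never ours, or one deleted long ago, still produces the "not found" message, so genuinely unexpected deletes remain visible in the log.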