Hi all,

Sorry to bother you with this, but this issue is quite blocking for us. Can somebody help us on this?

Regards,
Marc

From: Marc Ledent
Sent: Thursday 31 March 2016 15:13
To: '[email protected]' <[email protected]>
Subject: IPSEC SA replace also replaces ISAKMP SA

Hi all,

We have a strange behaviour on one of our tunnels. On this tunnel, when the IPSEC SA is coming to expiration, it is replaced WITH the ISAKMP SA, but WITHOUT deleting this latter, which leads to an increasing number of "to be replaced" ISAKMP SAs. I did some searching on the internet but without results...

The config:

000 "conn_name/1x1": 0.0.0.0/0===XXXX<XXXXXXXX>...YYYYYYYY<YYYYYYYYY>===0.0.0.0/0; erouted; eroute owner: #595
000 "conn_name/1x1": oriented; my_ip=unset; their_ip=unset; myup=/etc/ipsec.d/conn_name-vpn.sh
000 "conn_name/1x1": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]
000 "conn_name/1x1": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "conn_name/1x1": labeled_ipsec:no;
000 "conn_name/1x1": policy_label:unset;
000 "conn_name/1x1": ike_life: 28800s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "conn_name/1x1": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "conn_name/1x1": sha2_truncbug:no; initial_contact:no; cisco_unity:no; fake_strongswan:no; send_vendorid:no;
000 "conn_name/1x1": policy: PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "conn_name/1x1": conn_prio: 0,0; interface: ens225; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset; mark: 10/0xffffffff;
000 "conn_name/1x1": newest ISAKMP SA: #594; newest IPsec SA: #595;
000 "conn_name/1x1": aliases: conn_name
000 "conn_name/1x1": IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP2048(14), AES_CBC(7)_128-SHA1(2)_000-MODP1536(5), AES_CBC(7)_128-SHA1(2)_000-MODP1024(2)
000 "conn_name/1x1": IKE algorithms found: AES_CBC(7)_128-SHA1(2)_160-MODP2048(14), AES_CBC(7)_128-SHA1(2)_160-MODP1536(5), AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
000 "conn_name/1x1": IKEv2 algorithm newest: AES_CBC_128-AUTH_HMAC_SHA1_96-PRF_HMAC_SHA1-MODP2048
000 "conn_name/1x1": ESP algorithms wanted: AES(12)_128-SHA1(2)_000; pfsgroup=MODP2048(14)
000 "conn_name/1x1": ESP algorithms loaded: AES(12)_128-SHA1(2)_000

# active SAs
000 #595: "conn_name/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 1890s; newest IPSEC; eroute owner; isakmp#594; idle; import:respond to stranger
000 #595: "conn_name/1x1" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=4294901761 Traffic: ESPin=3MB ESPout=5MB! ESPmax=0B
000 #594: "conn_name/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 27026s; newest ISAKMP; isakmp#0; idle; import:respond to stranger
000 #594: "conn_name/1x1" ref=0 refhim=0 Traffic:

# "dead" SAs
000 #392: "bics/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 798s; isakmp#0; idle; import:respond to stranger
000 #392: "bics/1x1" ref=0 refhim=0 Traffic:
000 #414: "bics/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 3672s; isakmp#0; idle; import:respond to stranger
000 #414: "bics/1x1" ref=0 refhim=0 Traffic:
000 #551: "bics/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 21212s; isakmp#0; idle; import:respond to stranger
000 #551: "bics/1x1" ref=0 refhim=0 Traffic:

Any ideas?

Regards,
Marc
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
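An operator hit by the SA accumulation Marc describes usually wants a check that runs over `ipsec status` output and flags IKE (ISAKMP) SAs that are neither the connection's "newest ISAKMP SA" nor the parent of any IPsec SA. The script below is an added example written for this thread; it is not code from Marc's mail or from the libreswan project. The line patterns it matches are an assumption based on the status lines quoted in the mail (the `isakmp#N` field on each SA line, `isakmp#0` marking an IKE SA itself, and the `newest ISAKMP SA: #N; newest IPsec SA: #M;` connection line); the sample status text, connection name `vpn1/1x1` and SA numbers are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the `ipsec status` output quoted in the mail.
# Connection name, SA numbers and timers are made up for this example.
SAMPLE_STATUS = """\
000 "vpn1/1x1": newest ISAKMP SA: #594; newest IPsec SA: #595;
000 #595: "vpn1/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 1890s; newest IPSEC; eroute owner; isakmp#594; idle; import:respond to stranger
000 #595: "vpn1/1x1" ref=0 refhim=4294901761 Traffic: ESPin=3MB ESPout=5MB! ESPmax=0B
000 #594: "vpn1/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 27026s; newest ISAKMP; isakmp#0; idle; import:respond to stranger
000 #594: "vpn1/1x1" ref=0 refhim=0 Traffic:
000 #392: "vpn1/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 798s; isakmp#0; idle; import:respond to stranger
000 #392: "vpn1/1x1" ref=0 refhim=0 Traffic:
000 #414: "vpn1/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 3672s; isakmp#0; idle; import:respond to stranger
000 #414: "vpn1/1x1" ref=0 refhim=0 Traffic:
000 #551: "vpn1/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 21212s; isakmp#0; idle; import:respond to stranger
000 #551: "vpn1/1x1" ref=0 refhim=0 Traffic:
"""

# Assumed line formats, derived from the status lines shown in the mail.
NEWEST_RE = re.compile(
    r'^000 "(?P<conn>[^"]+)": newest ISAKMP SA: #(?P<ike>\d+); newest IPsec SA: #(?P<ipsec>\d+);')
SA_RE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)":\d+ (?P<state>STATE_\S+) .*?isakmp#(?P<parent>\d+)')
REPLACE_RE = re.compile(r'EVENT_SA_REPLACE in (?P<secs>\d+)s')


def parse_status(text):
    """Return (newest, sas).

    newest: conn name -> (newest IKE SA number, newest IPsec SA number)
    sas:    SA number  -> {'conn', 'state', 'parent', 'replace_in'}
    A 'parent' of 0 means the line describes an IKE/ISAKMP SA itself;
    any other value is the IKE SA that owns this IPsec (child) SA.
    """
    newest = {}
    sas = {}
    for line in text.splitlines():
        m = NEWEST_RE.match(line)
        if m:
            newest[m['conn']] = (int(m['ike']), int(m['ipsec']))
            continue
        m = SA_RE.match(line)
        if m:
            r = REPLACE_RE.search(line)
            sas[int(m['num'])] = {
                'conn': m['conn'],
                'state': m['state'],
                'parent': int(m['parent']),
                'replace_in': int(r['secs']) if r else None,
            }
    return newest, sas


def stale_ike_sas(text):
    """IKE SAs that are neither the newest IKE SA of their connection nor the
    parent of any IPsec SA: the "dead" SAs the mail lists, which only hold a
    rekey timer and otherwise protect no traffic."""
    newest, sas = parse_status(text)
    referenced = {sa['parent'] for sa in sas.values() if sa['parent'] != 0}
    stale = []
    for num, sa in sorted(sas.items()):
        if sa['parent'] != 0:
            continue  # an IPsec SA, not an IKE SA
        is_newest = newest.get(sa['conn'], (None, None))[0] == num
        if not is_newest and num not in referenced:
            stale.append(num)
    return stale


def ike_sa_count(text):
    """IKE SAs per connection. One (briefly two during a rekey) is normal;
    a count that keeps growing across status samples is the leak symptom."""
    _, sas = parse_status(text)
    counts = defaultdict(int)
    for sa in sas.values():
        if sa['parent'] == 0:
            counts[sa['conn']] += 1
    return dict(counts)


if __name__ == "__main__":
    print("stale IKE SAs:", stale_ike_sas(SAMPLE_STATUS))
    print("IKE SAs per connection:", ike_sa_count(SAMPLE_STATUS))
```

Note that the state column cannot separate the two SA kinds here: in the quoted output both the IPsec SA #595 and the IKE SA #594 show `STATE_PARENT_I3`, so the script keys on the `isakmp#` field instead. Run periodically against `ipsec status`, a non-empty `stale_ike_sas` result or a rising `ike_sa_count` is the condition to alert on before the daemon accumulates dozens of idle IKE SAs.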
