Do you still see this with 3.17? That version has a fix for shared IKE connections such as aliases that you are using.
If you do, can you send me a Pluto log offlist?

Paul

Sent from my iPhone

> On Apr 5, 2016, at 06:34, Marc Ledent <[email protected]> wrote:
>
> Hi all,
>
> Sorry to bother you with this, but this issue is quite blocking for us. Can
> somebody help us on this?
>
> Regards,
> Marc
>
> From: Marc Ledent
> Sent: Thursday, 31 March 2016 15:13
> To: '[email protected]' <[email protected]>
> Subject: IPSEC SA replace also replaces ISAKMP SA
>
> Hi all,
>
> We have a strange behaviour on one of our tunnels.
>
> On this tunnel, when the IPSEC SA is coming to expiration, it is replaced
> WITH the ISAKMP SA, but WITHOUT deleting this latter, which leads to an
> increasing number of “to be replaced” ISAKMP SA.
>
> I made some searches on the internet but without results…
>
> The config:
>
> 000 "conn_name/1x1": 0.0.0.0/0===XXXX<XXXXXXXX>...YYYYYYYY<YYYYYYYYY>===0.0.0.0/0; erouted; eroute owner: #595
> 000 "conn_name/1x1": oriented; my_ip=unset; their_ip=unset; myup=/etc/ipsec.d/conn_name-vpn.sh
> 000 "conn_name/1x1": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]
> 000 "conn_name/1x1": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
> 000 "conn_name/1x1": labeled_ipsec:no;
> 000 "conn_name/1x1": policy_label:unset;
> 000 "conn_name/1x1": ike_life: 28800s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
> 000 "conn_name/1x1": retransmit-interval: 500ms; retransmit-timeout: 60s;
> 000 "conn_name/1x1": sha2_truncbug:no; initial_contact:no; cisco_unity:no; fake_strongswan:no; send_vendorid:no;
> 000 "conn_name/1x1": policy: PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW;
> 000 "conn_name/1x1": conn_prio: 0,0; interface: ens225; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset; mark: 10/0xffffffff;
> 000 "conn_name/1x1": newest ISAKMP SA: #594; newest IPsec SA: #595;
> 000 "conn_name/1x1": aliases: conn_name
> 000 "conn_name/1x1": IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP2048(14), AES_CBC(7)_128-SHA1(2)_000-MODP1536(5), AES_CBC(7)_128-SHA1(2)_000-MODP1024(2)
> 000 "conn_name/1x1": IKE algorithms found: AES_CBC(7)_128-SHA1(2)_160-MODP2048(14), AES_CBC(7)_128-SHA1(2)_160-MODP1536(5), AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
> 000 "conn_name/1x1": IKEv2 algorithm newest: AES_CBC_128-AUTH_HMAC_SHA1_96-PRF_HMAC_SHA1-MODP2048
> 000 "conn_name/1x1": ESP algorithms wanted: AES(12)_128-SHA1(2)_000; pfsgroup=MODP2048(14)
> 000 "conn_name/1x1": ESP algorithms loaded: AES(12)_128-SHA1(2)_000
>
> # active SAs
> 000 #595: "conn_name/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 1890s; newest IPSEC; eroute owner; isakmp#594; idle; import:respond to stranger
> 000 #595: "conn_name/1x1" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=4294901761 Traffic: ESPin=3MB ESPout=5MB! ESPmax=0B
> 000 #594: "conn_name/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 27026s; newest ISAKMP; isakmp#0; idle; import:respond to stranger
> 000 #594: "conn_name/1x1" ref=0 refhim=0 Traffic:
>
> # “dead” SAs
> 000 #392: "bics/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 798s; isakmp#0; idle; import:respond to stranger
> 000 #392: "bics/1x1" ref=0 refhim=0 Traffic:
> 000 #414: "bics/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 3672s; isakmp#0; idle; import:respond to stranger
> 000 #414: "bics/1x1" ref=0 refhim=0 Traffic:
> 000 #551: "bics/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 21212s; isakmp#0; idle; import:respond to stranger
> 000 #551: "bics/1x1" ref=0 refhim=0 Traffic:
>
> Any ideas?
>
> Regards,
> Marc
> _______________________________________________
> Swan mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan
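As an added example (not from the thread and not libreswan code), a small Python checker that parses `ipsec status` state lines like the ones Marc quoted and lists, per connection, the established IKE SAs that are no longer marked `newest ISAKMP`, which is what an accumulating pile of "to be replaced" ISAKMP SAs looks like. Reading `isakmp#0` as "this entry is itself the IKE SA" (a child SA carries its parent's serial there) is an assumption about the status format; the sample lines are constructed from the quoted output.

```python
import re

# Constructed sample, modelled on the "ipsec status" lines quoted in the thread
# (one entry per line; the #594 "Traffic:" line is kept to show it is skipped).
SAMPLE_STATUS = """\
000 #595: "conn_name/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 1890s; newest IPSEC; eroute owner; isakmp#594; idle; import:respond to stranger
000 #594: "conn_name/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 27026s; newest ISAKMP; isakmp#0; idle; import:respond to stranger
000 #594: "conn_name/1x1" ref=0 refhim=0 Traffic:
000 #392: "bics/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 798s; isakmp#0; idle; import:respond to stranger
000 #414: "bics/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 3672s; isakmp#0; idle; import:respond to stranger
000 #551: "bics/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 21212s; isakmp#0; idle; import:respond to stranger
"""

# serial, connection, state name, description, then "; "-separated annotations
STATE_RE = re.compile(r'^000 #(\d+): "([^"]+)":\d+ (\S+) \(([^)]*)\); (.*)$')
REPLACE_RE = re.compile(r"EVENT_SA_REPLACE in (\d+)s")


def parse_states(status_text):
    """One dict per state entry; lines that are not a state header are skipped."""
    states = []
    for line in status_text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        flags = m.group(5).split("; ")
        timers = [int(t.group(1)) for t in map(REPLACE_RE.match, flags) if t]
        states.append({"serial": int(m.group(1)), "conn": m.group(2),
                       "state": m.group(3), "flags": flags,
                       "established": "SA established" in m.group(4),
                       "replace_in": timers[0] if timers else None})
    return states


def orphaned_ike_sas(states):
    """connection -> sorted serials of established IKE SAs that are not the
    connection's "newest ISAKMP".  Assumption: "isakmp#0" marks an IKE SA itself
    (a child SA carries its parent's serial); a growing list is the leak above."""
    orphans = {}
    for s in states:
        if not s["established"] or "isakmp#0" not in s["flags"]:
            continue
        if "newest ISAKMP" not in s["flags"]:
            orphans.setdefault(s["conn"], []).append(s["serial"])
    return {c: sorted(v) for c, v in orphans.items()}


if __name__ == "__main__":
    for conn, serials in orphaned_ike_sas(parse_states(SAMPLE_STATUS)).items():
        print(f"{conn}: {len(serials)} stale ISAKMP SA(s) {serials}")
```

Feeding it the live output of `ipsec status` on a schedule and alerting when a connection's list grows across rekeys gives an early warning of the behaviour in the thread.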
