Hi Paul,

Thanks for your reply. The version we are using is:

# ipsec pluto --version
Libreswan 3.master-201549.git XFRM(netkey) KLIPS NSS DNSSEC FIPS_CHECK LABELED_IPSEC LIBCAP_NG XAUTH_PAM NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS)

Regards,
Marc

From: Paul Wouters [mailto:[email protected]]
Sent: Wednesday 6 April 2016 14:31
To: Marc Ledent <[email protected]>
Cc: [email protected]
Subject: Re: [Swan] IPSEC SA replace also replaces ISAKMP SA

Do you still see this with 3.17? That version has a fix for shared IKE connections such as aliases that you are using. If you do, can you send me a Pluto log offlist?

Paul

Sent from my iPhone

On Apr 5, 2016, at 06:34, Marc Ledent <[email protected]> wrote:

Hi all,

Sorry to bother you with this, but this issue is quite blocking for us. Can somebody help us with this?

Regards,
Marc

From: Marc Ledent
Sent: Thursday 31 March 2016 15:13
To: '[email protected]' <[email protected]>
Subject: IPSEC SA replace also replaces ISAKMP SA

Hi all,

We have a strange behaviour on one of our tunnels. On this tunnel, when the IPSEC SA is coming to expiration, it is replaced WITH the ISAKMP SA, but WITHOUT deleting the latter, which leads to an increasing number of “to be replaced” ISAKMP SAs.
I made some searches on the internet but without results…

The config:

000 "conn_name/1x1": 0.0.0.0/0===XXXX<XXXXXXXX>...YYYYYYYY<YYYYYYYYY>===0.0.0.0/0; erouted; eroute owner: #595
000 "conn_name/1x1": oriented; my_ip=unset; their_ip=unset; myup=/etc/ipsec.d/conn_name-vpn.sh
000 "conn_name/1x1": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]
000 "conn_name/1x1": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "conn_name/1x1": labeled_ipsec:no;
000 "conn_name/1x1": policy_label:unset;
000 "conn_name/1x1": ike_life: 28800s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "conn_name/1x1": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "conn_name/1x1": sha2_truncbug:no; initial_contact:no; cisco_unity:no; fake_strongswan:no; send_vendorid:no;
000 "conn_name/1x1": policy: PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "conn_name/1x1": conn_prio: 0,0; interface: ens225; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset; mark: 10/0xffffffff;
000 "conn_name/1x1": newest ISAKMP SA: #594; newest IPsec SA: #595;
000 "conn_name/1x1": aliases: conn_name
000 "conn_name/1x1": IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP2048(14), AES_CBC(7)_128-SHA1(2)_000-MODP1536(5), AES_CBC(7)_128-SHA1(2)_000-MODP1024(2)
000 "conn_name/1x1": IKE algorithms found: AES_CBC(7)_128-SHA1(2)_160-MODP2048(14), AES_CBC(7)_128-SHA1(2)_160-MODP1536(5), AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
000 "conn_name/1x1": IKEv2 algorithm newest: AES_CBC_128-AUTH_HMAC_SHA1_96-PRF_HMAC_SHA1-MODP2048
000 "conn_name/1x1": ESP algorithms wanted: AES(12)_128-SHA1(2)_000; pfsgroup=MODP2048(14)
000 "conn_name/1x1": ESP algorithms loaded: AES(12)_128-SHA1(2)_000

# active SAs
000 #595: "conn_name/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 1890s; newest IPSEC; eroute owner; isakmp#594; idle; import:respond to stranger
000 #595: "conn_name/1x1" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=4294901761 Traffic: ESPin=3MB ESPout=5MB! ESPmax=0B
000 #594: "conn_name/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 27026s; newest ISAKMP; isakmp#0; idle; import:respond to stranger
000 #594: "conn_name/1x1" ref=0 refhim=0 Traffic:

# “dead” SAs
000 #392: "bics/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 798s; isakmp#0; idle; import:respond to stranger
000 #392: "bics/1x1" ref=0 refhim=0 Traffic:
000 #414: "bics/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 3672s; isakmp#0; idle; import:respond to stranger
000 #414: "bics/1x1" ref=0 refhim=0 Traffic:
000 #551: "bics/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 21212s; isakmp#0; idle; import:respond to stranger
000 #551: "bics/1x1" ref=0 refhim=0 Traffic:

Any ideas?

Regards,
Marc

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
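The leaked ISAKMP SAs in the `ipsec status` output above share a signature: "PARENT SA established", `isakmp#0`, no "newest ISAKMP" flag, and no child SA pointing at them, so they only disappear when their own EVENT_SA_REPLACE fires. The following is an added example, not code from the thread or from Libreswan: it parses constructed status lines modelled on the ones quoted above and flags such orphaned IKE SAs; the field heuristics (`isakmp#N`, "newest ISAKMP", "newest IPSEC", "eroute owner") are assumptions drawn only from that output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the `ipsec status` output quoted in the thread: one live
# IKE SA (#594) with its child (#595), plus three IKE SAs that nothing references any more.
SAMPLE_STATUS = """\
000 #595: "conn_name/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 1890s; newest IPSEC; eroute owner; isakmp#594; idle; import:respond to stranger
000 #595: "conn_name/1x1" ref=0 refhim=4294901761 Traffic: ESPin=3MB ESPout=5MB! ESPmax=0B
000 #594: "conn_name/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 27026s; newest ISAKMP; isakmp#0; idle; import:respond to stranger
000 #392: "conn_name/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 798s; isakmp#0; idle; import:respond to stranger
000 #414: "conn_name/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 3672s; isakmp#0; idle; import:respond to stranger
000 #551: "conn_name/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 21212s; isakmp#0; idle; import:respond to stranger
"""
# Matches the state line of each SA only; the "ref=... Traffic:" line has no ":<port>" after the name.
STATE_RE = re.compile(r'^000 #(\d+): "([^"]+)":\d+ \S+ \([^)]*\); (.*)$')

@dataclass
class SaState:
    num: int
    conn: str
    parent: int                # value of isakmp#N; 0 means no parent, i.e. an IKE (ISAKMP) SA
    newest_ike: bool           # carries the "newest ISAKMP" flag
    child_flags: bool          # "newest IPSEC" or "eroute owner": a child SA, not an IKE SA
    replace_in: Optional[int]  # seconds until its EVENT_SA_REPLACE fires, if scheduled

def parse_status(text: str) -> List[SaState]:
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        num, conn, rest = m.groups()
        fields = [f.strip() for f in rest.split(';')]
        parent, replace_in = 0, None
        for f in fields:
            if (pm := re.fullmatch(r'isakmp#(\d+)', f)):
                parent = int(pm.group(1))
            elif (rm := re.fullmatch(r'EVENT_SA_REPLACE in (\d+)s', f)):
                replace_in = int(rm.group(1))
        states.append(SaState(int(num), conn, parent, 'newest ISAKMP' in fields,
                              'newest IPSEC' in fields or 'eroute owner' in fields, replace_in))
    return states

def find_stale_ike_sas(text: str) -> List[SaState]:
    """IKE SAs that are neither the newest ISAKMP SA nor the parent of any listed child SA."""
    states = parse_status(text)
    referenced = {s.parent for s in states if s.parent != 0}   # IKE SAs some child still uses
    return [s for s in states
            if s.parent == 0 and not s.newest_ike and not s.child_flags and s.num not in referenced]
```

Run against real output with `find_stale_ike_sas(subprocess.run(["ipsec", "status"], capture_output=True, text=True).stdout)`; a non-empty result that grows between runs is the symptom described in the thread.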
