Hi,

Looks like there is a leakage with SAs not being cleaned up properly with the latest -git code. I am still running VTIs, so this could be a part of the problem.

At the moment the connection is not operational, however typically after a restart of pluto it will all re-establish again and work fine for a period of time.

On my client side Cisco router:

router-2#show crypto ikev2 sa
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         10.102.51.162/500     139.162.51.249/500    none/none            IN-NEG
      Encr: Unknown - 0, PRF: Unknown - 0, Hash: None, DH Grp:0, Auth sign: Unknown - 0, Auth verify: Unknown - 0
      Life/Active Time: 86400/0 sec

Tunnel-id Local                 Remote                fvrf/ivrf            Status
5         10.102.51.162/4500    139.162.51.249/4500   none/none            IN-NEG
      Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: Unknown - 0
      Life/Active Time: 86400/0 sec

 IPv6 Crypto IKEv2  SA

router-2#

Detailed:

router-2#show crypto ikev2 sa detailed
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         10.102.51.162/4500    139.162.51.249/4500   none/none            IN-NEG
      Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: Unknown - 0
      Life/Active Time: 86400/0 sec
      CE id: 2702, Session-id: 0
      Status Description: Initiator waiting for AUTH response
      Local spi: 397847DBDD8FC442       Remote spi: D6B734438E83914A
      Local id: [email protected]

Status of "Initiator waiting for AUTH response" is probably important here.

Incidentally I am not sure quite why we would want to listen for IPsec connections on the vti interfaces themselves. Is that intentional?

On the libreswan side:

lightning ~ # ipsec status
000 using kernel interface: netkey
000 interface eth0/eth0 2400:8901:e001:3a::23@500
000 interface lo/lo ::1@500
000 interface eth0/eth0 2400:8901:e001:3a::22@500
000 interface eth0/eth0 2400:8901::f03c:91ff:fe6e:9dc@500
000 interface eth0/eth0 2400:8901:e001:3a::21@500
000 interface eth0/eth0 2400:8901:e001:3a::20@500
000 interface lo/lo 127.0.0.1@4500
000 interface lo/lo 127.0.0.1@500
000 interface eth0/eth0 139.162.51.249@4500
000 interface eth0/eth0 139.162.51.249@500
000 interface vti-1/vti-1 192.168.6.1@4500
000 interface vti-1/vti-1 192.168.6.1@500
000
000
000 fips mode=disabled;
000 SElinux=disabled
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d, nssdir=/etc/ipsec.d, dumpdir=/var/run/pluto/, statsbin=unset
000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
000 pluto_version=v3.18-224-gc641972-c6419723fe1138c3d7d052a12f284e95adda1aa9, pluto_vendorid=OE-Libreswan-v3.18-224
000 nhelpers=-1, uniqueids=yes, perpeerlog=no, shuntlifetime=900s, xfrmlifetime=300s
000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 secctx-attr-type=<unsupported>
000 myid = (none)
000 debug none
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, 100.64.0.0/10, fd00::/8, fe80::/10
000
000 ESP algorithms supported:
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=128, keysizemax=128
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm AH/ESP auth: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm AH/ESP auth: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm AH/ESP auth: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=9, name=AUTH_ALGORITHM_AES_XCBC, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=16, v2name=AES_CCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=15, v2name=AES_CCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=14, v2name=AES_CCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=24, v1name=OAKLEY_CAMELLIA_CTR, v2id=24, v2name=CAMELLIA_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=20, v1name=OAKLEY_AES_GCM_C, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=19, v1name=OAKLEY_AES_GCM_B, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=18, v1name=OAKLEY_AES_GCM_A, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashlen=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashlen=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashlen=32
000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashlen=48
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashlen=64
000 algorithm IKE hash: id=9, name=DISABLED-OAKLEY_AES_XCBC, hashlen=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 Connection list:
000
000 "router-2.reub.net": 0.0.0.0/0===139.162.51.249<139.162.51.249>[@lightning.reub.net]...%any[[email protected]]===0.0.0.0/0; unrouted; eroute owner: #0
000 "router-2.reub.net":     oriented; my_ip=unset; their_ip=unset
000 "router-2.reub.net":   xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "router-2.reub.net":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "router-2.reub.net":   labeled_ipsec:no;
000 "router-2.reub.net":   policy_label:unset;
000 "router-2.reub.net":   ike_life: 86400s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "router-2.reub.net":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "router-2.reub.net":   sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "router-2.reub.net":   policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "router-2.reub.net":   conn_prio: 0,0; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "router-2.reub.net":   nflog-group: unset; mark: 12/0x00ffffff, 12/0x00ffffff; vti-iface:vti-1; vti-routing:no; vti-shared:no;
000 "router-2.reub.net":   dpd: action:clear; delay:15; timeout:45; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "router-2.reub.net":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "router-2.reub.net":   IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)-MODP1536(5)
000 "router-2.reub.net":   IKE algorithms found: AES_CBC(7)_256-SHA1(2)-MODP1536(5)
000 "router-2.reub.net":   ESP algorithms wanted: AES(12)_128-SHA1(2); pfsgroup=MODP1536(5)
000 "router-2.reub.net":   ESP algorithms loaded: AES(12)_128-SHA1(2)
000 "router-2.reub.net"[1]: 0.0.0.0/0===139.162.51.249<139.162.51.249>[@lightning.reub.net]...1.144.41.171[[email protected]]===0.0.0.0/0; prospective erouted; eroute owner: #0
000 "router-2.reub.net"[1]:     oriented; my_ip=unset; their_ip=unset
000 "router-2.reub.net"[1]:   xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "router-2.reub.net"[1]:   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "router-2.reub.net"[1]:   labeled_ipsec:no;
000 "router-2.reub.net"[1]:   policy_label:unset;
000 "router-2.reub.net"[1]:   ike_life: 86400s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "router-2.reub.net"[1]:   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "router-2.reub.net"[1]:   sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "router-2.reub.net"[1]:   policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "router-2.reub.net"[1]:   conn_prio: 0,0; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "router-2.reub.net"[1]:   nflog-group: unset; mark: 12/0x00ffffff, 12/0x00ffffff; vti-iface:vti-1; vti-routing:no; vti-shared:no;
000 "router-2.reub.net"[1]:   dpd: action:clear; delay:15; timeout:45; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "router-2.reub.net"[1]:   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "router-2.reub.net"[1]:   IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)-MODP1536(5)
000 "router-2.reub.net"[1]:   IKE algorithms found: AES_CBC(7)_256-SHA1(2)-MODP1536(5)
000 "router-2.reub.net"[1]:   ESP algorithms wanted: AES(12)_128-SHA1(2); pfsgroup=MODP1536(5)
000 "router-2.reub.net"[1]:   ESP algorithms loaded: AES(12)_128-SHA1(2)
000 "router-2.reub.net"[2]: 0.0.0.0/0===139.162.51.249<139.162.51.249>[@lightning.reub.net]...1.144.70.156[[email protected]]===0.0.0.0/0; unrouted; eroute owner: #0
000 "router-2.reub.net"[2]:     oriented; my_ip=unset; their_ip=unset
000 "router-2.reub.net"[2]:   xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "router-2.reub.net"[2]:   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "router-2.reub.net"[2]:   labeled_ipsec:no;
000 "router-2.reub.net"[2]:   policy_label:unset;
000 "router-2.reub.net"[2]:   ike_life: 86400s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "router-2.reub.net"[2]:   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "router-2.reub.net"[2]:   sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "router-2.reub.net"[2]:   policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "router-2.reub.net"[2]:   conn_prio: 0,0; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "router-2.reub.net"[2]:   nflog-group: unset; mark: 12/0x00ffffff, 12/0x00ffffff; vti-iface:vti-1; vti-routing:no; vti-shared:no;
000 "router-2.reub.net"[2]:   dpd: action:clear; delay:15; timeout:45; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "router-2.reub.net"[2]:   newest ISAKMP SA: #9178; newest IPsec SA: #0;
000 "router-2.reub.net"[2]:   IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)-MODP1536(5)
000 "router-2.reub.net"[2]:   IKE algorithms found: AES_CBC(7)_256-SHA1(2)-MODP1536(5)
000 "router-2.reub.net"[2]:   IKEv2 algorithm newest: AES_CBC_256-AUTH_HMAC_SHA1_96-PRF_HMAC_SHA1-MODP1536
000 "router-2.reub.net"[2]:   ESP algorithms wanted: AES(12)_128-SHA1(2); pfsgroup=MODP1536(5)
000 "router-2.reub.net"[2]:   ESP algorithms loaded: AES(12)_128-SHA1(2)
000 "v6neighbor-hole-in": ::/0===::1<::1>:58/34560...%any:58/34816===::/0; prospective erouted; eroute owner: #0
000 "v6neighbor-hole-in":     oriented; my_ip=unset; their_ip=unset
000 "v6neighbor-hole-in":   xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "v6neighbor-hole-in":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "v6neighbor-hole-in":   labeled_ipsec:no;
000 "v6neighbor-hole-in":   policy_label:unset;
000 "v6neighbor-hole-in":   ike_life: 0s; ipsec_life: 0s; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "v6neighbor-hole-in":   retransmit-interval: 0ms; retransmit-timeout: 0s;
000 "v6neighbor-hole-in":   sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "v6neighbor-hole-in":   policy: PFS+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+PASS+NEVER_NEGOTIATE;
000 "v6neighbor-hole-in":   conn_prio: 0,0; interface: lo; metric: 0; mtu: unset; sa_prio:1; sa_tfc:none;
000 "v6neighbor-hole-in":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;
000 "v6neighbor-hole-in":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "v6neighbor-hole-out": ::/0===::1<::1>:58/34816...%any:58/34560===::/0; prospective erouted; eroute owner: #0
000 "v6neighbor-hole-out":     oriented; my_ip=unset; their_ip=unset
000 "v6neighbor-hole-out":   xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "v6neighbor-hole-out":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "v6neighbor-hole-out":   labeled_ipsec:no;
000 "v6neighbor-hole-out":   policy_label:unset;
000 "v6neighbor-hole-out":   ike_life: 0s; ipsec_life: 0s; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "v6neighbor-hole-out":   retransmit-interval: 0ms; retransmit-timeout: 0s;
000 "v6neighbor-hole-out":   sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "v6neighbor-hole-out":   policy: PFS+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+PASS+NEVER_NEGOTIATE;
000 "v6neighbor-hole-out":   conn_prio: 0,0; interface: lo; metric: 0; mtu: unset; sa_prio:1; sa_tfc:none;
000 "v6neighbor-hole-out":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;
000 "v6neighbor-hole-out":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 Total IPsec connections: loaded 5, active 0
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1810), half-open(5), open(0), authenticated(1805), anonymous(0)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)
000
000 #9183: "router-2.reub.net"[1] 1.144.41.171:500 STATE_PARENT_I1 (sent v2I1, expected v2R1); EVENT_v2_RETRANSMIT in 2s; idle; import:respond to stranger
000 #9180: "router-2.reub.net"[1] 1.144.41.171:500 STATE_PARENT_I1 (sent v2I1, expected v2R1); EVENT_v2_RETRANSMIT in 1s; idle; import:respond to stranger
000 #1: "router-2.reub.net"[1] 1.144.41.171:4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 4543s; isakmp#0; idle; import:respond to stranger
000 #1: "router-2.reub.net"[1] 1.144.41.171 ref=0 refhim=0 Traffic:
000 #9181: "router-2.reub.net"[1] 1.144.41.171:500 STATE_PARENT_I1 (sent v2I1, expected v2R1); EVENT_v2_RETRANSMIT in 2s; idle; import:respond to stranger
000 #9184: "router-2.reub.net"[1] 1.144.41.171:500 STATE_PARENT_I1 (sent v2I1, expected v2R1); EVENT_v2_RETRANSMIT in 2s; idle; import:respond to stranger
000 #9182: "router-2.reub.net"[1] 1.144.41.171:500 STATE_PARENT_I1 (sent v2I1, expected v2R1); EVENT_v2_RETRANSMIT in 2s; idle; import:respond to stranger
000 #9178: "router-2.reub.net"[2] 1.144.70.156:4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 86120s; newest ISAKMP; isakmp#0; idle; import:respond to stranger
000 #9178: "router-2.reub.net"[2] 1.144.70.156 ref=0 refhim=0 Traffic:
000 #9052: "router-2.reub.net"[2] 1.144.70.156:4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 85095s; isakmp#0; idle; import:respond to stranger
000 #9052: "router-2.reub.net"[2] 1.144.70.156 ref=0 refhim=0 Traffic:
000 #9045: "router-2.reub.net"[2] 1.144.70.156:4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 85033s; isakmp#0; idle; import:respond to stranger
000 #9045: "router-2.reub.net"[2] 1.144.70.156 ref=0 refhim=0 Traffic:
000 #8789: "router-2.reub.net"[2] 1.144.70.156:4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 83131s; isakmp#0; idle; import:respond to stranger
000 #8789: "router-2.reub.net"[2] 1.144.70.156 ref=0 refhim=0 Traffic:

So there are some 1810 SAs in total, all authenticated, but there is only one active client (my Cisco router).

At this point there is no connectivity to the client and the link is down.

As the client is on a cellular link that is NATted, it seems to be common for the SAs to renegotiate frequently, and this normally works (although it's not optimal).

After restarting pluto everything looks great again:

000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)

Reuben
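A monitoring check for the condition reported above (many authenticated IKE SAs, zero IPsec SAs, a single peer), written here as an added example; it is not code from this report or from libreswan. It assumes the `ipsec status` line formats quoted in the message, and the per-peer threshold of two established parent SAs (old plus replacement during a rekey) is an assumption, not a libreswan rule.

```python
import re

# Constructed sample in the shape of the "ipsec status" output quoted in the
# report above (SA numbers and addresses are taken from that output).
SAMPLE_STATUS = """\
000 IKE SAs: total(1810), half-open(5), open(0), authenticated(1805), anonymous(0)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)
000 #9183: "router-2.reub.net"[1] 1.144.41.171:500 STATE_PARENT_I1 (sent v2I1, expected v2R1); EVENT_v2_RETRANSMIT in 2s; idle; import:respond to stranger
000 #1: "router-2.reub.net"[1] 1.144.41.171:4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 4543s; isakmp#0; idle; import:respond to stranger
000 #1: "router-2.reub.net"[1] 1.144.41.171 ref=0 refhim=0 Traffic:
000 #9178: "router-2.reub.net"[2] 1.144.70.156:4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 86120s; newest ISAKMP; isakmp#0; idle; import:respond to stranger
000 #9178: "router-2.reub.net"[2] 1.144.70.156 ref=0 refhim=0 Traffic:
000 #9052: "router-2.reub.net"[2] 1.144.70.156:4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 85095s; isakmp#0; idle; import:respond to stranger
000 #9052: "router-2.reub.net"[2] 1.144.70.156 ref=0 refhim=0 Traffic:
000 #9045: "router-2.reub.net"[2] 1.144.70.156:4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 85033s; isakmp#0; idle; import:respond to stranger
000 #9045: "router-2.reub.net"[2] 1.144.70.156 ref=0 refhim=0 Traffic:
"""

# "000 IKE SAs: total(1810), ..." and "000 IPsec SAs: total(0), ..."
SUMMARY_RE = re.compile(r'^000 (IKE|IPsec) SAs: total\((\d+)\)')
# '000 #9178: "conn"[2] 1.144.70.156:4500 STATE_PARENT_R2 ...' ("Traffic:" lines have no :port and are skipped)
STATE_RE = re.compile(r'^000 #(\d+): "([^"]+)"(\[\d+\])? (\S+?):\d+ (STATE_\S+)')

def parse_status(text):
    """Return (summary, states): summary maps 'IKE'/'IPsec' to the total SA
    count; states maps (connection instance, peer) -> [(sa_number, state)]."""
    summary, states = {}, {}
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
            continue
        m = STATE_RE.match(line)
        if m:
            num, conn, inst, peer, state = m.groups()
            states.setdefault((conn + (inst or ""), peer), []).append((int(num), state))
    return summary, states

def find_leaks(text, max_established_per_peer=2):
    """Flag a daemon holding IKE SAs but no IPsec SAs, and any peer with more
    established parent SAs (STATE_PARENT_R2) than a rekey overlap would leave.
    The per-peer threshold of 2 is an assumed value for this example."""
    summary, states = parse_status(text)
    findings = []
    ike, child = summary.get("IKE", 0), summary.get("IPsec", 0)
    if ike > 0 and child == 0:
        findings.append(f"{ike} IKE SAs but 0 IPsec SAs: parent SAs are not carrying traffic")
    for (conn, peer), sas in states.items():
        established = sorted(n for n, s in sas if s == "STATE_PARENT_R2")
        if len(established) > max_established_per_peer:
            findings.append(f"{conn} {peer}: {len(established)} established parent SAs {established}")
    return findings

if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_STATUS):
        print(finding)
```

Feeding the real `ipsec status` output through `find_leaks` periodically (for example from cron) gives an early warning well before the SA count reaches the thousands seen here.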


_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
