On 02/07/2017 05:30 PM, Paul Wouters wrote:
On Tue, 7 Feb 2017, Jeff Becker wrote:
Could this be the problem?
# grep errno /var/log/secure
Feb 7 23:20:15 dtn1 pluto[4320]: "dtsd-tunnel" #1: ERROR: netlink response for Del SA [email protected] included errno 3: No such process

That shows an IPsec SA that it expected to be there to be deleted was
not there.  That is odd, and I would expect to see an earlier message
about a problem?

The following sequence repeats several times in /var/log/secure. It does look like an SA is being deleted after several failed retransmits.

-jeff

Feb 8 17:40:07 dtn1 pluto[4320]: "dtsd-tunnel" #71: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#70 msgid:89f15846 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Feb 8 17:40:07 dtn1 pluto[4320]: "dtsd-tunnel" #71: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Feb 8 17:40:07 dtn1 pluto[4320]: "dtsd-tunnel" #71: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x695041fd <0xbcdcc26c xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}
Feb 8 17:40:08 dtn1 pluto[4320]: "dtsd-tunnel" #71: retransmitting in response to duplicate packet; already STATE_QUICK_I2
Feb 8 17:40:08 dtn1 pluto[4320]: "dtsd-tunnel" #71: retransmitting in response to duplicate packet; already STATE_QUICK_I2
Feb 8 17:40:09 dtn1 pluto[4320]: "dtsd-tunnel" #71: discarding duplicate packet -- exhausted retransmission; already STATE_QUICK_I2
Feb 8 17:40:11 dtn1 pluto[4320]: "dtsd-tunnel" #71: discarding duplicate packet -- exhausted retransmission; already STATE_QUICK_I2
Feb 8 17:40:15 dtn1 pluto[4320]: "dtsd-tunnel" #71: discarding duplicate packet -- exhausted retransmission; already STATE_QUICK_I2
Feb 8 17:40:23 dtn1 pluto[4320]: "dtsd-tunnel" #71: discarding duplicate packet -- exhausted retransmission; already STATE_QUICK_I2
Feb 8 17:40:39 dtn1 pluto[4320]: "dtsd-tunnel" #71: discarding duplicate packet -- exhausted retransmission; already STATE_QUICK_I2
Feb 8 17:41:11 dtn1 pluto[4320]: "dtsd-tunnel" #70: received Delete SA payload: replace IPSEC State #71 in 25ms, letting old IPsec SA linger for 20 seconds
Feb 8 17:41:11 dtn1 pluto[4320]: "dtsd-tunnel" #70: received and ignored empty informational notification payload



Paul


_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
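
The repeating sequence described in the message above (IPsec SA established, duplicate packets from the peer, then a Delete SA naming that state) can be tallied per state number from /var/log/secure. This is an added example, not part of the original thread or of libreswan; the names `summarize` and `flagged` are hypothetical, and the sample input is a subset of the log lines quoted in the thread.

```python
import re
from collections import defaultdict

# Sample input: subset of the pluto lines quoted in the thread
# (one retransmit line and several "exhausted" lines left out for brevity).
SAMPLE = """\
Feb 8 17:40:07 dtn1 pluto[4320]: "dtsd-tunnel" #71: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Feb 8 17:40:07 dtn1 pluto[4320]: "dtsd-tunnel" #71: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x695041fd <0xbcdcc26c xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}
Feb 8 17:40:08 dtn1 pluto[4320]: "dtsd-tunnel" #71: retransmitting in response to duplicate packet; already STATE_QUICK_I2
Feb 8 17:40:09 dtn1 pluto[4320]: "dtsd-tunnel" #71: discarding duplicate packet -- exhausted retransmission; already STATE_QUICK_I2
Feb 8 17:40:11 dtn1 pluto[4320]: "dtsd-tunnel" #71: discarding duplicate packet -- exhausted retransmission; already STATE_QUICK_I2
Feb 8 17:41:11 dtn1 pluto[4320]: "dtsd-tunnel" #70: received Delete SA payload: replace IPSEC State #71 in 25ms, letting old IPsec SA linger for 20 seconds
"""

# pluto line layout as seen in the thread: pluto[pid]: "conn" #state: message
LINE = re.compile(r'pluto\[\d+\]: "([^"]+)" #(\d+): (.*)')
DELETE = re.compile(r'received Delete SA payload: replace IPSEC State #(\d+)')

def summarize(log_text):
    """Return {(conn, state): counters} built from pluto log lines."""
    stats = defaultdict(lambda: {"established": False, "retransmits": 0,
                                 "exhausted": 0, "deleted_via": None})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a per-state pluto line
        conn, state, msg = m.group(1), int(m.group(2)), m.group(3)
        entry = stats[(conn, state)]
        if "IPsec SA established" in msg:
            entry["established"] = True
        elif msg.startswith("retransmitting in response to duplicate packet"):
            entry["retransmits"] += 1
        elif msg.startswith("discarding duplicate packet -- exhausted retransmission"):
            entry["exhausted"] += 1
        d = DELETE.search(msg)
        if d:  # logged under the ISAKMP state; names the IPsec state being replaced
            stats[(conn, int(d.group(1)))]["deleted_via"] = state
    return stats

def flagged(stats):
    """States that were established, exhausted retransmits, then got a peer Delete SA."""
    return sorted(k for k, s in stats.items()
                  if s["established"] and s["exhausted"] and s["deleted_via"] is not None)

if __name__ == "__main__":
    for conn, state in flagged(summarize(SAMPLE)):
        print(conn, state)
```
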
