Hi,

I have installed libreswan 3.15 (3.15-7.3.el6) on CentOS 6.8 (based on kernel 
2.6.32-642.15.1.el6.x86_64) and Red Hat Linux 6.7 (2.6.32-696.6.3.el6.x86_64).
The IPsec tunnel is set up using certificates.

In our deployment scenario, Host 1 has multiple sub-interfaces, and for each 
sub-interface we have a virtual device associated.
I manage these virtual devices from Host 2 through the IPsec tunnel.

I am able to see the tunnel established between Host 1 and Host 2.

When I attempt to import data for over 200 devices so that tunnel connections 
get established,
I observe the following log messages in the ipsec log file:

Aug  4 21:46:02: packet from 15.1.1.91:500: ignoring Vendor ID payload 
[draft-ietf-ipsec-nat-t-ike-02]
Aug  4 21:46:02: | find_host_connection me=10.78.29.212:500 him=15.1.1.91:500 
policy=IKEV1_ALLOW
Aug  4 21:46:02: | find_host_pair_conn (find_host_connection): 10.78.29.212:500 
15.1.1.91:500 -> hp:none
Aug  4 21:46:02: packet from 15.1.1.91:500: initial Main Mode message received 
on 10.78.29.212:500 but no connection has been authorized with policy 
RSASIG+IKEV1_ALLOW
Aug  4 21:46:03: | *received 184 bytes from 15.1.1.91:500 on eth0 (port=500)
Aug  4 21:46:03: packet from 15.1.1.91:500: received Vendor ID payload [Dead 
Peer Detection]
Aug  4 21:46:03: packet from 15.1.1.91:500: received Vendor ID payload 
[FRAGMENTATION]
Aug  4 21:46:03: packet from 15.1.1.91:500: received Vendor ID payload 
[draft-ietf-ipsec-nat-t-ike-03]
Aug  4 21:46:03: packet from 15.1.1.91:500: ignoring Vendor ID payload 
[draft-ietf-ipsec-nat-t-ike-02_n]
Aug  4 21:46:03: packet from 15.1.1.91:500: ignoring Vendor ID payload 
[draft-ietf-ipsec-nat-t-ike-02]
Aug  4 21:46:03: | find_host_connection me=10.78.29.212:500 him=15.1.1.91:500 
policy=IKEV1_ALLOW
Aug  4 21:46:03: | find_host_pair_conn (find_host_connection): 10.78.29.212:500 
15.1.1.91:500 -> hp:none
Aug  4 21:46:03: packet from 15.1.1.91:500: initial Main Mode message received 
on 10.78.29.212:500 but no connection has been authorized with policy 
RSASIG+IKEV1_ALLOW
Aug  4 21:46:03: | *received 184 bytes from 15.1.1.91:500 on eth0 (port=500)
Aug  4 21:46:03: packet from 15.1.1.91:500: received Vendor ID payload [Dead 
Peer Detection]
Aug  4 21:46:03: packet from 15.1.1.91:500: received Vendor ID payload 
[FRAGMENTATION]

and the tunnel does not get set up:
packet from 15.1.1.91:500: initial Main Mode message received on 
10.78.29.212:500 but no connection has been authorized with policy 
RSASIG+IKEV1_ALLOW

I attempted searching for the above in the ipsec mailing list threads but could not 
locate why this message is seen.

As mentioned, this message is not observed when the number of virtual devices 
being managed is 200. Tunnel connections are also fine in that case.

Following are the connection sections from the ipsec configuration file:

[root@host1]/etc/ipsec.d/policies# grep include /etc/ipsec.conf
          # Note: "crypt" is not included with "all", as it can show confidential
include /etc/ipsec.d/*.conf
[root@host1]/etc/ipsec.d/policies#

[root@Host2]/etc/ipsec.d# cat pi.secrets
: RSA "user1"
[root@host1]/etc/ipsec.d#

Extract from the ipsec conf file on Host 1:

conn snmp_15.1.1.91
    type=transport
    ike=aes256-sha1;modp2048
    phase2alg=aes256-sha1;modp2048
    authby=rsasig
    ike-frag=yes
    nat-ikev1-method=drafts
    auto=start
    keyingtries=%forever
    dpdaction=restart
    dpddelay=86400
    dpdtimeout=86400
# left side configuration
    leftid=%fromcert
    left=15.1.1.91
    leftprotoport=udp/161
    leftcert="user1"
    leftrsasigkey=%cert
    leftsendcert=always

#right configuration - PI
    rightid="C=in, ST=nd, L=noi, O=abc, OU=def, CN=host2.company.com"
    right=10.78.29.212
    rightprotoport=udp
    rightrsasigkey=%cert
    rightsendcert=always

Extract from the ipsec conf file on Host 2 that gets generated automatically after 
tunnel establishment:
conn Device_snmp_15.1.1.1
    type=transport
    ike=aes256-sha1;modp2048
    phase2alg=aes256-sha1;modp2048
    authby=rsasig
    ike-frag=yes
    nat-ikev1-method=drafts
    auto=start
    keyingtries=%forever
    dpdaction=restart
    forceencaps=yes
# left configuration - server
    leftid=%fromcert
    left=10.78.29.212
    leftprotoport=udp
    leftcert="tomcat"
    leftrsasigkey=%cert
    leftsendcert=always
#right configuration - device
    rightid="C=in, ST=nd, L=noi, O=abc, OU=def, CN=host1.company.com, E=us...@company.com"
    right=15.1.1.91
    rightprotoport=udp/161
    rightrsasigkey=%cert
    rightsendcert=always

We have an exact replica of the above sections for SNMP traps also.

Could someone please clarify why we observe failed tunnel setup with this 
configuration when the number of virtual devices is above 200?
Is there any issue with the above ipsec configuration?

Regards,
Bala
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
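The rejection in the log above ("initial Main Mode message received ... but no connection has been authorized", preceded by find_host_pair_conn returning hp:none) is pluto refusing an IKEv1 initiator for which it holds no loaded conn matching that local/peer address pair; refusing an unknown initiator is the intended behaviour, so the first triage question is whether the config names that peer at all. The script below is an added example, not part of the original post or of libreswan: it parses a minimal ipsec.conf-style extract and pluto log lines, both constructed here to resemble the ones in the post, and for each rejected peer reports whether any conn section pairs that peer address with the local address pluto received on. The names SAMPLE_CONF, SAMPLE_LOG, parse_conns, find_rejections and triage, the second peer 15.1.1.92 and the trap conn are assumptions made for the example.

```python
"""Triage 'no connection has been authorized' refusals in a libreswan (pluto) log.

Added example, not code from the post or from libreswan. Inputs are constructed
samples; the only real strings are the pluto message formats copied from the post.
"""
import re
from collections import defaultdict

# Constructed ipsec.conf extract: two conns for peer 15.1.1.91 (snmp and trap,
# as the post describes), and deliberately no conn for 15.1.1.92.
SAMPLE_CONF = """\
conn Device_snmp_15.1.1.1
    type=transport
    authby=rsasig
    left=10.78.29.212
    leftprotoport=udp
    right=15.1.1.91
    rightprotoport=udp/161
    auto=start

conn Device_trap_15.1.1.1
    type=transport
    authby=rsasig
    left=10.78.29.212
    leftprotoport=udp
    right=15.1.1.91
    rightprotoport=udp/162
    auto=start
"""

# Constructed log lines modelled on the post's output (timestamps and IPs are sample data).
SAMPLE_LOG = """\
Aug  4 21:46:02: packet from 15.1.1.91:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug  4 21:46:02: | find_host_pair_conn (find_host_connection): 10.78.29.212:500 15.1.1.91:500 -> hp:none
Aug  4 21:46:02: packet from 15.1.1.91:500: initial Main Mode message received on 10.78.29.212:500 but no connection has been authorized with policy RSASIG+IKEV1_ALLOW
Aug  4 21:46:03: packet from 15.1.1.92:500: initial Main Mode message received on 10.78.29.212:500 but no connection has been authorized with policy RSASIG+IKEV1_ALLOW
Aug  4 21:46:03: packet from 15.1.1.91:500: initial Main Mode message received on 10.78.29.212:500 but no connection has been authorized with policy RSASIG+IKEV1_ALLOW
"""

# Matches the refusal line format seen in the post.
REJECT_RE = re.compile(
    r"packet from (?P<peer>[\d.]+):(?P<pport>\d+): initial Main Mode message received on "
    r"(?P<local>[\d.]+):(?P<lport>\d+) but no connection has been authorized with policy "
    r"(?P<policy>\S+)"
)


def parse_conns(conf_text):
    """Parse 'conn NAME' sections into {name: {key: value}}; comments and blank lines are skipped."""
    conns = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip().strip('"')
    return conns


def find_rejections(log_text):
    """Return {(local_ip, peer_ip): (count, policy)} for every authorization refusal in the log."""
    hits = defaultdict(lambda: [0, None])
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            key = (m.group("local"), m.group("peer"))
            hits[key][0] += 1
            hits[key][1] = m.group("policy")
    return {k: (v[0], v[1]) for k, v in hits.items()}


def triage(conf_text, log_text):
    """For each rejected peer, list the conns whose left/right pair that peer with the local address."""
    conns = parse_conns(conf_text)
    report = {}
    for (local, peer), (count, policy) in find_rejections(log_text).items():
        matching = sorted(
            name for name, kv in conns.items()
            if {kv.get("left"), kv.get("right")} == {local, peer}
        )
        if matching:
            verdict = ("conn defined on disk but pluto had no loaded match: confirm it is "
                       "loaded with 'ipsec status' and that authby/ids agree with the peer")
        else:
            verdict = "no conn names this peer: an unknown initiator is correctly refused"
        report[peer] = {"local": local, "count": count, "policy": policy,
                        "conns": matching, "verdict": verdict}
    return report


if __name__ == "__main__":
    for peer, info in sorted(triage(SAMPLE_CONF, SAMPLE_LOG).items()):
        print(f"{peer}: {info['count']}x policy={info['policy']} conns={info['conns']}")
        print(f"    {info['verdict']}")
```

Run against a real /etc/ipsec.d/*.conf and /var/log/pluto.log (or wherever the post's deployment sends pluto output), the two verdicts split the problem cleanly: a peer with no conn at all is a generation or include problem on Host 2, while a peer whose conn exists on disk but still gets hp:none points at the conn not being loaded into the running pluto (or its ids not matching what the certificate presents).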