I have a collection of sites connected to a CentOS7 LibreSWAN server via IPSEC protected GRE tunnels. The remote device is a Cisco 891F router.
libreswan-3.20-5.el7_4.x86_64
Linux 3.10.0-693.11.1.el7.x86_64

It works! Very well actually, even with the slightly complicated routing we have.

One problem - it appears when the connection renegotiates the remote site experiences packet loss of tunneled traffic. I believe this occurs when the server receives a delete-sa, when the sa expires. ???

The drops correlate to the following bursts in the log file on the LibreSWAN server:

15:02:38 pluto[29909]: "IPSEC-1" #22017: received Delete SA(0x26d2704e) payload: deleting IPSEC State #22019
15:02:38 pluto[29909]: "IPSEC-1" #22017: deleting other state #22019 (STATE_QUICK_I2) "IPSEC-1"
15:02:38 pluto[29909]: "IPSEC-1" #22017: ESP traffic information: in=0B out=0B
15:02:38 pluto[29909]: "IPSEC-1" #22020: deleting state (STATE_QUICK_R0)
15:02:38 pluto[29909]: "IPSEC-1" #22018: deleting state (STATE_QUICK_R0)
15:02:38 pluto[29909]: "IPSEC-1" #22017: deleting state (STATE_MAIN_R3)
15:02:38 pluto[29909]: packet from A.B.C.D:500: received and ignored empty informational notification payload
15:02:46 pluto[29909]: "IPSEC-1" #22021: responding to Main Mode
15:02:46 pluto[29909]: "IPSEC-1" #22021: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
15:02:46 pluto[29909]: "IPSEC-1" #22021: STATE_MAIN_R1: sent MR1, expecting MI2
15:02:46 pluto[29909]: "IPSEC-1" #22021: ignoring unknown Vendor ID payload [95cc749deb2867b973ae56ab42a934cb]
15:02:46 pluto[29909]: "IPSEC-1" #22021: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
15:02:46 pluto[29909]: "IPSEC-1" #22021: STATE_MAIN_R2: sent MR2, expecting MI3
15:02:46 pluto[29909]: "IPSEC-1" #22021: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
15:02:46 pluto[29909]: | ISAKMP Notification Payload
15:02:46 pluto[29909]: | 00 00 00 1c 00 00 00 01 01 10 60 02
15:02:46 pluto[29909]: "IPSEC-1" #22021: Main mode peer ID is ID_IPV4_ADDR: 'A.B.C.D'
15:02:46 pluto[29909]: "IPSEC-1" #22021: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
15:02:46 pluto[29909]: "IPSEC-1" #22021: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP1536}
15:02:46 pluto[29909]: "IPSEC-1" #22021: the peer proposed: L.M.O.P/32:47/0 -> A.B.C.D/32:47/0
15:02:46 pluto[29909]: "IPSEC-1" #22022: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION
15:02:56 pluto[29909]: "IPSEC-1" #22022: next payload type of ISAKMP Hash Payload has an unknown value: 59 (0x3b)
15:02:56 pluto[29909]: "IPSEC-1" #22022: malformed payload in packet
15:03:06 pluto[29909]: "IPSEC-1" #22022: next payload type of ISAKMP Hash Payload has an unknown value: 59 (0x3b)
15:03:06 pluto[29909]: "IPSEC-1" #22022: malformed payload in packet
15:03:16 pluto[29909]: "IPSEC-1" #22021: the peer proposed: L.M.O.P/32:47/0 -> A.B.C.D/32:47/0
15:03:16 pluto[29909]: "IPSEC-1" #22023: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION
15:03:16 pluto[29909]: "IPSEC-1" #22022: next payload type of ISAKMP Hash Payload has an unknown value: 59 (0x3b)
15:03:16 pluto[29909]: "IPSEC-1" #22022: malformed payload in packet
15:03:26 pluto[29909]: "IPSEC-1" #22023: byte 2 of ISAKMP Hash Payload should have been zero, but was not (ignored)
15:03:26 pluto[29909]: "IPSEC-1" #22023: length of ISAKMP Hash Payload is larger than can fit
15:03:26 pluto[29909]: "IPSEC-1" #22023: malformed payload in packet
15:03:26 pluto[29909]: "IPSEC-1" #22022: next payload type of ISAKMP Hash Payload has an unknown value: 59 (0x3b)
15:03:26 pluto[29909]: "IPSEC-1" #22022: malformed payload in packet
15:03:36 pluto[29909]: "IPSEC-1" #22023: byte 2 of ISAKMP Hash Payload should have been zero, but was not (ignored)
15:03:36 pluto[29909]: "IPSEC-1" #22023: length of ISAKMP Hash Payload is larger than can fit
15:03:36 pluto[29909]: "IPSEC-1" #22023: malformed payload in packet
15:03:36 pluto[29909]: "IPSEC-1" #22022: next payload type of ISAKMP Hash Payload has an unknown value: 59 (0x3b)
15:03:36 pluto[29909]: "IPSEC-1" #22022: malformed payload in packet
15:03:46 pluto[29909]: "IPSEC-1" #22023: byte 2 of ISAKMP Hash Payload should have been zero, but was not (ignored)
15:03:46 pluto[29909]: "IPSEC-1" #22023: length of ISAKMP Hash Payload is larger than can fit
15:03:46 pluto[29909]: "IPSEC-1" #22023: malformed payload in packet
15:03:46 pluto[29909]: "IPSEC-1" #22021: received Delete SA payload: self-deleting ISAKMP State #22021
15:03:46 pluto[29909]: "IPSEC-1" #22021: deleting state (STATE_MAIN_R3)
15:03:46 pluto[29909]: "IPSEC-1" #22021: reschedule pending Phase 2 of connection"IPSEC-1" state #22023: - the parent is going away
15:03:46 pluto[29909]: "IPSEC-1" #22021: reschedule pending Phase 2 of connection"IPSEC-1" state #22022: - the parent is going away
15:03:46 pluto[29909]: packet from A.B.C.D:500: received and ignored empty informational notification payload
15:03:46 pluto[29909]: "IPSEC-1" #22024: initiating Main Mode
15:03:46 pluto[29909]: "IPSEC-1" #22023: deleting state (STATE_QUICK_R0)
15:03:46 pluto[29909]: "IPSEC-1" #22022: deleting state (STATE_QUICK_R0)
15:03:46 pluto[29909]: "IPSEC-1" #22024: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
15:03:46 pluto[29909]: "IPSEC-1" #22024: STATE_MAIN_I2: sent MI2, expecting MR2
15:03:46 pluto[29909]: "IPSEC-1" #22024: ignoring unknown Vendor ID payload [68ff031256abeef8441c9729ca3cdd5f]
15:03:46 pluto[29909]: "IPSEC-1" #22024: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
15:03:46 pluto[29909]: "IPSEC-1" #22024: STATE_MAIN_I3: sent MI3, expecting MR3
15:03:46 pluto[29909]: "IPSEC-1" #22024: Main mode peer ID is ID_IPV4_ADDR: 'A.B.C.D'
15:03:46 pluto[29909]: "IPSEC-1" #22024: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
15:03:46 pluto[29909]: "IPSEC-1" #22024: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP1536}
15:03:46 pluto[29909]: "IPSEC-1" #22025: initiating Quick Mode PSK+ENCRYPT+PFS+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#22024 msgid:75b9737f proposal=defaults pfsgroup=MODP1536}
15:03:46 pluto[29909]: "IPSEC-1" #22025: ignoring informational payload IPSEC_RESPONDER_LIFETIME, msgid=75b9737f, length=40
15:03:46 pluto[29909]: | ISAKMP Notification Payload
15:03:46 pluto[29909]: | 00 00 00 28 00 00 00 01 03 04 60 00

--
Adam Tauno Williams <mailto:awill...@whitemice.org> GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA
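The log above, read as a timeline, is the evidence an operator needs: the IPsec (Phase 2) SA is deleted at 15:02:38, the ISAKMP (Phase 1) SA comes back within seconds, but every Quick Mode attempt in the excerpt is rejected ("we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION", then "malformed payload in packet"), so no new IPsec SA appears and tunneled traffic has nowhere to go. The script below is an added example, not part of the original post or of Libreswan: it parses pluto log lines in the format shown, measures the gap between the IPsec SA teardown and the next "IPsec SA established" message (Libreswan's Quick Mode completion message, which never occurs in this excerpt, so the gap is reported as a lower bound), and counts the Phase 2 rejections in between. The sample lines are an excerpt of the post's own log; the single recovery line is constructed to show the closed-outage case.

```python
"""Added example (not from the post or Libreswan): summarise a pluto log
around an IKEv1 rekey to measure how long the tunnel had no IPsec SA and
to count the Phase 2 proposals the responder rejected meanwhile."""
import re
from datetime import datetime

# One pluto line: "HH:MM:SS pluto[pid]: "conn" #state: message" (conn/state optional).
LINE_RE = re.compile(
    r'^(?P<time>\d{2}:\d{2}:\d{2}) pluto\[\d+\]: '
    r'(?:"(?P<conn>[^"]+)" #(?P<state>\d+): )?(?P<msg>.*)$'
)

# Message fragments exactly as they appear in the post's libreswan 3.20 log.
IPSEC_DELETED_RE = re.compile(r'deleting IPSEC State #(\d+)')
PFS_MISMATCH = 'we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION'
MALFORMED = 'malformed payload in packet'
ISAKMP_UP = 'ISAKMP SA established'
IPSEC_UP = 'IPsec SA established'   # Libreswan's Quick Mode completion message

# Excerpt of the post's log (times and state numbers as posted).
SAMPLE_LOG = [
    '15:02:38 pluto[29909]: "IPSEC-1" #22017: received Delete SA(0x26d2704e) payload: deleting IPSEC State #22019',
    '15:02:38 pluto[29909]: "IPSEC-1" #22017: deleting state (STATE_MAIN_R3)',
    '15:02:38 pluto[29909]: packet from A.B.C.D:500: received and ignored empty informational notification payload',
    '15:02:46 pluto[29909]: "IPSEC-1" #22021: responding to Main Mode',
    '15:02:46 pluto[29909]: "IPSEC-1" #22021: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP1536}',
    '15:02:46 pluto[29909]: "IPSEC-1" #22022: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION',
    '15:02:56 pluto[29909]: "IPSEC-1" #22022: malformed payload in packet',
    '15:03:16 pluto[29909]: "IPSEC-1" #22023: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION',
    '15:03:26 pluto[29909]: "IPSEC-1" #22023: malformed payload in packet',
    '15:03:46 pluto[29909]: "IPSEC-1" #22021: received Delete SA payload: self-deleting ISAKMP State #22021',
    '15:03:46 pluto[29909]: "IPSEC-1" #22024: initiating Main Mode',
    '15:03:46 pluto[29909]: "IPSEC-1" #22024: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP1536}',
    '15:03:46 pluto[29909]: "IPSEC-1" #22025: initiating Quick Mode PSK+ENCRYPT+PFS+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#22024 msgid:75b9737f proposal=defaults pfsgroup=MODP1536}',
]

# Constructed line (not in the post): what a successful Quick Mode would log.
CONSTRUCTED_RECOVERY = ('15:03:47 pluto[29909]: "IPSEC-1" #22025: STATE_QUICK_I2: sent QI2, '
                        'IPsec SA established tunnel mode {ESP=>0xCONSTRUCTED <0xCONSTRUCTED}')


def parse_line(line):
    """Return (time, conn, state, msg) for a pluto log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    t = datetime.strptime(m.group('time'), '%H:%M:%S')   # assumes all lines are from one day
    state = int(m.group('state')) if m.group('state') else None
    return t, m.group('conn'), state, m.group('msg')


def analyse(lines):
    """Summarise one rekey episode: when the IPsec SA went away, when (if ever)
    a replacement came up, and what went wrong with Phase 2 in between."""
    summary = {
        'ipsec_lost_at': None, 'ipsec_restored_at': None,
        'outage_seconds': None, 'outage_is_lower_bound': False,
        'isakmp_established': 0, 'pfs_mismatches': 0,
        'malformed_packets': 0, 'quick_mode_states': set(),
    }
    last_seen = None
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        t, _conn, state, msg = parsed
        last_seen = t
        if IPSEC_DELETED_RE.search(msg) and summary['ipsec_lost_at'] is None:
            summary['ipsec_lost_at'] = t           # Phase 2 SA torn down by peer's Delete SA
        elif IPSEC_UP in msg and summary['ipsec_lost_at'] and summary['ipsec_restored_at'] is None:
            summary['ipsec_restored_at'] = t       # first replacement Phase 2 SA
        if ISAKMP_UP in msg:
            summary['isakmp_established'] += 1     # Phase 1 recovered (does not carry traffic)
        if PFS_MISMATCH in msg:
            summary['pfs_mismatches'] += 1         # peer's Quick I1 lacked a PFS group
            summary['quick_mode_states'].add(state)
        if MALFORMED in msg:
            summary['malformed_packets'] += 1
    lost, restored = summary['ipsec_lost_at'], summary['ipsec_restored_at']
    if lost is not None:
        # If no IPsec SA came back in the excerpt, report the gap up to the last line seen.
        end = restored if restored is not None else last_seen
        summary['outage_seconds'] = int((end - lost).total_seconds())
        summary['outage_is_lower_bound'] = restored is None
    return summary


if __name__ == '__main__':
    for key, value in analyse(SAMPLE_LOG).items():
        print(f'{key}: {value}')
```

Run against the excerpt it reports an outage of at least 68 s (15:02:38 to the last line at 15:03:46) with two PFS mismatches on Quick Mode states #22022 and #22023, which is the number to compare against the observed packet loss; feeding it the full `/var/log/secure` or `journalctl -u ipsec` output around each rekey shows whether every renegotiation follows the same pattern.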