On Tue, 4 Sep 2018, Terell Moore wrote:
> Hello, I've been running into an issue with Linux Libreswan 3.23 where occasionally, mis-matched phase 2 algorithms between my Libreswan instance and a remote peer causes the Libreswan instance to enter an infinite cycle of rekeys.
Please do test if this is resolved in 3.25 as it contains various improvements to the rekeying code.
> This behavior has been observed when the following properties have been mis-matched:
> - left/rightsubnets
Yes, there was an issue with shared IKE SAs as well, which you get when using the plural subnets=
> We've tried several options in the connection config such as rekey, rekeymargin, rekeyfuzz, and keyingtries to no avail. Is there a setting in Libreswan that will allow us to limit the amount of rekeys that will be attempted?
Yes, keyingtries of non-zero. But then your tunnel just remains down which is also not what you want.
> Sep 4 13:19:53 ip-172-20-114-174 pluto[27097]: "connection-name/2x2" #3608936: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#3608932 msgid:baf7a9cf proposal=AES_CBC_256-HMAC_SHA1_96-MODP1024 pfsgroup=no-pfs}
> Sep 4 13:19:53 ip-172-20-114-174 pluto[27097]: "connection-name/2x2" #3608932: received and ignored informational message
> Sep 4 13:19:53 ip-172-20-114-174 pluto[27097]: "connection-name/2x2" #3608932: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=32
So a subnets= mismatch with the other end?
> Sep 4 13:19:53 ip-172-20-114-174 pluto[27097]: "connection-name/2x2" #3608932: received and ignored informational message
> Sep 4 13:19:53 ip-172-20-114-174 pluto[27097]: "connection-name/2x2" #3608932: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=32
> Sep 4 13:19:53 ip-172-20-114-174 pluto[27097]: "connection-name/2x2" #3608932: received and ignored informational message
> Sep 4 13:19:53 ip-172-20-114-174 pluto[27097]: "connection-name/2x2" #3608932: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=32
> Sep 4 13:19:53 ip-172-20-114-174 pluto[27097]: "connection-name/2x2" #3608932: received and ignored informational message
> Sep 4 13:19:53 ip-172-20-114-174 pluto[27097]: "connection-name/2x2" #3608932: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=32
> Sep 4 13:19:53 ip-172-20-114-174 pluto[27097]: "connection-name/2x2" #3608932: received and ignored informational message
Not sure why it told you so many times? Possibly because you have more subnets= being negotiated that are not matching either?
> Sep 4 13:19:53 ip-172-20-114-174 pluto[27097]: "connection-name/2x2" #3608932: received Delete SA payload: self-deleting ISAKMP State #3608932
Then they deleted the IKE SA.
> Sep 4 13:19:53 ip-172-20-114-174 pluto[27097]: "connection-name/2x2" #3608937: initiating Main Mode
And libreswan starts again. The only thing that confuses me is why you say this only happens sometimes? But as I said, please try 3.25 and see if that resolves the issue already?

Paul
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
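The cycle the thread walks through (Quick Mode initiated with a proposal, peer answers NO_PROPOSAL_CHOSEN, IKE SA deleted, fresh Main Mode) is easy to spot in pluto's syslog output once you count reject-then-restart cycles per connection. The following detector is an added example written for this thread; it is not Libreswan code and not something either poster shipped. It assumes syslog-style pluto state lines of the shape quoted above; the hostname, PID, state numbers and the second connection in the embedded sample log are constructed, and the sample lines are generated by a small helper rather than copied from a real system.

```python
"""Detect IKEv1 rekey loops in Libreswan pluto logs (added example, not Libreswan code).

A loop looks like: pluto initiates Quick Mode with a proposal, the peer answers
NO_PROPOSAL_CHOSEN, the IKE SA is deleted, and pluto at once initiates a fresh
Main Mode, over and over. This script counts such reject-then-restart cycles per
connection inside a sliding time window and reports the connections that exceed a
threshold, together with the proposal(s) the peer refused, so the operator knows
which part of the two configs to compare.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog-style pluto state line: <Mon> <day> <hh:mm:ss> <host> pluto[<pid>]: "<conn>" #<state>: <message>
LINE_RE = re.compile(
    r'^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$'
)
PROPOSAL_RE = re.compile(r"proposal=(\S+)")


def parse_line(line):
    """Return (timestamp, connection, state_number, message), or None for non-state lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine for deltas.
    ts = datetime.strptime(f"{m['mon']} {int(m['day']):02d} {m['time']}", "%b %d %H:%M:%S")
    return ts, m["conn"], int(m["state"]), m["msg"]


def classify(msg):
    """Map a pluto message to the phase of the loop it belongs to, or None if irrelevant."""
    if msg.startswith("initiating Quick Mode"):
        return "quick"
    if "NO_PROPOSAL_CHOSEN" in msg:
        return "rejected"
    if "self-deleting ISAKMP State" in msg:
        return "deleted"
    if msg.startswith("initiating Main Mode"):
        return "main"
    return None


def find_rekey_loops(lines, window_seconds=60, threshold=3):
    """Return {connection: (peak_cycles_in_window, sorted rejected proposals)} for every
    connection that completed at least `threshold` reject->restart cycles inside the window.

    A cycle is counted when a Main Mode initiation follows a NO_PROPOSAL_CHOSEN for the
    same connection; the Delete SA in between is informative but not required.
    """
    last_proposal = {}             # conn -> proposal string of the latest Quick Mode attempt
    pending = defaultdict(bool)    # conn -> NO_PROPOSAL_CHOSEN seen since the last Main Mode
    rejected = defaultdict(set)    # conn -> proposals the peer refused
    cycles = defaultdict(deque)    # conn -> timestamps of completed cycles inside the window
    peak = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, conn, _state, msg = parsed
        kind = classify(msg)
        if kind == "quick":
            pm = PROPOSAL_RE.search(msg)
            if pm:
                last_proposal[conn] = pm.group(1)
        elif kind == "rejected":
            pending[conn] = True
            if conn in last_proposal:
                rejected[conn].add(last_proposal[conn])
        elif kind == "main" and pending[conn]:
            pending[conn] = False
            q = cycles[conn]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()            # drop cycles that fell out of the window
            if len(q) >= threshold:
                peak[conn] = max(peak.get(conn, 0), len(q))
    return {conn: (n, sorted(rejected[conn])) for conn, n in peak.items()}


def _cycle(ts, conn, ike, proposal):
    """Constructed sample lines for one failed rekey cycle (host, PID, state numbers invented)."""
    return [
        f'{ts} vpn-gw pluto[27097]: "{conn}" #{ike + 4}: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP '
        f'{{using isakmp#{ike} msgid:baf7a9cf proposal={proposal} pfsgroup=no-pfs}}',
        f'{ts} vpn-gw pluto[27097]: "{conn}" #{ike}: received and ignored informational message',
        f'{ts} vpn-gw pluto[27097]: "{conn}" #{ike}: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=32',
        f'{ts} vpn-gw pluto[27097]: "{conn}" #{ike}: received Delete SA payload: self-deleting ISAKMP State #{ike}',
        f'{ts} vpn-gw pluto[27097]: "{conn}" #{ike + 5}: initiating Main Mode',
    ]


# Constructed sample log: four back-to-back failed cycles on one connection, plus one
# connection with a single transient rejection that must not be reported.
SAMPLE_LOG = (
    _cycle("Sep  4 13:19:53", "connection-name/2x2", 3608932, "AES_CBC_256-HMAC_SHA1_96-MODP1024")
    + _cycle("Sep  4 13:19:55", "connection-name/2x2", 3608937, "AES_CBC_256-HMAC_SHA1_96-MODP1024")
    + _cycle("Sep  4 13:19:58", "connection-name/2x2", 3608942, "AES_CBC_256-HMAC_SHA1_96-MODP1024")
    + _cycle("Sep  4 13:20:01", "connection-name/2x2", 3608947, "AES_CBC_256-HMAC_SHA1_96-MODP1024")
    + _cycle("Sep  4 13:20:05", "other-conn/1x1", 4000000, "AES_CBC_128-HMAC_SHA2_256_128-MODP2048")
)

if __name__ == "__main__":
    for conn, (n, proposals) in find_rekey_loops(SAMPLE_LOG).items():
        print(f"{conn}: {n} rekey cycles in window; peer refused {', '.join(proposals)}")
```

Feed it `journalctl -u ipsec` or `/var/log/secure` output (one line per iteration) and tune `window_seconds` and `threshold` to your rekey margins; a connection reported here with a single refused proposal is the one whose phase 2 parameters or subnets= to compare against the peer, and the report is a better alert than watching the tunnel flap.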