Hello Fabrice,

sorry for the delay in answering your questions but I was quite
busy due to the start of the spring term at our university.

On 03/01/2011 10:40 AM, CETIAD - Fabrice Barconnière wrote:
Hello,

I've configured strongSwan with an SQLite database between one gateway
(sphynx) and several others (amon1, amon2, ... up to six hundred).
Connections are between sphynx subnets and amon subnets (sometimes
between amon subnets).
The text file attached to this mail shows my network infrastructure.

On sphynx, start_action and dpd_action are set to 0.
On amon, start_action and dpd_action are set to 2.

1) When the sqlite database is modified, how can I apply the updates
without restarting ipsec?
The ipsec update command doesn't work in my configuration.
Is there another way to do that, or should some fields be set to
specific values?

The "ipsec update" command does not work with connection configurations
stored in an SQL database. The command just checks for any changes in
ipsec.conf and communicates them to the charon daemon via the stroke
socket interface.

I made some database changes in CHILD_SA net-3 and

ipsec statusall     shows the changes immediately.
ipsec down net-3    does not work but
ipsec down net-3{3} takes the CHILD_SA down
ipsec up net-3      doesn't work so we have a real problem here

You will find the detailed output in the moon.statusall attachment.

ipsec down net-net  takes down the IKE_SA and all three CHILD_SAs
ipsec up net-net    does not start up them again so we have a problem

I have to look into this. It should be possible to take down single
CHILD_SAs and/or IKE_SAs and start them again without having to
restart the whole daemon.

2) How does Dead Peer Detection work?
When ipsec is restarted on sphynx, connections stay down on the amon
gateways.
Are there special values to set in the database?

I loaded the sql/net2net-start-pem scenario

http://www.strongswan.org/uml/testresults/sql/net2net-start-pem/

which is closely modelled after your setup and has the DPD settings

   moon: start_action = 2 (start), dpd_action = 2 (restart)
   sun:  start_action = 0 (add),   dpd_action = 0 (clear)

I started the scenario and let it run for a couple of minutes in order
to show that DPD informational messages are exchanged. I then blocked
the access to sun so that moon was starting to retransmit and after
5 unanswered retransmissions moon deleted all SAs and tried to
reconnect. I then enabled access to sun again and the IKE_SA and
all 3 CHILD_SAs were automatically re-established. You can find my
log as attachment "moon.daemon.log".

If you restart charon on sun by executing "ipsec restart" then
the IKE_SA and the CHILD_SAs are deleted by exchanging DELETE notifies
and the connection doesn't come up again automatically. This is normal
behaviour and doesn't have anything to do with DPD. You must then
start up the SAs either on moon or sun manually.

Thanks

Fabrice


Best regards

Andreas

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

Mar  1 15:01:39 moon charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.2dr1) 
Mar  1 15:01:40 moon charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts' 
Mar  1 15:01:40 moon charon: 00[CFG]   loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem' 
Mar  1 15:01:40 moon charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts' 
Mar  1 15:01:40 moon charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts' 
Mar  1 15:01:40 moon charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts' 
Mar  1 15:01:40 moon charon: 00[CFG] loading crls from '/etc/ipsec.d/crls' 
Mar  1 15:01:40 moon charon: 00[CFG] loading secrets from '/etc/ipsec.secrets' 
Mar  1 15:01:40 moon charon: 00[KNL] listening on interfaces: 
Mar  1 15:01:40 moon charon: 00[KNL]   eth0 
Mar  1 15:01:40 moon charon: 00[KNL]     192.168.0.1 
Mar  1 15:01:40 moon charon: 00[KNL]     fec0::1 
Mar  1 15:01:40 moon charon: 00[KNL]     fe80::fcfd:c0ff:fea8:1 
Mar  1 15:01:40 moon charon: 00[KNL]   eth1 
Mar  1 15:01:40 moon charon: 00[KNL]     10.1.0.1 
Mar  1 15:01:40 moon charon: 00[KNL]     fec1::1 
Mar  1 15:01:40 moon charon: 00[KNL]     fe80::fcfd:aff:fe01:1 
Mar  1 15:01:40 moon charon: 00[DMN] loaded plugins: curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql  
Mar  1 15:01:40 moon charon: 00[JOB] spawning 16 worker threads 
Mar  1 15:01:40 moon charon: 13[JOB] start action: initiate 'net-1' 
Mar  1 15:01:40 moon charon: 13[IKE] initiating IKE_SA net-net[1] to 192.168.0.2 
Mar  1 15:01:40 moon charon: 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] 
Mar  1 15:01:40 moon charon: 13[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500] 
Mar  1 15:01:40 moon charon: 13[JOB] start action: initiate 'net-2' 
Mar  1 15:01:40 moon charon: 13[JOB] start action: initiate 'net-3' 
Mar  1 15:01:40 moon charon: 14[NET] received packet: from 192.168.0.2[500] to 192.168.0.1[500] 
Mar  1 15:01:40 moon charon: 14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ] 
Mar  1 15:01:40 moon charon: 14[IKE] received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" 
Mar  1 15:01:40 moon charon: 14[IKE] received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" 
Mar  1 15:01:40 moon charon: 14[IKE] sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" 
Mar  1 15:01:40 moon charon: 14[IKE] sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" 
Mar  1 15:01:40 moon charon: 14[IKE] authentication of 'moon.strongswan.org' (myself) with RSA signature successful 
Mar  1 15:01:40 moon charon: 14[IKE] sending end entity cert "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" 
Mar  1 15:01:40 moon charon: 14[IKE] establishing CHILD_SA net-1 
Mar  1 15:01:40 moon charon: 14[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ] 
Mar  1 15:01:40 moon charon: 14[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500] 
Mar  1 15:01:40 moon charon: 15[NET] received packet: from 192.168.0.2[500] to 192.168.0.1[500] 
Mar  1 15:01:40 moon charon: 15[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ] 
Mar  1 15:01:40 moon charon: 15[IKE] received end entity cert "C=CH, O=Linux strongSwan, CN=sun.strongswan.org" 
Mar  1 15:01:40 moon charon: 15[CFG]   using certificate "C=CH, O=Linux strongSwan, CN=sun.strongswan.org" 
Mar  1 15:01:40 moon charon: 15[CFG]   using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" 
Mar  1 15:01:40 moon charon: 15[CFG] checking certificate status of "C=CH, O=Linux strongSwan, CN=sun.strongswan.org" 
Mar  1 15:01:40 moon charon: 15[CFG]   fetching crl from 'http://crl.strongswan.org/strongswan.crl' ... 
Mar  1 15:01:40 moon charon: 15[CFG]   using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" 
Mar  1 15:01:40 moon charon: 15[CFG]   crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" 
Mar  1 15:01:40 moon charon: 15[CFG]   crl is valid: until Mar 26 22:26:34 2011 
Mar  1 15:01:40 moon charon: 15[CFG] certificate status is good 
Mar  1 15:01:40 moon charon: 15[CFG]   reached self-signed root ca with a path length of 0 
Mar  1 15:01:40 moon charon: 15[IKE] authentication of 'sun.strongswan.org' with RSA signature successful 
Mar  1 15:01:40 moon charon: 15[IKE] IKE_SA net-net[1] established between 192.168.0.1[moon.strongswan.org]...192.168.0.2[sun.strongswan.org] 
Mar  1 15:01:40 moon charon: 15[IKE] scheduling reauthentication in 3442s 
Mar  1 15:01:40 moon charon: 15[IKE] maximum IKE_SA lifetime 3742s 
Mar  1 15:01:40 moon charon: 15[IKE] CHILD_SA net-1{1} established with SPIs c34baa77_i cbd3fb7d_o and TS 10.1.0.0/28 === 10.2.0.0/23  
Mar  1 15:01:41 moon charon: 15[IKE] received AUTH_LIFETIME of 3593s, scheduling reauthentication in 3293s 
Mar  1 15:01:41 moon charon: 15[IKE] establishing CHILD_SA net-2 
Mar  1 15:01:41 moon charon: 15[ENC] generating CREATE_CHILD_SA request 2 [ SA No TSi TSr ] 
Mar  1 15:01:41 moon charon: 15[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500] 
Mar  1 15:01:41 moon charon: 16[NET] received packet: from 192.168.0.2[500] to 192.168.0.1[500] 
Mar  1 15:01:41 moon charon: 16[ENC] parsed CREATE_CHILD_SA response 2 [ SA No TSi TSr ] 
Mar  1 15:01:41 moon charon: 16[KNL] no local address found in traffic selector 10.1.0.16/28 
Mar  1 15:01:41 moon charon: 16[IKE] CHILD_SA net-2{2} established with SPIs ccfdf340_i c639cbb0_o and TS 10.1.0.16/28 === 10.2.0.0/23  
Mar  1 15:01:42 moon charon: 16[IKE] establishing CHILD_SA net-3 
Mar  1 15:01:42 moon charon: 16[ENC] generating CREATE_CHILD_SA request 3 [ SA No TSi TSr ] 
Mar  1 15:01:42 moon charon: 16[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500] 
Mar  1 15:01:42 moon charon: 06[NET] received packet: from 192.168.0.2[500] to 192.168.0.1[500] 
Mar  1 15:01:42 moon charon: 06[ENC] parsed CREATE_CHILD_SA response 3 [ SA No TSi TSr ] 
Mar  1 15:01:42 moon charon: 06[KNL] no local address found in traffic selector 10.1.2.0/23 
Mar  1 15:01:42 moon charon: 06[IKE] CHILD_SA net-3{3} established with SPIs c6943594_i c96ef89c_o and TS 10.1.2.0/23 === 10.2.2.0/23  
Mar  1 15:02:11 moon charon: 15[IKE] sending DPD request 
Mar  1 15:02:11 moon charon: 15[ENC] generating INFORMATIONAL request 4 [ ] 
Mar  1 15:02:11 moon charon: 15[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500] 
Mar  1 15:02:11 moon charon: 16[NET] received packet: from 192.168.0.2[500] to 192.168.0.1[500] 
Mar  1 15:02:11 moon charon: 16[ENC] parsed INFORMATIONAL response 4 [ ] 
Mar  1 15:02:41 moon charon: 04[NET] received packet: from 192.168.0.2[500] to 192.168.0.1[500] 
Mar  1 15:02:41 moon charon: 04[ENC] parsed INFORMATIONAL request 0 [ ] 
Mar  1 15:02:41 moon charon: 04[ENC] generating INFORMATIONAL response 0 [ ] 
Mar  1 15:02:41 moon charon: 04[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500] 
Mar  1 15:03:10 moon charon: 03[IKE] sending DPD request 
Mar  1 15:03:10 moon charon: 03[ENC] generating INFORMATIONAL request 5 [ ] 
Mar  1 15:03:10 moon charon: 03[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500] 
Mar  1 15:03:10 moon charon: 02[NET] received packet: from 192.168.0.2[500] to 192.168.0.1[500] 
Mar  1 15:03:10 moon charon: 02[ENC] parsed INFORMATIONAL response 5 [ ] 
Mar  1 15:03:40 moon charon: 13[NET] received packet: from 192.168.0.2[500] to 192.168.0.1[500] 
Mar  1 15:03:40 moon charon: 13[ENC] parsed INFORMATIONAL request 1 [ ] 
Mar  1 15:03:40 moon charon: 13[ENC] generating INFORMATIONAL response 1 [ ] 
Mar  1 15:03:40 moon charon: 13[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500] 
Mar  1 15:04:09 moon charon: 15[IKE] sending DPD request 
Mar  1 15:04:09 moon charon: 15[ENC] generating INFORMATIONAL request 6 [ ] 
Mar  1 15:04:09 moon charon: 15[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500] 
Mar  1 15:04:09 moon charon: 16[NET] received packet: from 192.168.0.2[500] to 192.168.0.1[500] 
Mar  1 15:04:09 moon charon: 16[ENC] parsed INFORMATIONAL response 6 [ ] 
Mar  1 15:04:39 moon charon: 04[NET] received packet: from 192.168.0.2[500] to 192.168.0.1[500] 
Mar  1 15:04:39 moon charon: 04[ENC] parsed INFORMATIONAL request 2 [ ] 
Mar  1 15:04:39 moon charon: 04[ENC] generating INFORMATIONAL response 2 [ ] 
Mar  1 15:04:39 moon charon: 04[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500] 
Mar  1 15:05:08 moon charon: 03[IKE] sending DPD request 
Mar  1 15:05:08 moon charon: 03[ENC] generating INFORMATIONAL request 7 [ ] 
Mar  1 15:05:08 moon charon: 03[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500] 
Mar  1 15:05:08 moon charon: 02[NET] received packet: from 192.168.0.2[500] to 192.168.0.1[500] 
Mar  1 15:05:08 moon charon: 02[ENC] parsed INFORMATIONAL response 7 [ ] 
Mar  1 15:05:38 moon charon: 13[NET] received packet: from 192.168.0.2[500] to 192.168.0.1[500] 
Mar  1 15:05:38 moon charon: 13[ENC] parsed INFORMATIONAL request 3 [ ] 
Mar  1 15:05:38 moon charon: 13[ENC] generating INFORMATIONAL response 3 [ ] 
Mar  1 15:05:38 moon charon: 13[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500] 
Mar  1 15:06:07 moon charon: 15[IKE] sending DPD request 
Mar  1 15:06:07 moon charon: 15[ENC] generating INFORMATIONAL request 8 [ ] 
Mar  1 15:06:07 moon charon: 15[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500] 
Mar  1 15:06:11 moon charon: 16[IKE] retransmit 1 of request with message ID 8 
Mar  1 15:06:11 moon charon: 16[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500] 
Mar  1 15:06:19 moon charon: 06[IKE] retransmit 2 of request with message ID 8 
Mar  1 15:06:19 moon charon: 06[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500] 
Mar  1 15:06:32 moon charon: 04[IKE] retransmit 3 of request with message ID 8 
Mar  1 15:06:32 moon charon: 04[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500] 
Mar  1 15:06:55 moon charon: 03[IKE] retransmit 4 of request with message ID 8 
Mar  1 15:06:55 moon charon: 03[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500] 
Mar  1 15:07:37 moon charon: 01[IKE] retransmit 5 of request with message ID 8 
Mar  1 15:07:37 moon charon: 01[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500] 
Mar  1 15:08:53 moon charon: 16[IKE] giving up after 5 retransmits 
Mar  1 15:08:53 moon charon: 16[IKE] restarting CHILD_SA net-1 
Mar  1 15:08:53 moon charon: 16[IKE] initiating IKE_SA net-net[2] to 192.168.0.2 
Mar  1 15:08:53 moon charon: 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] 
Mar  1 15:08:53 moon charon: 16[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500] 
Mar  1 15:08:53 moon charon: 16[IKE] restarting CHILD_SA net-2 
Mar  1 15:08:53 moon charon: 16[IKE] restarting CHILD_SA net-3 
Mar  1 15:08:57 moon charon: 06[IKE] retransmit 1 of request with message ID 0 
Mar  1 15:08:57 moon charon: 06[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500] 
Mar  1 15:09:05 moon charon: 04[IKE] retransmit 2 of request with message ID 0 
Mar  1 15:09:05 moon charon: 04[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500] 
Mar  1 15:09:05 moon charon: 08[NET] received packet: from 192.168.0.2[500] to 192.168.0.1[500] 
Mar  1 15:09:05 moon charon: 08[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ] 
Mar  1 15:09:05 moon charon: 08[IKE] received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" 
Mar  1 15:09:05 moon charon: 08[IKE] received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" 
Mar  1 15:09:05 moon charon: 08[IKE] sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" 
Mar  1 15:09:05 moon charon: 08[IKE] sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" 
Mar  1 15:09:05 moon charon: 08[IKE] authentication of 'moon.strongswan.org' (myself) with RSA signature successful 
Mar  1 15:09:05 moon charon: 08[IKE] sending end entity cert "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" 
Mar  1 15:09:05 moon charon: 08[IKE] establishing CHILD_SA net-1 
Mar  1 15:09:05 moon charon: 08[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ] 
Mar  1 15:09:05 moon charon: 08[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500] 
Mar  1 15:09:05 moon charon: 03[NET] received packet: from 192.168.0.2[500] to 192.168.0.1[500] 
Mar  1 15:09:05 moon charon: 03[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ] 
Mar  1 15:09:05 moon charon: 03[IKE] received end entity cert "C=CH, O=Linux strongSwan, CN=sun.strongswan.org" 
Mar  1 15:09:05 moon charon: 03[CFG]   using certificate "C=CH, O=Linux strongSwan, CN=sun.strongswan.org" 
Mar  1 15:09:05 moon charon: 03[CFG]   using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" 
Mar  1 15:09:05 moon charon: 03[CFG] checking certificate status of "C=CH, O=Linux strongSwan, CN=sun.strongswan.org" 
Mar  1 15:09:05 moon charon: 03[CFG]   using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" 
Mar  1 15:09:05 moon charon: 03[CFG]   crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" 
Mar  1 15:09:05 moon charon: 03[CFG]   crl is valid: until Mar 26 22:26:34 2011 
Mar  1 15:09:05 moon charon: 03[CFG]   using cached crl 
Mar  1 15:09:05 moon charon: 03[CFG] certificate status is good 
Mar  1 15:09:05 moon charon: 03[CFG]   reached self-signed root ca with a path length of 0 
Mar  1 15:09:05 moon charon: 03[IKE] authentication of 'sun.strongswan.org' with RSA signature successful 
Mar  1 15:09:05 moon charon: 03[IKE] IKE_SA net-net[2] established between 192.168.0.1[moon.strongswan.org]...192.168.0.2[sun.strongswan.org] 
Mar  1 15:09:05 moon charon: 03[IKE] scheduling reauthentication in 3595s 
Mar  1 15:09:05 moon charon: 03[IKE] maximum IKE_SA lifetime 3895s 
Mar  1 15:09:05 moon charon: 03[IKE] CHILD_SA net-1{4} established with SPIs c0518f10_i cc92f97b_o and TS 10.1.0.0/28 === 10.2.0.0/23  
Mar  1 15:09:05 moon charon: 03[IKE] received AUTH_LIFETIME of 3554s, scheduling reauthentication in 3254s 
Mar  1 15:09:05 moon charon: 03[IKE] establishing CHILD_SA net-2 
Mar  1 15:09:05 moon charon: 03[ENC] generating CREATE_CHILD_SA request 2 [ SA No TSi TSr ] 
Mar  1 15:09:05 moon charon: 03[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500] 
Mar  1 15:09:06 moon charon: 02[NET] received packet: from 192.168.0.2[500] to 192.168.0.1[500] 
Mar  1 15:09:06 moon charon: 02[ENC] parsed CREATE_CHILD_SA response 2 [ SA No TSi TSr ] 
Mar  1 15:09:06 moon charon: 02[KNL] no local address found in traffic selector 10.1.0.16/28 
Mar  1 15:09:06 moon charon: 02[IKE] CHILD_SA net-2{5} established with SPIs cbd7f7c7_i ca43f25b_o and TS 10.1.0.16/28 === 10.2.0.0/23  
Mar  1 15:09:06 moon charon: 02[IKE] establishing CHILD_SA net-3 
Mar  1 15:09:06 moon charon: 02[ENC] generating CREATE_CHILD_SA request 3 [ SA No TSi TSr ] 
Mar  1 15:09:06 moon charon: 02[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500] 
Mar  1 15:09:06 moon charon: 01[NET] received packet: from 192.168.0.2[500] to 192.168.0.1[500] 
Mar  1 15:09:06 moon charon: 01[ENC] parsed CREATE_CHILD_SA response 3 [ SA No TSi TSr ] 
Mar  1 15:09:06 moon charon: 01[KNL] no local address found in traffic selector 10.1.2.0/23 
Mar  1 15:09:06 moon charon: 01[IKE] CHILD_SA net-3{6} established with SPIs c8e2a329_i ca61acb5_o and TS 10.1.2.0/23 === 10.2.2.0/23  
Mar  1 15:09:36 moon charon: 02[NET] received packet: from 192.168.0.2[500] to 192.168.0.1[500] 
Mar  1 15:09:36 moon charon: 02[ENC] parsed INFORMATIONAL request 0 [ ] 
Mar  1 15:09:36 moon charon: 02[ENC] generating INFORMATIONAL response 0 [ ] 
Mar  1 15:09:36 moon charon: 02[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500] 
Mar  1 15:10:29 moon charon: 16[NET] received packet: from 192.168.0.2[500] to 192.168.0.1[500] 
Mar  1 15:10:29 moon charon: 16[ENC] parsed INFORMATIONAL request 1 [ ] 
Mar  1 15:10:29 moon charon: 16[ENC] generating INFORMATIONAL response 1 [ ] 
Mar  1 15:10:29 moon charon: 16[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500] 
Mar  1 15:10:59 moon charon: 08[NET] received packet: from 192.168.0.2[500] to 192.168.0.1[500] 
Mar  1 15:10:59 moon charon: 08[ENC] parsed INFORMATIONAL request 2 [ ] 
Mar  1 15:10:59 moon charon: 08[ENC] generating INFORMATIONAL response 2 [ ] 
Mar  1 15:10:59 moon charon: 08[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500] 

ipsec statusall

Connections:
     net-net:  192.168.0.1...192.168.0.2, dpddelay=30s
     net-net:   local:  [moon.strongswan.org] uses public key authentication
     net-net:   remote: [sun.strongswan.org] uses any authentication
       net-1:   child:  10.1.0.0/28 === 10.2.0.0/23 , dpdaction=restart
       net-2:   child:  10.1.0.16/28 === 10.2.0.0/23 , dpdaction=restart
       net-3:   child:  10.1.2.0/24 === 10.2.2.0/24 , dpdaction=restart
Security Associations:
     net-net[1]: ESTABLISHED 4 minutes ago, 192.168.0.1[moon.strongswan.org]...192.168.0.2[sun.strongswan.org]
     net-net[1]: IKE SPIs: 6c837b3d7e49d13e_i* caa46145c5913bfd_r, public key reauthentication in 49 minutes
     net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
       net-1{1}:  INSTALLED, TUNNEL, ESP SPIs: cbc12fe8_i ca881d36_o
       net-1{1}:  AES_GCM_16_128, 0 bytes_i, 0 bytes_o, rekeying in 11 minutes
       net-1{1}:   10.1.0.0/28 === 10.2.0.0/23 
       net-2{2}:  INSTALLED, TUNNEL, ESP SPIs: ca66368f_i c3c74dbe_o
       net-2{2}:  AES_GCM_16_192, 0 bytes_i, 0 bytes_o, rekeying in 12 minutes
       net-2{2}:   10.1.0.16/28 === 10.2.0.0/23 
       net-3{3}:  INSTALLED, TUNNEL, ESP SPIs: cbf50465_i cf708ace_o
       net-3{3}:  AES_GCM_16_192, 0 bytes_i, 0 bytes_o, rekeying in 10 minutes
       net-3{3}:   10.1.2.0/23 === 10.2.2.0/23 

ipsec down net-3      # does not work

Mar  1 15:49:55 moon charon: 04[CFG] received stroke: terminate 'net-3' 
Mar  1 15:49:55 moon charon: 04[CFG] no IKE_SA named 'net-3' found 

ipsec down net-3{3}   # works

Mar  1 15:50:23 moon charon: 15[CFG] received stroke: terminate 'net-3{3}' 
Mar  1 15:50:23 moon charon: 02[IKE] closing CHILD_SA net-3{3} with SPIs cbf50465_i (0 bytes) cf708ace_o (0 bytes) and TS 10.1.2.0/23 === 10.2.2.0/23  
Mar  1 15:50:23 moon charon: 02[IKE] sending DELETE for ESP CHILD_SA with SPI cbf50465 

ipsec statusall

Connections:
     net-net:  192.168.0.1...192.168.0.2, dpddelay=30s
     net-net:   local:  [moon.strongswan.org] uses public key authentication
     net-net:   remote: [sun.strongswan.org] uses any authentication
       net-1:   child:  10.1.0.0/28 === 10.2.0.0/23 , dpdaction=restart
       net-2:   child:  10.1.0.16/28 === 10.2.0.0/23 , dpdaction=restart
       net-3:   child:  10.1.2.0/24 === 10.2.2.0/24 , dpdaction=restart
Security Associations:
     net-net[1]: ESTABLISHED 5 minutes ago, 192.168.0.1[moon.strongswan.org]...192.168.0.2[sun.strongswan.org]
     net-net[1]: IKE SPIs: 6c837b3d7e49d13e_i* caa46145c5913bfd_r, public key reauthentication in 49 minutes
     net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
       net-1{1}:  INSTALLED, TUNNEL, ESP SPIs: cbc12fe8_i ca881d36_o
       net-1{1}:  AES_GCM_16_128, 0 bytes_i, 0 bytes_o, rekeying in 11 minutes
       net-1{1}:   10.1.0.0/28 === 10.2.0.0/23 
       net-2{2}:  INSTALLED, TUNNEL, ESP SPIs: ca66368f_i c3c74dbe_o
       net-2{2}:  AES_GCM_16_192, 0 bytes_i, 0 bytes_o, rekeying in 11 minutes
       net-2{2}:   10.1.0.16/28 === 10.2.0.0/23 

ipsec up net-3      # does not work

Mar  1 15:50:39 moon charon: 04[CFG] received stroke: initiate 'net-3' 
Mar  1 15:50:39 moon charon: 04[CFG] no config named 'net-3' 
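As an added example (not code from this thread or from strongSwan), the script below parses charon log lines like those in the moon.daemon.log attachment, reconstructs the DPD retransmit timeline that ends in "giving up after 5 retransmits", and compares the observed dead-peer detection time with the one implied by charon's default retransmit settings (retransmit_tries=5, retransmit_timeout=4.0, retransmit_base=1.8). The sample lines are condensed from the attachment, and the year 2011 is assumed because syslog stamps carry none.

```python
import re
from datetime import datetime

# Constructed sample: the DPD failure window condensed from the moon.daemon.log
# attachment in this thread (NET lines and unrelated threads dropped).
SAMPLE_LOG = """\
Mar  1 15:05:08 moon charon: 03[IKE] sending DPD request
Mar  1 15:05:08 moon charon: 02[ENC] parsed INFORMATIONAL response 7 [ ]
Mar  1 15:06:07 moon charon: 15[IKE] sending DPD request
Mar  1 15:06:11 moon charon: 16[IKE] retransmit 1 of request with message ID 8
Mar  1 15:06:19 moon charon: 06[IKE] retransmit 2 of request with message ID 8
Mar  1 15:06:32 moon charon: 04[IKE] retransmit 3 of request with message ID 8
Mar  1 15:06:55 moon charon: 03[IKE] retransmit 4 of request with message ID 8
Mar  1 15:07:37 moon charon: 01[IKE] retransmit 5 of request with message ID 8
Mar  1 15:08:53 moon charon: 16[IKE] giving up after 5 retransmits
Mar  1 15:08:53 moon charon: 16[IKE] restarting CHILD_SA net-1
Mar  1 15:08:53 moon charon: 16[IKE] initiating IKE_SA net-net[2] to 192.168.0.2
Mar  1 15:08:53 moon charon: 16[IKE] restarting CHILD_SA net-2
Mar  1 15:08:53 moon charon: 16[IKE] restarting CHILD_SA net-3
"""

# "<stamp> <host> charon: <thread>[<group>] <message>"
LINE_RE = re.compile(r'^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ charon: '
                     r'\d+\[(?P<grp>[A-Z]+)\] (?P<msg>.*)$')
RETRANS_RE = re.compile(r'retransmit (\d+) of request with message ID (\d+)')
GIVEUP_RE = re.compile(r'giving up after (\d+) retransmits')
RESTART_RE = re.compile(r'restarting CHILD_SA (\S+)')


def parse_ts(stamp, year=2011):
    # syslog stamps have no year; 2011 is the thread's date (assumption).
    return datetime.strptime(f'{year} {" ".join(stamp.split())}', '%Y %b %d %H:%M:%S')


def dpd_timeline(log_text):
    """Summarise the most recent DPD probe: when it was sent, whether it was
    answered, the seconds before each retransmit, the seconds before charon
    gave up, and which CHILD_SAs dpd_action=restart then re-initiated."""
    result = {'dpd_sent': None, 'answered': False, 'retransmit_gaps': [],
              'give_up_gap': None, 'detection_seconds': None, 'restarted': []}
    last = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = parse_ts(m['ts']), m['msg'].strip()
        if msg == 'sending DPD request':
            # A new probe opens a new window; earlier state is discarded.
            result.update(dpd_sent=ts, answered=False, retransmit_gaps=[],
                          give_up_gap=None, detection_seconds=None, restarted=[])
            last = ts
        elif msg.startswith('parsed INFORMATIONAL response'):
            result['answered'] = True          # peer is alive, window closed
        elif RETRANS_RE.match(msg) and last is not None:
            result['retransmit_gaps'].append(int((ts - last).total_seconds()))
            last = ts
        elif GIVEUP_RE.match(msg) and last is not None:
            result['give_up_gap'] = int((ts - last).total_seconds())
            result['detection_seconds'] = int((ts - result['dpd_sent']).total_seconds())
        elif RESTART_RE.match(msg):
            result['restarted'].append(RESTART_RE.match(msg).group(1))
    return result


def expected_detection_seconds(tries=5, timeout=4.0, base=1.8):
    """Seconds charon waits before declaring the peer dead under the defaults
    charon.retransmit_tries / retransmit_timeout / retransmit_base: the n-th
    wait is timeout * base**n for n = 0 .. tries (the last wait precedes
    'giving up'), so the dpddelay of 30s comes on top of this figure."""
    return sum(timeout * base ** n for n in range(tries + 1))
```

Against the attachment the observed window is 166 s, within a second of the 165.06 s the defaults predict, so with dpddelay=30s a dead amon peer is noticed by sphynx after roughly three and a half minutes.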

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
