Hello, I'm using tunnel mode within an IPsec connection, while the two hosts are under the same gateway. The connection can be established, however it then begins to cycle its state forever.
Sep 19 16:28:14 bonnie charon: 06[CFG] received stroke: initiate 'bonnie_psk_clyde'
Sep 19 16:28:14 bonnie charon: 10[AUD] initiating IKE_SA 'bonnie_psk_clyde' to 9.11.237.67
Sep 19 16:28:14 bonnie charon: 10[AUD] initiating IKE_SA 'bonnie_psk_clyde' to 9.11.237.67
Sep 19 16:28:14 bonnie charon: 10[IKE] IKE_SA 'bonnie_psk_clyde' state change: CREATED => CONNECTING
Sep 19 16:28:14 bonnie charon: 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_D_IP) N(NATD_S_IP) ]
Sep 19 16:28:14 bonnie charon: 10[NET] sending packet: from 9.11.237.60[500] to 9.11.237.67[500]
Sep 19 16:28:14 bonnie charon: 11[NET] received packet: from 9.11.237.67[500] to 9.11.237.60[500]
Sep 19 16:28:14 bonnie charon: 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Sep 19 16:28:14 bonnie charon: 11[IKE] authentication of '9.11.237.60' (myself) with pre-shared key
Sep 19 16:28:14 bonnie charon: 11[AUD] establishing CHILD_SA
Sep 19 16:28:14 bonnie charon: 11[AUD] establishing CHILD_SA
Sep 19 16:28:14 bonnie charon: 11[ENC] generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr ]
Sep 19 16:28:14 bonnie charon: 11[NET] sending packet: from 9.11.237.60[500] to 9.11.237.67[500]
Sep 19 16:28:14 bonnie charon: 12[NET] received packet: from 9.11.237.67[500] to 9.11.237.60[500]
Sep 19 16:28:14 bonnie charon: 12[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
Sep 19 16:28:14 bonnie charon: 12[IKE] authentication of '9.11.237.67' with pre-shared key successful
Sep 19 16:28:14 bonnie charon: 12[IKE] IKE_SA 'bonnie_psk_clyde' state change: CONNECTING => ESTABLISHED
Sep 19 16:28:14 bonnie charon: 12[IKE] scheduling reauthentication in 112s
Sep 19 16:28:14 bonnie charon: 12[IKE] maximum IKE_SA lifetime 117s
Sep 19 16:28:14 bonnie charon: 12[AUD] IKE_SA 'bonnie_psk_clyde' established between 9.11.237.60[9.11.237.60]...[9.11.237.67]9.11.237.67
Sep 19 16:28:14 bonnie charon: 12[AUD] IKE_SA 'bonnie_psk_clyde' established between 9.11.237.60[9.11.237.60]...[9.11.237.67]9.11.237.67
Sep 19 16:28:14 bonnie charon: 12[AUD] CHILD_SA 'bonnie_psk_clyde' established successfully
Sep 19 16:28:14 bonnie charon: 12[AUD] CHILD_SA 'bonnie_psk_clyde' established successfully
Sep 19 16:28:14 bonnie charon: 12[IKE] received AUTH_LIFETIME of 112s, scheduling reauthentication in 107s
Sep 19 16:28:14 bonnie charon: 13[IKE] reestablishing IKE_SA due address change <---------------------------------------- ????
Sep 19 16:28:14 bonnie charon: 13[IKE] IKE_SA 'bonnie_psk_clyde' state change: ESTABLISHED => DELETING
Sep 19 16:28:14 bonnie charon: 13[ENC] generating INFORMATIONAL request 2 [ D ]
Sep 19 16:28:14 bonnie charon: 13[NET] sending packet: from 9.11.237.60[500] to 9.11.237.67[500]
Sep 19 16:28:14 bonnie charon: 14[NET] received packet: from 9.11.237.67[500] to 9.11.237.60[500]
Sep 19 16:28:14 bonnie charon: 14[ENC] parsed INFORMATIONAL response 2 [ ]
Sep 19 16:28:14 bonnie charon: 14[AUD] initiating IKE_SA 'bonnie_psk_clyde' to 9.11.237.67
Sep 19 16:28:14 bonnie charon: 14[AUD] initiating IKE_SA 'bonnie_psk_clyde' to 9.11.237.67
Sep 19 16:28:14 bonnie charon: 14[IKE] IKE_SA 'bonnie_psk_clyde' state change: CREATED => CONNECTING
Sep 19 16:28:14 bonnie charon: 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_D_IP) N(NATD_S_IP) ]
Sep 19 16:28:14 bonnie charon: 14[NET] sending packet: from 9.11.237.60[500] to 9.11.237.67[500]
Sep 19 16:28:15 bonnie charon: 04[NET] received packet: from 9.11.237.67[500] to 9.11.237.60[500]
Sep 19 16:28:15 bonnie charon: 04[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Sep 19 16:28:15 bonnie charon: 04[IKE] authentication of '9.11.237.60' (myself) with pre-shared key
Sep 19 16:28:15 bonnie charon: 04[AUD] establishing CHILD_SA
Sep 19 16:28:15 bonnie charon: 04[AUD] establishing CHILD_SA
Sep 19 16:28:15 bonnie charon: 04[ENC] generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr ]
Sep 19 16:28:15 bonnie charon: 04[NET] sending packet: from 9.11.237.60[500] to 9.11.237.67[500]
Sep 19 16:28:15 bonnie charon: 05[IKE] reestablishing IKE_SA due address change
...

The IKE_SA keeps cycling through CREATED => CONNECTING => ESTABLISHED => DELETING => CREATED => ...

When I set "type=transport", or use the same configuration between hosts that are not under the same gateway, the connection is established normally. I understand that transport mode requires the IPsec AH/ESP headers to be inserted into the IP packet, while tunnel mode encapsulates the whole original IP datagram and then adds a new IP header, but I still have no idea why, in tunnel mode, the log messages show "reestablishing IKE_SA due address change". Is it working as designed? And could you explain how the address has changed? Thanks a lot.

Best regards,
Xudong
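As an added example (it is not part of Xudong's post and not strongSwan's own code), the following Python script parses charon syslog lines of the kind quoted above, pairs each "reestablishing IKE_SA due address change" message with the ESTABLISHED => DELETING transition that the same worker thread logs right after it, and flags any connection whose IKE_SA is torn down that way repeatedly within a short window. The embedded sample log is constructed from the lines in the post; the threshold of three teardowns in sixty seconds is an assumed tuning value, and the "other_conn" entry is invented to show that an unaffected connection is not reported.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, modelled on the charon syslog lines quoted in the post
# (year-less syslog timestamp, host, "charon:", worker thread id, subsystem, message).
SAMPLE_LOG = """\
Sep 19 16:28:14 bonnie charon: 10[IKE] IKE_SA 'bonnie_psk_clyde' state change: CREATED => CONNECTING
Sep 19 16:28:14 bonnie charon: 12[IKE] IKE_SA 'bonnie_psk_clyde' state change: CONNECTING => ESTABLISHED
Sep 19 16:28:14 bonnie charon: 13[IKE] reestablishing IKE_SA due address change
Sep 19 16:28:14 bonnie charon: 13[IKE] IKE_SA 'bonnie_psk_clyde' state change: ESTABLISHED => DELETING
Sep 19 16:28:14 bonnie charon: 14[IKE] IKE_SA 'bonnie_psk_clyde' state change: CREATED => CONNECTING
Sep 19 16:28:15 bonnie charon: 04[IKE] IKE_SA 'bonnie_psk_clyde' state change: CONNECTING => ESTABLISHED
Sep 19 16:28:15 bonnie charon: 05[IKE] reestablishing IKE_SA due address change
Sep 19 16:28:15 bonnie charon: 05[IKE] IKE_SA 'bonnie_psk_clyde' state change: ESTABLISHED => DELETING
Sep 19 16:28:15 bonnie charon: 06[IKE] IKE_SA 'bonnie_psk_clyde' state change: CREATED => CONNECTING
Sep 19 16:28:15 bonnie charon: 07[IKE] IKE_SA 'bonnie_psk_clyde' state change: CONNECTING => ESTABLISHED
Sep 19 16:28:16 bonnie charon: 08[IKE] reestablishing IKE_SA due address change
Sep 19 16:28:16 bonnie charon: 08[IKE] IKE_SA 'bonnie_psk_clyde' state change: ESTABLISHED => DELETING
Sep 19 16:30:00 bonnie charon: 09[IKE] IKE_SA 'other_conn' state change: CONNECTING => ESTABLISHED
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) charon: "
    r"(?P<thread>\d+)\[(?P<subsys>[A-Z]+)\] (?P<msg>.*)$"
)
STATE_RE = re.compile(r"IKE_SA '(?P<conn>[^']+)' state change: (?P<old>\w+) => (?P<new>\w+)")
ROAM_MSG = "reestablishing IKE_SA due address change"


def parse_line(line):
    """Split one charon syslog line into its fields, or return None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # syslog timestamps carry no year; strptime fills in 1900, which is fine for deltas
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    return ev


def roam_teardowns(lines):
    """Map connection name -> timestamps at which charon tore its IKE_SA down
    because of an address-change (roam) event."""
    pending = {}                  # worker thread id -> timestamp of its roam message
    result = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["msg"] == ROAM_MSG:
            pending[ev["thread"]] = ev["ts"]
            continue
        sm = STATE_RE.search(ev["msg"])
        if sm and sm["old"] == "ESTABLISHED" and sm["new"] == "DELETING":
            # the roam message names no connection; the same worker thread logs
            # the teardown immediately afterwards, so pair the two by thread id
            if ev["thread"] in pending:
                result[sm["conn"]].append(pending.pop(ev["thread"]))
    return dict(result)


def find_reestablish_loops(lines, threshold=3, window_seconds=60):
    """Return {conn: n} for every connection with at least `threshold` roam-triggered
    teardowns inside some `window_seconds` window; n is the largest such count."""
    window = timedelta(seconds=window_seconds)
    loops = {}
    for conn, stamps in roam_teardowns(lines).items():
        stamps.sort()
        best, j = 0, 0
        for i, start in enumerate(stamps):       # sliding window over sorted timestamps
            while j < len(stamps) and stamps[j] - start <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            loops[conn] = best
    return loops


if __name__ == "__main__":
    for conn, n in find_reestablish_loops(SAMPLE_LOG.splitlines()).items():
        print(f"{conn}: {n} roam-triggered IKE_SA re-establishments within 60s")
```

Run against the log in the post, the script reports bonnie_psk_clyde and nothing else; fed from a syslog pipe it gives an operator a flap alert for a tunnel that, as here, is re-established several times a second and therefore never carries traffic for more than a moment. Pairing the roam message with the teardown by worker thread id is the one assumption about charon's logging that the detector relies on; if a deployment's log format adds or drops fields, only LINE_RE needs adjusting.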
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
