Hello,
I can confirm that my previously reported bug was fixed
(route disappears on IP address change).
However, I found another problem, possibly related, which can be
reproduced as follows with strongSwan 4.6.0:
- setup the test scenario as in ikev2/net2net-cert (ignoring winnetou)
- replace the ethernet link between moon and sun by a serial line,
run PPP on it with the IP addresses that were previously on ethernet
- start the IPsec tunnel -> route in table 220 is OK
- trigger PPP renegotiation -> route is gone
Charon log: see attachment.
Typescript (some output removed):
root@moon:~# pppd 192.168.0.1:192.168.0.2 passive noauth nodetach persist /dev/ttyS1
root@sun:~# pppd noauth nodetach persist /dev/ttyS1
root@moon:~# ipsec up net-net
root@moon:~# ip route ls table 220
10.2.0.0/16 via 192.168.0.2 dev ppp0 proto static src 10.1.0.1
root@sun:~# ip route ls table 220
10.1.0.0/16 via 192.168.0.1 dev ppp0 proto static src 10.2.0.1
root@moon:~# killall -HUP pppd
# wait until IP addresses have been renegotiated
root@moon:~# ip route ls table 220
root@sun:~# ip route ls table 220
# the routes in table 220 are now gone
Regards,
Mirko
Nov 9 17:30:12 moon charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan
4.6.0)
Nov 9 17:30:15 moon charon: 00[KNL] listening on interfaces:
Nov 9 17:30:15 moon charon: 00[KNL] eth1
Nov 9 17:30:15 moon charon: 00[KNL] 10.1.0.1
Nov 9 17:30:15 moon charon: 00[KNL] fe80::5054:ff:fe71:c0d7
Nov 9 17:30:15 moon charon: 00[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
Nov 9 17:30:15 moon charon: 00[CFG] loaded ca certificate "C=CH, O=Linux
strongSwan, CN=strongSwan Root CA" from
'/etc/ipsec.d/cacerts/strongswanCert.pem'
Nov 9 17:30:15 moon charon: 00[CFG] loading aa certificates from
'/etc/ipsec.d/aacerts'
Nov 9 17:30:15 moon charon: 00[CFG] loading ocsp signer certificates from
'/etc/ipsec.d/ocspcerts'
Nov 9 17:30:15 moon charon: 00[CFG] loading attribute certificates from
'/etc/ipsec.d/acerts'
Nov 9 17:30:15 moon charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 9 17:30:15 moon charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 9 17:30:15 moon charon: 00[CFG] loaded RSA private key from
'/etc/ipsec.d/private/moonKey.pem'
Nov 9 17:30:15 moon charon: 00[CFG] sql plugin: database URI not set
Nov 9 17:30:15 moon charon: 00[LIB] plugin 'sql': failed to load -
sql_plugin_create returned NULL
Nov 9 17:30:15 moon charon: 00[CFG] loaded 0 RADIUS server configurations
Nov 9 17:30:15 moon charon: 00[LIB] plugin 'eap-tnc' failed to load:
/usr/lib/ipsec/plugins/libstrongswan-eap-tnc.so: undefined symbol: tnc
Nov 9 17:30:15 moon charon: 00[LIB] plugin 'medsrv' failed to load:
/usr/lib/ipsec/plugins/libstrongswan-medsrv.so: cannot open shared object file:
No such file or directory
Nov 9 17:30:15 moon charon: 00[CFG] mediation client database URI not defined,
skipped
Nov 9 17:30:15 moon charon: 00[LIB] plugin 'medcli': failed to load -
medcli_plugin_create returned NULL
Nov 9 17:30:15 moon charon: 00[LIB] plugin 'nm' failed to load:
/usr/lib/ipsec/plugins/libstrongswan-nm.so: cannot open shared object file: No
such file or directory
Nov 9 17:30:15 moon charon: 00[CFG] HA config misses local/remote address
Nov 9 17:30:15 moon charon: 00[LIB] plugin 'ha': failed to load -
ha_plugin_create returned NULL
Nov 9 17:30:15 moon charon: 00[LIB] feature PRF:PRF_CAMELLIA128_XCBC in 'xcbc'
plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-16
Nov 9 17:30:15 moon charon: 00[LIB] feature SIGNER:CAMELLIA_XCBC_96 in 'xcbc'
plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-16
Nov 9 17:30:15 moon charon: 00[LIB] feature CRYPTER:CAMELLIA_CTR-16 in 'ctr'
plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-16
Nov 9 17:30:15 moon charon: 00[LIB] feature CRYPTER:CAMELLIA_CTR-24 in 'ctr'
plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-24
Nov 9 17:30:15 moon charon: 00[LIB] feature CRYPTER:CAMELLIA_CTR-32 in 'ctr'
plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-32
Nov 9 17:30:15 moon charon: 00[LIB] feature AEAD:CAMELLIA_CCM_8-16 in 'ccm'
plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-16
Nov 9 17:30:15 moon charon: 00[LIB] feature AEAD:CAMELLIA_CCM_8-24 in 'ccm'
plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-24
Nov 9 17:30:15 moon charon: 00[LIB] feature AEAD:CAMELLIA_CCM_8-32 in 'ccm'
plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-32
Nov 9 17:30:15 moon charon: 00[LIB] feature AEAD:CAMELLIA_CCM_12-16 in 'ccm'
plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-16
Nov 9 17:30:15 moon charon: 00[LIB] feature AEAD:CAMELLIA_CCM_12-24 in 'ccm'
plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-24
Nov 9 17:30:15 moon charon: 00[LIB] feature AEAD:CAMELLIA_CCM_12-32 in 'ccm'
plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-32
Nov 9 17:30:15 moon charon: 00[LIB] feature AEAD:CAMELLIA_CCM_16-16 in 'ccm'
plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-16
Nov 9 17:30:15 moon charon: 00[LIB] feature AEAD:CAMELLIA_CCM_16-24 in 'ccm'
plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-24
Nov 9 17:30:15 moon charon: 00[LIB] feature AEAD:CAMELLIA_CCM_16-32 in 'ccm'
plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-32
Nov 9 17:30:15 moon charon: 00[DMN] loaded plugins: test-vectors curl ldap
pkcs11 aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1
pgp pem openssl fips-prf gmp agent xcbc hmac ctr ccm gcm attr kernel-netlink
resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc
eap-mschapv2 eap-radius eap-tls eap-ttls dhcp led addrblock
Nov 9 17:30:15 moon charon: 00[JOB] spawning 16 worker threads
Nov 9 17:30:15 moon charon: 09[CFG] received stroke: add connection 'net-net'
Nov 9 17:30:15 moon charon: 09[KNL] getting interface name for 192.168.0.2
Nov 9 17:30:15 moon charon: 09[KNL] 192.168.0.2 is not a local address
Nov 9 17:30:15 moon charon: 09[KNL] getting interface name for 192.168.0.1
Nov 9 17:30:15 moon charon: 09[KNL] 192.168.0.1 is not a local address
Nov 9 17:30:15 moon charon: 09[CFG] left nor right host is our side, assuming
left=local
Nov 9 17:30:15 moon charon: 09[CFG] loaded certificate "C=CH, O=Linux
strongSwan, CN=moon.strongswan.org" from 'moonCert.pem'
Nov 9 17:30:15 moon charon: 09[CFG] added configuration 'net-net'
Nov 9 17:30:24 moon puppet-agent[1585]: Reopening log files
Nov 9 17:30:25 moon puppet-agent[1585]: Starting Puppet client version 2.6.2
Nov 9 17:30:25 moon puppet-agent[1585]: Could not retrieve catalog from remote
server: getaddrinfo: Name or service not known
Nov 9 17:30:26 moon puppet-agent[1585]: Using cached catalog
Nov 9 17:30:26 moon puppet-agent[1585]: Could not retrieve catalog; skipping
run
Nov 9 17:31:28 moon charon: 03[KNL] 192.168.0.1 appeared on ppp0
Nov 9 17:31:28 moon charon: 03[KNL] 192.168.0.1 disappeared from ppp0
Nov 9 17:31:28 moon charon: 03[KNL] 192.168.0.1 appeared on ppp0
Nov 9 17:31:28 moon charon: 03[KNL] interface ppp0 activated
Nov 9 17:31:28 moon charon: 10[KNL] creating roam job due to address/link
change
Nov 9 17:32:03 moon charon: 12[CFG] received stroke: initiate 'net-net'
Nov 9 17:32:03 moon charon: 14[IKE] initiating IKE_SA net-net[1] to 192.168.0.2
Nov 9 17:32:03 moon charon: 14[ENC] generating IKE_SA_INIT request 0 [ SA KE
No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 9 17:32:03 moon charon: 14[NET] sending packet: from 192.168.0.1[500] to
192.168.0.2[500]
Nov 9 17:32:03 moon charon: 15[NET] received packet: from 192.168.0.2[500] to
192.168.0.1[500]
Nov 9 17:32:03 moon charon: 15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Nov 9 17:32:03 moon charon: 15[IKE] received cert request for "C=CH, O=Linux
strongSwan, CN=strongSwan Root CA"
Nov 9 17:32:03 moon charon: 15[IKE] sending cert request for "C=CH, O=Linux
strongSwan, CN=strongSwan Root CA"
Nov 9 17:32:03 moon charon: 15[IKE] authentication of 'moon.strongswan.org'
(myself) with RSA signature successful
Nov 9 17:32:03 moon charon: 15[IKE] sending end entity cert "C=CH, O=Linux
strongSwan, CN=moon.strongswan.org"
Nov 9 17:32:03 moon charon: 15[IKE] establishing CHILD_SA net-net
Nov 9 17:32:03 moon charon: 15[KNL] getting SPI for reqid {1}
Nov 9 17:32:03 moon charon: 15[KNL] got SPI c8abf7d9 for reqid {1}
Nov 9 17:32:03 moon charon: 15[ENC] generating IKE_AUTH request 1 [ IDi CERT
N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Nov 9 17:32:03 moon charon: 15[NET] sending packet: from 192.168.0.1[500] to
192.168.0.2[500]
Nov 9 17:32:04 moon charon: 16[NET] received packet: from 192.168.0.2[500] to
192.168.0.1[500]
Nov 9 17:32:04 moon charon: 16[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH
SA TSi TSr N(AUTH_LFT) ]
Nov 9 17:32:04 moon charon: 16[IKE] received end entity cert "C=CH, O=Linux
strongSwan, CN=sun.strongswan.org"
Nov 9 17:32:04 moon charon: 16[CFG] using certificate "C=CH, O=Linux
strongSwan, CN=sun.strongswan.org"
Nov 9 17:32:04 moon charon: 16[CFG] using trusted ca certificate "C=CH,
O=Linux strongSwan, CN=strongSwan Root CA"
Nov 9 17:32:04 moon charon: 16[CFG] checking certificate status of "C=CH,
O=Linux strongSwan, CN=sun.strongswan.org"
Nov 9 17:32:04 moon charon: 16[CFG] fetching crl from
'http://crl.strongswan.org/strongswan.crl' ...
Nov 9 17:32:04 moon charon: 16[LIB] libcurl http request failed: couldn't
connect to host
Nov 9 17:32:04 moon charon: 16[CFG] crl fetching failed
Nov 9 17:32:04 moon charon: 16[CFG] certificate status is not available
Nov 9 17:32:04 moon charon: 16[CFG] reached self-signed root ca with a path
length of 0
Nov 9 17:32:04 moon charon: 16[IKE] authentication of 'sun.strongswan.org'
with RSA signature successful
Nov 9 17:32:04 moon charon: 16[IKE] IKE_SA net-net[1] established between
192.168.0.1[moon.strongswan.org]...192.168.0.2[sun.strongswan.org]
Nov 9 17:32:04 moon charon: 16[IKE] scheduling reauthentication in 3293s
Nov 9 17:32:04 moon charon: 16[IKE] maximum IKE_SA lifetime 3473s
Nov 9 17:32:04 moon charon: 16[KNL] adding SAD entry with SPI c8abf7d9 and
reqid {1}
Nov 9 17:32:04 moon charon: 16[KNL] using encryption algorithm AES_CBC with
key size 128
Nov 9 17:32:04 moon charon: 16[KNL] using integrity algorithm HMAC_SHA1_96
with key size 160
Nov 9 17:32:04 moon charon: 16[KNL] adding SAD entry with SPI cee815ff and
reqid {1}
Nov 9 17:32:04 moon charon: 16[KNL] using encryption algorithm AES_CBC with
key size 128
Nov 9 17:32:04 moon charon: 16[KNL] using integrity algorithm HMAC_SHA1_96
with key size 160
Nov 9 17:32:04 moon charon: 16[KNL] adding policy 10.1.0.0/16 === 10.2.0.0/16
out
Nov 9 17:32:04 moon charon: 16[KNL] adding policy 10.2.0.0/16 === 10.1.0.0/16
in
Nov 9 17:32:04 moon charon: 16[KNL] adding policy 10.2.0.0/16 === 10.1.0.0/16
fwd
Nov 9 17:32:04 moon charon: 16[KNL] getting a local address in traffic
selector 10.1.0.0/16
Nov 9 17:32:04 moon charon: 16[KNL] using host 10.1.0.1
Nov 9 17:32:04 moon charon: 16[KNL] getting address to reach 192.168.0.2
Nov 9 17:32:04 moon charon: 16[KNL] getting interface name for 192.168.0.1
Nov 9 17:32:04 moon charon: 16[KNL] 192.168.0.1 is on interface ppp0
Nov 9 17:32:04 moon charon: 16[KNL] installing route: 10.2.0.0/16 via
192.168.0.2 src 10.1.0.1 dev ppp0
Nov 9 17:32:04 moon charon: 16[KNL] getting iface index for ppp0
Nov 9 17:32:04 moon charon: 16[KNL] policy 10.1.0.0/16 === 10.2.0.0/16 out
already exists, increasing refcount
Nov 9 17:32:04 moon charon: 16[KNL] updating policy 10.1.0.0/16 ===
10.2.0.0/16 out
Nov 9 17:32:04 moon charon: 16[KNL] policy 10.2.0.0/16 === 10.1.0.0/16 in
already exists, increasing refcount
Nov 9 17:32:04 moon charon: 16[KNL] updating policy 10.2.0.0/16 ===
10.1.0.0/16 in
Nov 9 17:32:04 moon charon: 16[KNL] policy 10.2.0.0/16 === 10.1.0.0/16 fwd
already exists, increasing refcount
Nov 9 17:32:04 moon charon: 16[KNL] updating policy 10.2.0.0/16 ===
10.1.0.0/16 fwd
Nov 9 17:32:04 moon charon: 16[KNL] getting a local address in traffic
selector 10.1.0.0/16
Nov 9 17:32:04 moon charon: 16[KNL] using host 10.1.0.1
Nov 9 17:32:04 moon charon: 16[KNL] getting address to reach 192.168.0.2
Nov 9 17:32:04 moon charon: 16[KNL] getting interface name for 192.168.0.1
Nov 9 17:32:04 moon charon: 16[KNL] 192.168.0.1 is on interface ppp0
Nov 9 17:32:04 moon charon: 16[KNL] getting iface index for ppp0
Nov 9 17:32:04 moon charon: 16[IKE] CHILD_SA net-net{1} established with SPIs
c8abf7d9_i cee815ff_o and TS 10.1.0.0/16 === 10.2.0.0/16
Nov 9 17:32:04 moon charon: 16[KNL] getting interface name for 192.168.0.1
Nov 9 17:32:04 moon charon: 16[KNL] 192.168.0.1 is on interface ppp0
Nov 9 17:32:04 moon charon: 16[IKE] received AUTH_LIFETIME of 3305s,
scheduling reauthentication in 3125s
Nov 9 17:32:10 moon charon: 11[KNL] querying SAD entry with SPI c8abf7d9
Nov 9 17:32:10 moon charon: 11[KNL] querying SAD entry with SPI cee815ff
Nov 9 17:32:49 moon charon: 03[KNL] interface ppp0 deactivated
Nov 9 17:32:49 moon charon: 03[KNL] 192.168.0.1 disappeared from ppp0
Nov 9 17:32:49 moon charon: 14[KNL] creating roam job due to address/link
change
Nov 9 17:32:49 moon charon: 14[KNL] getting address to reach 192.168.0.2
Nov 9 17:32:49 moon charon: 14[IKE] old path is not available anymore, try to
find another
Nov 9 17:32:49 moon charon: 14[KNL] getting address to reach 192.168.0.2
Nov 9 17:32:49 moon charon: 14[IKE] no route found to reach 192.168.0.2,
MOBIKE update deferred
Nov 9 17:32:55 moon charon: 03[KNL] 192.168.0.1 appeared on ppp0
Nov 9 17:32:55 moon charon: 03[KNL] 192.168.0.1 disappeared from ppp0
Nov 9 17:32:55 moon charon: 03[KNL] 192.168.0.1 appeared on ppp0
Nov 9 17:32:55 moon charon: 03[KNL] interface ppp0 activated
Nov 9 17:32:55 moon charon: 12[KNL] creating roam job due to address/link
change
Nov 9 17:32:55 moon charon: 12[KNL] getting address to reach 192.168.0.2
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
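The attached log shows the failure mode directly: charon logs "installing route: 10.2.0.0/16 via 192.168.0.2 src 10.1.0.1 dev ppp0" when the CHILD_SA comes up, then "interface ppp0 deactivated" and a deferred MOBIKE update when pppd renegotiates, then "interface ppp0 activated" and a new roam job, but no second "installing route" line. Since the kernel drops routes through an interface that goes down and charon does not log that removal, the only evidence in the log is that missing re-install. The script below is an added example, not code from the reporter or from the strongSwan project: it parses the [KNL]/[IKE] message formats exactly as they appear in the 4.6.0 log above and flags any charon-installed route whose device went down and came back without a fresh install. The embedded sample is a trimmed copy of the relevant lines from the attachment, and the assumption that a link-down event invalidates the routes on that device is stated in a comment.

```python
"""Find routes charon installed that were not re-installed after the
underlying interface went down and came back up (route in table 220 gone).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the relevant lines copied from the charon log posted
# above, trimmed to the events this script looks at.
SAMPLE_LOG = """\
Nov 9 17:31:28 moon charon: 03[KNL] 192.168.0.1 appeared on ppp0
Nov 9 17:31:28 moon charon: 03[KNL] interface ppp0 activated
Nov 9 17:31:28 moon charon: 10[KNL] creating roam job due to address/link change
Nov 9 17:32:04 moon charon: 16[KNL] installing route: 10.2.0.0/16 via 192.168.0.2 src 10.1.0.1 dev ppp0
Nov 9 17:32:04 moon charon: 16[IKE] CHILD_SA net-net{1} established with SPIs c8abf7d9_i cee815ff_o and TS 10.1.0.0/16 === 10.2.0.0/16
Nov 9 17:32:49 moon charon: 03[KNL] interface ppp0 deactivated
Nov 9 17:32:49 moon charon: 03[KNL] 192.168.0.1 disappeared from ppp0
Nov 9 17:32:49 moon charon: 14[KNL] creating roam job due to address/link change
Nov 9 17:32:49 moon charon: 14[IKE] no route found to reach 192.168.0.2, MOBIKE update deferred
Nov 9 17:32:55 moon charon: 03[KNL] 192.168.0.1 appeared on ppp0
Nov 9 17:32:55 moon charon: 03[KNL] interface ppp0 activated
Nov 9 17:32:55 moon charon: 12[KNL] creating roam job due to address/link change
"""

# syslog prefix as produced by charon 4.6.0: "<ts> <host> charon: <thread>[GRP] <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ charon: "
    r"\d+\[(?P<grp>[A-Z]+)\] (?P<msg>.*)$"
)
INSTALL_RE = re.compile(
    r"installing route: (?P<dst>\S+) via (?P<gw>\S+) src (?P<src>\S+) dev (?P<dev>\S+)"
)
DOWN_RE = re.compile(r"interface (?P<dev>\S+) deactivated")
UP_RE = re.compile(r"interface (?P<dev>\S+) activated")
DEFER_RE = re.compile(r"MOBIKE update deferred")


def parse(log: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, log group, message) for every well-formed charon line."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m.group("ts"), m.group("grp"), m.group("msg")))
    return events


def find_lost_routes(log: str) -> List[dict]:
    """Routes charon installed on a device that later went down and came back
    up without charon logging a fresh 'installing route' for them.

    Assumption (kernel behaviour, not logged by charon): routes via an
    interface that goes down are dropped by the kernel, so after a link flap
    a route only exists again if charon re-installs it.
    """
    installed: Dict[str, List[dict]] = {}  # dev -> routes charon installed
    pending: Dict[str, List[dict]] = {}    # dev -> routes lost on link-down
    for ts, grp, msg in parse(log):
        if grp == "IKE" and DEFER_RE.search(msg):
            # Roam job found no path: note it on every route still at risk.
            for routes in pending.values():
                for r in routes:
                    r["mobike_deferred"] = True
            continue
        if grp != "KNL":
            continue
        m = INSTALL_RE.search(msg)
        if m:
            route = dict(m.groupdict(), installed_at=ts)
            dev = route["dev"]
            installed.setdefault(dev, []).append(route)
            # A re-install after the flap resolves the matching pending entry.
            pending[dev] = [r for r in pending.get(dev, []) if r["dst"] != route["dst"]]
            continue
        m = DOWN_RE.search(msg)
        if m:
            dev = m.group("dev")
            for r in installed.pop(dev, []):
                pending.setdefault(dev, []).append(dict(r, down_at=ts))
            continue
        m = UP_RE.search(msg)
        if m:
            for r in pending.get(m.group("dev"), []):
                r["up_at"] = ts
    # Still pending after the device came back up: route was never re-installed.
    return [r for routes in pending.values() for r in routes if "up_at" in r]


if __name__ == "__main__":
    for r in find_lost_routes(SAMPLE_LOG):
        print(f"route {r['dst']} via {r['gw']} dev {r['dev']} installed {r['installed_at']}, "
              f"link down {r['down_at']}, up {r['up_at']}, not re-installed")
```

Run it against a full charon log (`python3 lost_routes.py < /var/log/syslog` after swapping SAMPLE_LOG for `sys.stdin.read()`) and compare the findings with `ip route ls table 220` on the same host; a finding with no matching route in table 220 is the symptom described in the report.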