Hello all, I have 2 gateways running "Linux strongSwan U4.3.5/K2.6.32-526" configured for IKEv2, net-to-net with MOBIKE enabled.
Gateway-A, the initiator, has 2 links. Gateway-B, the responder, has only one link. These are the IP addresses:

gateway-A_link1 = 172.19.78.72
gateway-A_link2 = 10.5.102.102
gateway-B_link1 = 192.168.10.10

Gateway-A uses both links, alternately, as "default link" (depending on its location). MOBIKE works beautifully when switching links. Gateway-A can only reach gateway-B using the default route.

The problem I'm observing is that if the IKE_SA is established on one of gateway-A's links and the link switches before IKE_REAUTH starts, strongSwan tries (and fails) to initiate the new IKE_SA using the IP address of the initial link. It doesn't matter which link starts; it happens regardless of the direction of the link switch. I also tested another machine in place of gateway-A, running Linux strongSwan U5.1.2/K3.4.11-527, with the same result.

Here is an example. The tunnel was initially established while gateway-A_link2 was the default route. The default route changed at around 16:00, making gateway-A_link1 the default route.

Jul 7 16:22:34 gateway-A charon: 09[IKE] queueing IKE_REAUTH task
Jul 7 16:22:34 gateway-A charon: 09[IKE] activating new tasks
Jul 7 16:22:34 gateway-A charon: 09[IKE] activating IKE_REAUTH task
Jul 7 16:22:34 gateway-A charon: 09[IKE] deleting IKE_SA Net-Net[1] between 172.19.78.72[gateway-A]...192.168.10.10[gateway-B]
Jul 7 16:22:34 gateway-A charon: 09[IKE] IKE_SA Net-Net[1] state change: ESTABLISHED => DELETING
Jul 7 16:22:34 gateway-A charon: 09[IKE] sending DELETE for IKE_SA Net-Net[1]
Jul 7 16:22:34 gateway-A charon: 09[NET] sending packet: from 172.19.78.72[4500] to 192.168.10.10[4500]
Jul 7 16:22:34 gateway-A charon: 05[NET] sending packet: from 172.19.78.72[4500] to 192.168.10.10[4500]
Jul 7 16:22:34 gateway-A charon: 06[NET] received packet: from 192.168.10.10[4500] to 172.19.78.72[4500]
Jul 7 16:22:34 gateway-A charon: 06[NET] waiting for data on raw sockets
Jul 7 16:22:34 gateway-A charon: 08[NET] received packet: from 192.168.10.10[4500] to 172.19.78.72[4500]
Jul 7 16:22:34 gateway-A charon: 08[IKE] IKE_SA deleted
Jul 7 16:22:34 gateway-A charon: 08[IKE] queueing IKE_INIT task
Jul 7 16:22:34 gateway-A charon: 08[IKE] queueing IKE_NATD task
Jul 7 16:22:34 gateway-A charon: 08[IKE] queueing IKE_CERT_PRE task
Jul 7 16:22:34 gateway-A charon: 08[IKE] queueing IKE_AUTHENTICATE task
Jul 7 16:22:34 gateway-A charon: 08[IKE] queueing IKE_CERT_POST task
Jul 7 16:22:34 gateway-A charon: 08[IKE] queueing IKE_CONFIG task
Jul 7 16:22:34 gateway-A charon: 08[IKE] queueing IKE_AUTH_LIFETIME task
Jul 7 16:22:34 gateway-A charon: 08[IKE] queueing IKE_MOBIKE task
Jul 7 16:22:34 gateway-A charon: 08[IKE] queueing CHILD_CREATE task
Jul 7 16:22:34 gateway-A charon: 08[IKE] activating new tasks
Jul 7 16:22:34 gateway-A charon: 08[IKE] activating IKE_INIT task
Jul 7 16:22:34 gateway-A charon: 08[IKE] activating IKE_NATD task
Jul 7 16:22:34 gateway-A charon: 08[IKE] activating IKE_CERT_PRE task
Jul 7 16:22:34 gateway-A charon: 08[IKE] activating IKE_AUTHENTICATE task
Jul 7 16:22:35 gateway-A charon: 08[IKE] activating IKE_CERT_POST task
Jul 7 16:22:35 gateway-A charon: 08[IKE] activating IKE_CONFIG task
Jul 7 16:22:35 gateway-A charon: 08[IKE] activating CHILD_CREATE task
Jul 7 16:22:35 gateway-A charon: 08[IKE] activating IKE_AUTH_LIFETIME task
Jul 7 16:22:35 gateway-A charon: 08[IKE] activating IKE_MOBIKE task
Jul 7 16:22:35 gateway-A charon: 08[IKE] initiating IKE_SA Net-Net[2] to 192.168.10.10
Jul 7 16:22:35 gateway-A charon: 08[IKE] IKE_SA Net-Net[2] state change: CREATED => CONNECTING
Jul 7 16:22:35 gateway-A charon: 08[NET] sending packet: from 10.5.102.102[500] to 192.168.10.10[500]
Jul 7 16:22:35 gateway-A charon: 05[NET] sending packet: from 10.5.102.102[500] to 192.168.10.10[500]
Jul 7 16:22:35 gateway-A charon: 05[NET] error writing to socket: Operation not permitted
Jul 7 16:22:35 gateway-A charon: 08[IKE] queueing CHILD_CREATE task
Jul 7 16:22:35 gateway-A charon: 08[IKE] delaying task initiation, exchange in progress
Jul 7 16:22:35 gateway-A charon: 08[IKE] IKE_SA Net-Net[1] state change: DELETING => DESTROYING
Jul 7 16:22:39 gateway-A charon: 08[IKE] retransmit 1 of request with message ID 0
Jul 7 16:22:39 gateway-A charon: 08[NET] sending packet: from 10.5.102.102[500] to 192.168.10.10[500]
Jul 7 16:22:39 gateway-A charon: 05[NET] sending packet: from 10.5.102.102[500] to 192.168.10.10[500]
Jul 7 16:22:39 gateway-A charon: 05[NET] error writing to socket: Operation not permitted
Jul 7 16:22:46 gateway-A charon: 09[IKE] retransmit 2 of request with message ID 0
Jul 7 16:22:46 gateway-A charon: 09[NET] sending packet: from 10.5.102.102[500] to 192.168.10.10[500]
Jul 7 16:22:46 gateway-A charon: 05[NET] sending packet: from 10.5.102.102[500] to 192.168.10.10[500]
Jul 7 16:22:46 gateway-A charon: 05[NET] error writing to socket: Operation not permitted
Jul 7 16:22:59 gateway-A charon: 09[IKE] retransmit 3 of request with message ID 0
Jul 7 16:22:59 gateway-A charon: 09[NET] sending packet: from 10.5.102.102[500] to 192.168.10.10[500]
Jul 7 16:22:59 gateway-A charon: 05[NET] sending packet: from 10.5.102.102[500] to 192.168.10.10[500]
Jul 7 16:22:59 gateway-A charon: 05[NET] error writing to socket: Operation not permitted
Jul 7 16:23:22 gateway-A charon: 09[IKE] retransmit 4 of request with message ID 0
Jul 7 16:23:22 gateway-A charon: 09[NET] sending packet: from 10.5.102.102[500] to 192.168.10.10[500]
Jul 7 16:23:22 gateway-A charon: 05[NET] sending packet: from 10.5.102.102[500] to 192.168.10.10[500]
Jul 7 16:23:22 gateway-A charon: 05[NET] error writing to socket: Operation not permitted
Jul 7 16:24:04 gateway-A charon: 08[IKE] retransmit 5 of request with message ID 0
Jul 7 16:24:04 gateway-A charon: 08[NET] sending packet: from 10.5.102.102[500] to 192.168.10.10[500]
Jul 7 16:24:04 gateway-A charon: 05[NET] sending packet: from 10.5.102.102[500] to 192.168.10.10[500]
Jul 7 16:24:04 gateway-A charon: 05[NET] error writing to socket: Operation not permitted
Jul 7 16:24:42 gateway-A charon: 01[IKE] destroying IKE_SA in state CONNECTING without notification
Jul 7 16:24:42 gateway-A charon: 01[IKE] IKE_SA Net-Net[2] state change: CONNECTING => DESTROYING
Jul 7 16:24:44 gateway-A charon: 06[NET] waiting for data on raw sockets

Is this a known problem? Is there a setting I can use to correct this behaviour, or work around it? How does charon figure out which of the 2 links it uses to start the new IKE_SA?

Thanks in advance for your help.
Alexis.

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
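Added here as an illustration, not code from the post or from the strongSwan project: a small Python script that correlates the charon messages quoted above (the "deleting IKE_SA ... between LOCAL[...]...REMOTE[...]" line, the "initiating IKE_SA" line, the first "sending packet: from" line after it, and each "error writing to socket") so that a log like this one can be checked automatically for a re-authentication that was sent from a different local address than the IKE_SA it replaced. The regular expressions are written against the message text exactly as it appears in the quoted log, the function and class names are my own, and the sample input is a constructed subset of the lines above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Patterns for the charon messages the post relies on.  They match the message
# text as it appears in the quoted log; the syslog prefix and the "NN[IKE]" /
# "NN[NET]" thread tag are skipped by using search() instead of match().
DELETING_RE = re.compile(
    r"deleting IKE_SA (?P<name>[^\[]+)\[(?P<id>\d+)\] between "
    r"(?P<local>[0-9A-Fa-f.:]+)\[[^\]]*\]\.\.\.(?P<remote>[0-9A-Fa-f.:]+)\["
)
INITIATING_RE = re.compile(
    r"initiating IKE_SA (?P<name>[^\[]+)\[(?P<id>\d+)\] to (?P<remote>\S+)"
)
SENDING_RE = re.compile(
    r"sending packet: from (?P<src>[0-9A-Fa-f.:]+)\[\d+\] to (?P<dst>[0-9A-Fa-f.:]+)\[\d+\]"
)
SOCKET_ERR_RE = re.compile(r"error writing to socket: (?P<err>.+)$")


@dataclass
class IkeSa:
    name: str            # connection name, e.g. "Net-Net"
    unique_id: int       # the number in square brackets, e.g. 1 or 2
    local: Optional[str]  # local address charon sent from (None until seen)
    remote: str          # peer address


@dataclass
class ReauthReport:
    deleted: Optional[IkeSa] = None     # IKE_SA torn down by IKE_REAUTH
    initiated: Optional[IkeSa] = None   # replacement IKE_SA
    socket_errors: Dict[str, int] = field(default_factory=dict)  # by source address

    @property
    def source_changed(self) -> bool:
        """True when the replacement IKE_SA was sent from a different local
        address than the IKE_SA it replaces (the behaviour the post describes)."""
        return (self.deleted is not None and self.initiated is not None
                and self.initiated.local is not None
                and self.deleted.local != self.initiated.local)


def analyse_reauth(lines: List[str]) -> ReauthReport:
    """Walk charon log lines once and correlate the delete / initiate /
    send / socket-error messages of a re-authentication."""
    report = ReauthReport()
    last_src: Optional[str] = None  # source address of the last "sending packet"
    for line in lines:
        m = DELETING_RE.search(line)
        if m:
            report.deleted = IkeSa(m["name"], int(m["id"]), m["local"], m["remote"])
            continue
        m = INITIATING_RE.search(line)
        if m:
            # charon does not log the local address on this line; it only
            # becomes visible in the first "sending packet" of the new exchange.
            report.initiated = IkeSa(m["name"], int(m["id"]), None, m["remote"])
            continue
        m = SENDING_RE.search(line)
        if m:
            last_src = m["src"]
            if report.initiated is not None and report.initiated.local is None:
                report.initiated.local = last_src
            continue
        m = SOCKET_ERR_RE.search(line)
        if m and last_src is not None:
            # attribute the send failure to the source address just used
            report.socket_errors[last_src] = report.socket_errors.get(last_src, 0) + 1
    return report


def describe(report: ReauthReport) -> str:
    """One-line human-readable verdict for the report."""
    if report.deleted is None or report.initiated is None:
        return "no IKE_REAUTH delete/initiate pair found"
    verdict = "MISMATCH" if report.source_changed else "ok"
    return (f"{verdict}: {report.deleted.name}[{report.deleted.unique_id}] used "
            f"{report.deleted.local}, {report.initiated.name}[{report.initiated.unique_id}] "
            f"initiated from {report.initiated.local}; socket errors: {report.socket_errors}")


# Constructed sample input: a subset of the log lines quoted in the post above.
SAMPLE_LOG = [
    "Jul 7 16:22:34 gateway-A charon: 09[IKE] deleting IKE_SA Net-Net[1] between 172.19.78.72[gateway-A]...192.168.10.10[gateway-B]",
    "Jul 7 16:22:34 gateway-A charon: 09[NET] sending packet: from 172.19.78.72[4500] to 192.168.10.10[4500]",
    "Jul 7 16:22:34 gateway-A charon: 08[IKE] IKE_SA deleted",
    "Jul 7 16:22:35 gateway-A charon: 08[IKE] initiating IKE_SA Net-Net[2] to 192.168.10.10",
    "Jul 7 16:22:35 gateway-A charon: 08[NET] sending packet: from 10.5.102.102[500] to 192.168.10.10[500]",
    "Jul 7 16:22:35 gateway-A charon: 05[NET] sending packet: from 10.5.102.102[500] to 192.168.10.10[500]",
    "Jul 7 16:22:35 gateway-A charon: 05[NET] error writing to socket: Operation not permitted",
    "Jul 7 16:22:39 gateway-A charon: 08[IKE] retransmit 1 of request with message ID 0",
    "Jul 7 16:22:39 gateway-A charon: 08[NET] sending packet: from 10.5.102.102[500] to 192.168.10.10[500]",
    "Jul 7 16:22:39 gateway-A charon: 05[NET] sending packet: from 10.5.102.102[500] to 192.168.10.10[500]",
    "Jul 7 16:22:39 gateway-A charon: 05[NET] error writing to socket: Operation not permitted",
]

if __name__ == "__main__":
    print(describe(analyse_reauth(SAMPLE_LOG)))
```

On the quoted log this reports a MISMATCH: Net-Net[1] was using 172.19.78.72 when it was deleted, while Net-Net[2] was initiated from 10.5.102.102, and every send from that address failed with "Operation not permitted". Feeding the script the live charon log (for example the output of `journalctl -u strongswan` or the syslog file) gives the same check without reading the retransmit lines by hand.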