Hi all, I'm using strongSwan to do IKEv2 MOBIKE. The ipsec.conf is

    config setup
        strictcrlpolicy=no
        # charonstart=yes
        # plutostart=no

    conn %default
        ikelifetime=28800s
        keylife=28800s
        rekeymargin=3m
        keyingtries=3
        keyexchange=ikev2
        ike=3des-sha1-modp1024
        esp=3des-sha1

    conn client
        #left=%any
        #left=%defaultroute
        left=12.12.1.201
        leftsourceip=%config
        leftcert=client1_cert.pem
        leftid="/C=CN/ST=SH/O=SNWL/CN=IKEv2_Client1"
        right=11.11.11.200
        rightid="/C=CN/ST=SH/O=SNWL/CN=11.11.11.200"
        rightsubnet=192.168.168.0/24
        auto=add

The left side is a CentOS 5.9 PC; the right side is a SonicWall box which supports IKEv2 MOBIKE. The PC has two interfaces: eth1 IP is 12.12.1.201, eth2 IP is 12.12.2.202. The SonicWall box WAN IP is 11.11.11.200.

First, PC eth1 connects to the SonicWall box and gets a dynamic IP address from the SonicWall box, 172.16.1.20; ping to the right subnet 192.168.168.2 passes. The ipsec status is

    Security Associations (1 up, 0 connecting):
      client[8]: ESTABLISHED 31 seconds ago, 12.12.1.201[C=CN, ST=SH, O=SNWL, CN=IKEv2_Client1]...11.11.11.200[C=CN, ST=SH, O=SNWL, CN=11.11.11.200]
      client{8}: INSTALLED, TUNNEL, ESP SPIs: c6fd4979_i c183bc8c_o
      client{8}: 172.16.1.20/32 === 192.168.168.0/24

Then I ifconfig eth1 down and ifup eth2; the detailed commands are

    ifup eth2
    route add -net 11.11.11.0 netmask 255.255.255.0 gw 12.12.2.101
    ifconfig eth1 down

Then I check ipsec status:

    Security Associations (1 up, 0 connecting):
      client[12]: ESTABLISHED 8 minutes ago, 12.12.2.202[C=CN, ST=SH, O=SNWL, CN=IKEv2_Client1]...11.11.11.200[C=CN, ST=SH, O=SNWL, CN=11.11.11.200]
      client{12}: INSTALLED, TUNNEL, ESP SPIs: c84ed7a1_i 0dbbeb51_o
      client{12}: 172.16.1.20/32 === 192.168.168.0/24

The left side IP has changed from 12.12.1.201 to 12.12.2.202. But ping to the right subnet 192.168.168.2 fails. I don't know why ping to the right subnet fails; it should pass. The charon log is below.

There is a log line I have marked in red. Is this error the cause of the ping failure?

    error uninstalling route installed with policy 192.168.168.0/24 === 172.16.1.20/32 fwd

    Aug 21 18:29:39 03[IKE] initiating IKE_SA client[12] to 11.11.11.200
    Aug 21 18:29:39 03[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
    Aug 21 18:29:39 03[NET] sending packet: from 12.12.1.201[500] to 11.11.11.200[500] (536 bytes)
    Aug 21 18:29:39 02[NET] received packet: from 11.11.11.200[500] to 12.12.1.201[500] (337 bytes)
    Aug 21 18:29:39 02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ N(NATD_S_IP) N(NATD_D_IP) V ]
    Aug 21 18:29:39 02[ENC] received unknown vendor ID: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96:6f:00:01
    Aug 21 18:29:39 02[IKE] received cert request for "C=CN, ST=SH, O=SNWL, CN=ROOTCA"
    Aug 21 18:29:39 02[IKE] sending cert request for "C=CN, ST=SH, O=SNWL, CN=ROOTCA"
    Aug 21 18:29:39 02[IKE] authentication of 'C=CN, ST=SH, O=SNWL, CN=IKEv2_Client1' (myself) with RSA signature successful
    Aug 21 18:29:39 02[IKE] sending end entity cert "C=CN, ST=SH, O=SNWL, CN=IKEv2_Client1"
    Aug 21 18:29:39 02[IKE] establishing CHILD_SA client
    Aug 21 18:29:39 02[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
    Aug 21 18:29:39 02[NET] sending packet: from 12.12.1.201[4500] to 11.11.11.200[4500] (1188 bytes)
    Aug 21 18:29:39 10[NET] received packet: from 11.11.11.200[4500] to 12.12.1.201[4500] (988 bytes)
    Aug 21 18:29:39 10[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) ]
    Aug 21 18:29:39 10[IKE] received end entity cert "C=CN, ST=SH, O=SNWL, CN=11.11.11.200"
    Aug 21 18:29:39 10[CFG] using certificate "C=CN, ST=SH, O=SNWL, CN=11.11.11.200"
    Aug 21 18:29:39 10[CFG] using trusted ca certificate "C=CN, ST=SH, O=SNWL, CN=ROOTCA"
    Aug 21 18:29:39 10[CFG] checking certificate status of "C=CN, ST=SH, O=SNWL, CN=11.11.11.200"
    Aug 21 18:29:39 10[CFG] certificate status is not available
    Aug 21 18:29:39 10[CFG] reached self-signed root ca with a path length of 0
    Aug 21 18:29:39 10[IKE] authentication of 'C=CN, ST=SH, O=SNWL, CN=11.11.11.200' with RSA signature successful
    Aug 21 18:29:39 10[IKE] IKE_SA client[12] established between 12.12.1.201[C=CN, ST=SH, O=SNWL, CN=IKEv2_Client1]...11.11.11.200[C=CN, ST=SH, O=SNWL, CN=11.11.11.200]
    Aug 21 18:29:39 10[IKE] scheduling reauthentication in 28502s
    Aug 21 18:29:39 10[IKE] maximum IKE_SA lifetime 28682s
    Aug 21 18:29:39 10[IKE] installing DNS server 11.11.11.111 to /etc/resolv.conf
    Aug 21 18:29:39 10[IKE] installing new virtual IP 172.16.1.20
    Aug 21 18:29:39 10[IKE] CHILD_SA client{12} established with SPIs c84ed7a1_i 0dbbeb51_o and TS 172.16.1.20/32 === 192.168.168.0/24
    Aug 21 18:29:39 10[IKE] peer supports MOBIKE
    Aug 21 18:29:56 07[KNL] interface eth2 activated
    Aug 21 18:29:56 04[IKE] sending address list update using MOBIKE
    Aug 21 18:29:56 04[ENC] generating INFORMATIONAL request 2 [ N(ADD_4_ADDR) ]
    Aug 21 18:29:56 04[NET] sending packet: from 12.12.1.201[4500] to 11.11.11.200[4500] (68 bytes)
    Aug 21 18:29:56 11[NET] received packet: from 11.11.11.200[4500] to 12.12.1.201[4500] (60 bytes)
    Aug 21 18:29:56 11[ENC] parsed INFORMATIONAL response 2 [ ]
    Aug 21 18:29:57 08[KNL] 12.12.2.202 appeared on eth2
    Aug 21 18:29:57 02[IKE] sending address list update using MOBIKE
    Aug 21 18:29:57 02[ENC] generating INFORMATIONAL request 3 [ N(ADD_4_ADDR) N(ADD_4_ADDR) ]
    Aug 21 18:29:57 02[NET] sending packet: from 12.12.1.201[4500] to 11.11.11.200[4500] (84 bytes)
    Aug 21 18:29:57 05[NET] received packet: from 11.11.11.200[4500] to 12.12.1.201[4500] (60 bytes)
    Aug 21 18:29:57 05[ENC] parsed INFORMATIONAL response 3 [ ]
    Aug 21 18:30:19 09[KNL] interface eth1 deactivated
    Aug 21 18:30:19 06[IKE] old path is not available anymore, try to find another
    Aug 21 18:30:19 06[IKE] looking for a route to 11.11.11.200 ...
    Aug 21 18:30:19 06[IKE] requesting address change using MOBIKE
    Aug 21 18:30:19 06[ENC] generating INFORMATIONAL request 4 [ ]
    Aug 21 18:30:19 06[IKE] checking path 12.12.2.202[4500] - 11.11.11.200[4500]
    Aug 21 18:30:19 06[NET] sending packet: from 12.12.2.202[4500] to 11.11.11.200[4500] (60 bytes)
    Aug 21 18:30:19 05[NET] received packet: from 11.11.11.200[4500] to 12.12.2.202[4500] (60 bytes)
    Aug 21 18:30:19 05[ENC] parsed INFORMATIONAL response 4 [ ]
    Aug 21 18:30:19 05[KNL] unable to copy replay state from old SAD entry with SPI c84ed7a1
    Aug 21 18:30:19 05[KNL] unable to copy replay state from old SAD entry with SPI 0dbbeb51
    Aug 21 18:30:19 05[KNL] error uninstalling route installed with policy 192.168.168.0/24 === 172.16.1.20/32 fwd
    Aug 21 18:30:19 05[NET] sending packet: from 12.12.2.202[4500] to 11.11.11.200[4500] (156 bytes)
    Aug 21 18:30:19 09[NET] received packet: from 11.11.11.200[4500] to 12.12.2.202[4500] (140 bytes)
    Aug 21 18:30:19 09[ENC] parsed INFORMATIONAL response 5 [ N(NATD_S_IP) N(NATD_D_IP) N(COOKIE2) ]

Thanks
Amy
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
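A small triage helper for charon logs of the kind quoted in the post above. This is an added example, not part of Amy's message and not strongSwan's own code: it parses the `Mon DD HH:MM:SS NN[SUB] message` line layout, locates the point where the IKE_SA's local address changed through MOBIKE (a "checking path" line whose source differs from the last "sending packet: from" source) and lists the kernel-interface (KNL) errors logged after that point, so a route or SAD problem can be lined up against the moment of the switch. The sample log is a subset of the lines from the post; the regular expressions, function names and the "error/unable" prefix heuristic are my own assumptions about the log format, and the helper reports what the log says without deciding whether the route-uninstall error caused the ping failure.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Layout of one charon log line: "Aug 21 18:30:19 05[KNL] message ..." (assumed)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<thread>\d{2})\[(?P<sub>[A-Z]{3})\] (?P<msg>.*)$"
)
SEND_RE = re.compile(r"sending packet: from (?P<src>[\d.]+)\[\d+\] to (?P<dst>[\d.]+)\[\d+\]")
PATH_RE = re.compile(r"checking path (?P<src>[\d.]+)\[\d+\] - (?P<dst>[\d.]+)\[\d+\]")


@dataclass
class Entry:
    ts: str
    thread: str
    subsystem: str
    msg: str


def parse_charon_log(text: str) -> List[Entry]:
    """Parse log text into entries, silently skipping lines that do not match the layout."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["ts"], m["thread"], m["sub"], m["msg"]))
    return entries


def peer_supports_mobike(entries: List[Entry]) -> bool:
    return any(e.subsystem == "IKE" and e.msg == "peer supports MOBIKE" for e in entries)


def mobike_path_changes(entries: List[Entry]) -> List[Tuple[str, str, int]]:
    """Return (old_local, new_local, index) for each MOBIKE path check that moved to a new local address."""
    changes = []
    last_src: Optional[str] = None
    for i, e in enumerate(entries):
        if e.subsystem == "NET":
            m = SEND_RE.search(e.msg)
            if m:
                last_src = m["src"]
        elif e.subsystem == "IKE":
            m = PATH_RE.search(e.msg)
            if m and last_src and m["src"] != last_src:
                changes.append((last_src, m["src"], i))
    return changes


def kernel_errors_after(entries: List[Entry], start: int) -> List[str]:
    """KNL messages after index `start` that look like failures (prefix heuristic, assumed)."""
    return [
        e.msg for e in entries[start:]
        if e.subsystem == "KNL" and (e.msg.startswith("error") or e.msg.startswith("unable"))
    ]


def triage(text: str) -> dict:
    entries = parse_charon_log(text)
    changes = mobike_path_changes(entries)
    report = {
        "entries": len(entries),
        "mobike": peer_supports_mobike(entries),
        "path_changes": [(old, new) for old, new, _ in changes],
        "kernel_errors": [],
    }
    if changes:
        report["kernel_errors"] = kernel_errors_after(entries, changes[-1][2])
    return report


# Sample input: a subset of the charon lines quoted in the post.
SAMPLE_LOG = """
Aug 21 18:29:39 03[IKE] initiating IKE_SA client[12] to 11.11.11.200
Aug 21 18:29:39 03[NET] sending packet: from 12.12.1.201[500] to 11.11.11.200[500] (536 bytes)
Aug 21 18:29:39 10[IKE] CHILD_SA client{12} established with SPIs c84ed7a1_i 0dbbeb51_o and TS 172.16.1.20/32 === 192.168.168.0/24
Aug 21 18:29:39 10[IKE] peer supports MOBIKE
Aug 21 18:29:56 07[KNL] interface eth2 activated
Aug 21 18:29:56 04[IKE] sending address list update using MOBIKE
Aug 21 18:29:57 02[NET] sending packet: from 12.12.1.201[4500] to 11.11.11.200[4500] (84 bytes)
Aug 21 18:30:19 09[KNL] interface eth1 deactivated
Aug 21 18:30:19 06[IKE] old path is not available anymore, try to find another
Aug 21 18:30:19 06[IKE] requesting address change using MOBIKE
Aug 21 18:30:19 06[IKE] checking path 12.12.2.202[4500] - 11.11.11.200[4500]
Aug 21 18:30:19 06[NET] sending packet: from 12.12.2.202[4500] to 11.11.11.200[4500] (60 bytes)
Aug 21 18:30:19 05[KNL] unable to copy replay state from old SAD entry with SPI c84ed7a1
Aug 21 18:30:19 05[KNL] unable to copy replay state from old SAD entry with SPI 0dbbeb51
Aug 21 18:30:19 05[KNL] error uninstalling route installed with policy 192.168.168.0/24 === 172.16.1.20/32 fwd
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a full log (for example the output of `ipsec statusall` is not enough here; this wants the charon log lines themselves), the report shows whether the peer advertised MOBIKE, which local addresses the IKE_SA moved between, and which kernel-level messages followed the move. Comparing that list with `ip route show table 220` and `ip xfrm policy` on the client after the switch is the natural next step when checking whether traffic to the remote subnet still has a route and a matching policy.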
