On Sat, 2015-03-07 at 21:52 +0000, Tormod Macleod wrote:
> Hello,
>  
> I'm getting the above error when rekeying. I think it might be related to 
> issue #431? I've tried the workaround of setting reauth=no but this did not 
> resolve the issue. I have only started running into this since we started 
> using more than one subnet in the left side of the connection.
>  
> If no traffic goes between 10.130.0.0/16 === 192.168.0.0/16 and that tunnel 
> is never brought up the other tunnel will remain up and rekey without any 
> problem. However, as soon as traffic goes between 10.130.0.0/16 === 
> 192.168.0.0/16 the next rekey fails and both tunnels are brought down. If I 
> wait a few seconds and then send traffic from the right the tunnel(s) will 
> come back up but traffic from the left never re-establishes either tunnel. 
> Here's the log

>           leftsubnet=10.176.0.0/13,10.130.0.0/16
>           leftid=1.1.1.1
>           leftfirewall=yes
>           right=2.2.2.2
>           rightsubnet=192.168.0.0/16
>           rightid=2.2.2.2
>           auto=start
>           ike=aes128-md5-modp1536
>           esp=aes128-sha1
>           reauth=no
> 
>  
> Here's the log entry from the device on the right (Cisco ASA 9.1(3))
>  
> Mar  4 17:01:19 [10.1.1.12.2.2] Mar 04 2015 17:01:19 Iona-VPN-FW : 
> %ASA-4-113019: Group = 1.1.1.1, Username = 1.1.1.1, IP = 1.1.1.1, Session 
> disconnected. Session Type: LAN-to-LAN, Duration: 0h:58m:34s, Bytes xmt: 
> 2479, Bytes rcv: 5233, Reason: Lost Service
>  
> This is the status just prior to rekeying
>  
> Wed Mar  4 16:58:12 GMT 2015
> Status of IKE charon daemon (strongSwan 5.2.2, Linux 
> 2.6.32-504.8.1.el6.x86_64, x86_64):
>   uptime: 55 minutes, since Mar 04 16:02:59 2015
>   malloc: sbrk 270336, mmap 0, used 215968, free 54368
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, 
> scheduled: 3
>   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 
> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem 
> fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown 
> xauth-generic unity
> Listening IP addresses:
>   10.180.0.12
> Connections:
>  Iona-VPN-FW:  10.180.0.12...2.2.2.2  IKEv2
>  Iona-VPN-FW:   local:  [1.1.1.1] uses pre-shared key authentication
>  Iona-VPN-FW:   remote: [2.2.2.2] uses pre-shared key authentication
>  Iona-VPN-FW:   child:  10.176.0.0/13 10.130.0.0/16 === 192.168.0.0/16 TUNNEL
> Security Associations (1 up, 0 connecting):
>  Iona-VPN-FW[1]: ESTABLISHED 55 minutes ago, 
> 10.180.0.12[1.1.1.1]...2.2.2.2[2.2.2.2]
>  Iona-VPN-FW[1]: IKEv2 SPIs: 550d0c34bc66ce4e_i* da285a283fb7a4d1_r, rekeying 
> in 23 hours
>  Iona-VPN-FW[1]: IKE proposal: AES_CBC_128/HMAC_MD5_96/PRF_HMAC_SHA1/MODP_1536
>  Iona-VPN-FW{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: ccb6a085_i ad93852a_o
>  Iona-VPN-FW{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 360 bytes_o (9 pkts, 
> 2965s ago), rekeying in 33 seconds
>  Iona-VPN-FW{1}:   10.176.0.0/13 === 192.168.0.0/16
>  Iona-VPN-FW{2}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c01ce92f_i 0a7d4641_o
>  Iona-VPN-FW{2}:  AES_CBC_128/HMAC_SHA1_96, 2479 bytes_i (17 pkts, 3272s 
> ago), 4873 bytes_o (15 pkts, 3272s ago), rekeying in 2 seconds
>  Iona-VPN-FW{2}:   10.130.0.0/16 === 192.168.0.0/16
>  
> Shortly afterwards it's like this
>  
> Wed Mar  4 16:58:42 GMT 2015
> Status of IKE charon daemon (strongSwan 5.2.2, Linux 
> 2.6.32-504.8.1.el6.x86_64, x86_64):
>   uptime: 55 minutes, since Mar 04 16:02:58 2015
>   malloc: sbrk 270336, mmap 0, used 216192, free 54144
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, 
> scheduled: 4
>   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 
> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem 
> fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke 
> updown xauth-generic unity
> Listening IP addresses:
>   10.180.0.12
> Connections:
>  Iona-VPN-FW:  10.180.0.12...2.2.2.2  IKEv2
>  Iona-VPN-FW:   local:  [1.1.1.1] uses pre-shared key authentication
>  Iona-VPN-FW:   remote: [2.2.2.2] uses pre-shared key authentication
>  Iona-VPN-FW:   child:  10.176.0.0/13 10.130.0.0/16 === 192.168.0.0/16 TUNNEL
> Security Associations (1 up, 0 connecting):
>  Iona-VPN-FW[1]: ESTABLISHED 55 minutes ago, 
> 10.180.0.12[1.1.1.1]...2.2.2.2[2.2.2.2]
>  Iona-VPN-FW[1]: IKEv2 SPIs: 550d0c34bc66ce4e_i* da285a283fb7a4d1_r, rekeying 
> in 22 hours
>  Iona-VPN-FW[1]: IKE proposal: AES_CBC_128/HMAC_MD5_96/PRF_HMAC_SHA1/MODP_1536
>  Iona-VPN-FW[1]: Tasks queued: CHILD_REKEY
>  Iona-VPN-FW[1]: Tasks active: CHILD_REKEY
>  Iona-VPN-FW{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: ccb6a085_i ad93852a_o
>  Iona-VPN-FW{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 360 bytes_o (9 pkts, 
> 2996s ago), rekeying in 2 seconds
>  Iona-VPN-FW{1}:   10.176.0.0/13 === 192.168.0.0/16
>  Iona-VPN-FW{2}:  REKEYING, TUNNEL, expires in 4 minutes
>  Iona-VPN-FW{2}:   10.130.0.0/16 === 192.168.0.0/16
> 
>  
> This is the status immediately before the tunnel is torn down
>  
> Wed Mar  4 17:00:59 GMT 2015
> Status of IKE charon daemon (strongSwan 5.2.2, Linux 
> 2.6.32-504.8.1.el6.x86_64, x86_64):
>   uptime: 58 minutes, since Mar 04 16:02:59 2015
>   malloc: sbrk 270336, mmap 0, used 215968, free 54368
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, 
> scheduled: 4
>   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 
> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem 
> fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown 
> xauth-generic unity
> Listening IP addresses:
>   10.180.0.12
> Connections:
>  Iona-VPN-FW:  10.180.0.12...2.2.2.2  IKEv2
>  Iona-VPN-FW:   local:  [1.1.1.1] uses pre-shared key authentication
>  Iona-VPN-FW:   remote: [2.2.2.2] uses pre-shared key authentication
>  Iona-VPN-FW:   child:  10.176.0.0/13 10.130.0.0/16 === 192.168.0.0/16 TUNNEL
> Security Associations (1 up, 0 connecting):
>  Iona-VPN-FW[1]: ESTABLISHED 58 minutes ago, 
> 10.180.0.12[1.1.1.1]...2.2.2.2[2.2.2.2]
>  Iona-VPN-FW[1]: IKEv2 SPIs: 550d0c34bc66ce4e_i* da285a283fb7a4d1_r, rekeying 
> in 22 hours
>  Iona-VPN-FW[1]: IKE proposal: AES_CBC_128/HMAC_MD5_96/PRF_HMAC_SHA1/MODP_1536
>  Iona-VPN-FW[1]: Tasks queued: CHILD_REKEY CHILD_REKEY CHILD_REKEY
>  Iona-VPN-FW[1]: Tasks active: CHILD_REKEY
>  Iona-VPN-FW{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: ccb6a085_i ad93852a_o
>  Iona-VPN-FW{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 360 bytes_o (9 pkts, 
> 3133s ago), rekeying active
>  Iona-VPN-FW{1}:   10.176.0.0/13 === 192.168.0.0/16
>  Iona-VPN-FW{2}:  REKEYING, TUNNEL, expires in 2 minutes
>  Iona-VPN-FW{2}:   10.130.0.0/16 === 192.168.0.0/16
> 
>  
> And seconds later once it has been torn down
>  
> Wed Mar  4 17:00:59 GMT 2015
> Status of IKE charon daemon (strongSwan 5.2.2, Linux 
> 2.6.32-504.8.1.el6.x86_64, x86_64):
>   uptime: 58 minutes, since Mar 04 16:02:58 2015
>   malloc: sbrk 270336, mmap 0, used 208768, free 61568
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, 
> scheduled: 3
>   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 
> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem 
> fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke 
> updown xauth-generic unity
> Listening IP addresses:
>   10.180.0.12
> Connections:
>  Iona-VPN-FW:  10.180.0.12...2.2.2.2  IKEv2
>  Iona-VPN-FW:   local:  [1.1.1.1] uses pre-shared key authentication
>  Iona-VPN-FW:   remote: [2.2.2.2] uses pre-shared key authentication
>  Iona-VPN-FW:   child:  10.176.0.0/13 10.130.0.0/16 === 192.168.0.0/16 TUNNEL
> Security Associations (0 up, 0 connecting):
>   none
>  
> Feedback welcome.
>  
> 
> Tormod
>  
> _______________________________________________
> Users mailing list
> Users@lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
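As an added illustration (not part of the original message or of strongSwan itself), a small Python monitor that parses the `ipsec statusall` excerpts quoted above and flags the symptom they show: CHILD_REKEY tasks queuing up behind an active one on the IKE_SA while a CHILD_SA sits in REKEYING until it expires. The sample status text is constructed from the quoted output; the CHILD_SA state names are charon's, and the threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the statusall output quoted in the message
# (only the IKE_SA task lines and the CHILD_SA lines are kept).
SAMPLE_STATUS = """\
 Iona-VPN-FW[1]: ESTABLISHED 58 minutes ago, 10.180.0.12[1.1.1.1]...2.2.2.2[2.2.2.2]
 Iona-VPN-FW[1]: Tasks queued: CHILD_REKEY CHILD_REKEY CHILD_REKEY
 Iona-VPN-FW[1]: Tasks active: CHILD_REKEY
 Iona-VPN-FW{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: ccb6a085_i ad93852a_o
 Iona-VPN-FW{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 360 bytes_o (9 pkts, 3133s ago), rekeying active
 Iona-VPN-FW{1}:   10.176.0.0/13 === 192.168.0.0/16
 Iona-VPN-FW{2}:  REKEYING, TUNNEL, expires in 2 minutes
 Iona-VPN-FW{2}:   10.130.0.0/16 === 192.168.0.0/16
"""

IKE_TASKS_RE = re.compile(r"^\s*(?P<conn>\S+)\[(?P<id>\d+)\]: Tasks (?P<kind>queued|active): (?P<tasks>.*)$")
CHILD_RE = re.compile(r"^\s*(?P<conn>\S+)\{(?P<id>\d+)\}:\s+(?P<rest>.*)$")
# CHILD_SA states as printed by charon's stroke status output.
CHILD_STATES = {"CREATED", "ROUTED", "INSTALLING", "INSTALLED", "UPDATING",
                "REKEYING", "REKEYED", "DELETING", "DESTROYING"}

def parse_status(text):
    """Return (ike_tasks, children): per-IKE_SA task lists and per-CHILD_SA state/TS."""
    ike = defaultdict(lambda: {"queued": [], "active": []})
    children = defaultdict(lambda: {"state": None, "rekeying": None, "ts": None})
    for line in text.splitlines():
        m = IKE_TASKS_RE.match(line)
        if m:
            ike[int(m["id"])][m["kind"]] = m["tasks"].split()
            continue
        m = CHILD_RE.match(line)
        if not m:
            continue
        cid, rest = int(m["id"]), m["rest"].strip()
        first = rest.split(",")[0]
        if " === " in rest:                      # traffic selector line
            children[cid]["ts"] = rest
        elif first in CHILD_STATES:              # state line: INSTALLED, REKEYING, ...
            children[cid]["state"] = first
        elif "rekeying" in rest:                 # algorithm/byte-count line with rekey timer
            children[cid]["rekeying"] = rest[rest.index("rekeying"):]
    return dict(ike), dict(children)

def rekey_backlog(ike, children, max_queued=0):
    """Flag rekeys that are piling up instead of completing (threshold is an assumption)."""
    findings = []
    for iid, tasks in ike.items():
        n = tasks["queued"].count("CHILD_REKEY")
        if n > max_queued:
            findings.append(f"IKE_SA[{iid}]: {n} CHILD_REKEY task(s) queued behind an active one")
    for cid, c in children.items():
        if c["state"] == "REKEYING":
            findings.append(f"CHILD_SA{{{cid}}} {c['ts']}: still REKEYING, expires if the rekey never completes")
    return findings
```

Feed it the live output of `ipsec statusall` from cron and alert on a non-empty result to catch the backlog before the CHILD_SA expires.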

