Hi,

We are using strongSwan 5.5.3 and the VICI Python library to program IPsec tunnels.

We use the load_conn/unload_conn APIs to configure/delete a tunnel in strongSwan, 
respectively.

This problem arises when we try to unload a tunnel which is in the CONNECTING 
state. On issuing unload_conn, the connection gets deleted (verified using 
swanctl --list-conns). But the SA continues to exist and charon retries to 
establish the tunnel (verified using swanctl --list-sas). Ideally we expect the SA 
to get deleted after the unload.

Please find attached the Python script that we used to simulate the problem. The 
destination used in the script (10.10.10.1) is not a reachable host, so the tunnel 
is in the CONNECTING state. In this state, after calling unload_conn, the 
connection gets deleted. But the SA exists.

Please suggest a way to overcome this problem.

Note:
1. We tried calling the terminate API before calling unload. Even that didn't help. 
We ended up with the same behaviour (can be seen from the attached logs 
(python_output.txt)).
2. This problem is not seen on tunnels which are in the ESTABLISHED state. 
unload_conn deletes the connection and the SAs properly.

Thanks
Vignesh

Attachment: load.py
Description: load.py

Apr 04 00:50:52   charon[920]: 08[CFG] added vici connection: vv
Apr 04 00:50:52   charon[920]: 08[CFG] initiating 'vv'
Apr 04 00:50:52   charon[920]: 08[IKE] initiating Aggressive Mode IKE_SA vv[1] to 10.10.10.1
Apr 04 00:50:52   charon[920]: 08[IKE] initiating Aggressive Mode IKE_SA vv[1] to 10.10.10.1
Apr 04 00:50:52   charon[920]: 08[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
Apr 04 00:50:52   charon[920]: 08[NET] sending packet: from 10.155.3.2[500] to 10.10.10.1[500] (368 bytes)
Apr 04 00:50:52   charon[920]: 04[NET] error writing to socket: Invalid argument
Apr 04 00:50:56   charon[920]: 13[IKE] sending retransmit 1 of request message ID 0, seq 1
Apr 04 00:50:56   charon[920]: 13[NET] sending packet: from 10.155.3.2[500] to 10.10.10.1[500] (368 bytes)
Apr 04 00:50:56   charon[920]: 04[NET] error writing to socket: Invalid argument
Apr 04 00:51:03   charon[920]: 07[IKE] sending retransmit 2 of request message ID 0, seq 1
Apr 04 00:51:03   charon[920]: 07[NET] sending packet: from 10.155.3.2[500] to 10.10.10.1[500] (368 bytes)
Apr 04 00:51:03   charon[920]: 04[NET] error writing to socket: Invalid argument
pod#strongswan start
Starting weakSwan 5.5.3 IPsec [starter]...
pod#>python2.7 load.py 
===================Load start =========================
List of conn after loading:
OrderedDict([(u'vv', OrderedDict([(u'local_addrs', ['10.155.3.2']), (u'remote_addrs', ['10.10.10.1']), (u'version', 'IKEv1'), (u'reauth_time', '0'), (u'rekey_time', '14400'), (u'unique', 'UNIQUE_NO'), (u'local-1', OrderedDict([(u'class', 'pre-shared key'), (u'id', 'priyank+site'), (u'groups', []), (u'certs', []), (u'cacerts', [])])), (u'remote-1', OrderedDict([(u'class', 'pre-shared key'), (u'id', '10.10.10.1'), (u'groups', []), (u'certs', []), (u'cacerts', [])])), (u'children', OrderedDict([(u'vv', OrderedDict([(u'mode', 'TUNNEL'), (u'rekey_time', '14400'), (u'rekey_bytes', '0'), (u'rekey_packets', '0'), (u'local-ts', ['dynamic']), (u'remote-ts', ['dynamic'])]))]))]))])
List of valid sas after loading:
OrderedDict([(u'vv', OrderedDict([(u'uniqueid', '1'), (u'version', '1'), (u'state', 'CONNECTING'), (u'local-host', '10.155.3.2'), (u'local-port', '500'), (u'local-id', 'priyank+site'), (u'remote-host', '10.10.10.1'), (u'remote-port', '500'), (u'remote-id', '%any'), (u'initiator', 'yes'), (u'initiator-spi', '7cd4247ef787618d'), (u'responder-spi', '0000000000000000'), (u'tasks-queued', ['QUICK_MODE']), (u'tasks-active', ['ISAKMP_VENDOR', 'ISAKMP_CERT_PRE', 'AGGRESSIVE_MODE', 'ISAKMP_CERT_POST', 'ISAKMP_NATD']), (u'child-sas', OrderedDict())]))])
===================Load end ===========================
===================Terminate Start =============================
List of conn after unload:
List of sas after unload:
OrderedDict([(u'vv', OrderedDict([(u'uniqueid', '1'), (u'version', '1'), (u'state', 'CONNECTING'), (u'local-host', '10.155.3.2'), (u'local-port', '500'), (u'local-id', 'priyank+site'), (u'remote-host', '10.10.10.1'), (u'remote-port', '500'), (u'remote-id', '%any'), (u'initiator', 'yes'), (u'initiator-spi', '7cd4247ef787618d'), (u'responder-spi', '0000000000000000'), (u'tasks-queued', ['QUICK_MODE']), (u'tasks-active', ['ISAKMP_VENDOR', 'ISAKMP_CERT_PRE', 'AGGRESSIVE_MODE', 'ISAKMP_CERT_POST', 'ISAKMP_NATD']), (u'child-sas', OrderedDict())]))])
===================Terminate End =============================
