Dear all, I'm testing strongswan-5.7.1 on a Linux Ubuntu-16.04 server to support GRE-over-IPSEC tunnels with remote peers, the public address of which may change from time to time. I thus use 'dynamic[gre]' traffic selector and transport mode tunnels. When the remote peer address changes, strongswan correctly processes the XFRM_MSG_MAPPING message, and updates the xfrm SA and SP in the Linux kernel, except the traffic selector. This results in XfrmInStateMismatch errors when receiving packets from the remote peers. I've attached the swanctl.conf and the charon logs.
Is it a known issue? Or did I miss something? Before changing the remote peer address, remote address is 2.2.2.254 root@ubuntu-xenial:/ivoctl/vagrant# swanctl -l dc_lan2: #1, ESTABLISHED, IKEv2, 17f7b73e0a357e0d_i 2136e2e04936ce5e_r* local 'dc' @ 192.168.2.1[4500] remote 'lan2' @ 2.2.2.254[4500] AES_GCM_16-256/PRF_HMAC_SHA2_384/ECP_384 established 439s ago lan2_dc: #1, reqid 1, INSTALLED, TRANSPORT-in-UDP, ESP:AES_GCM_16-256 installed 439s ago in c5dd4c0b, 38544 bytes, 438 packets, 0s ago out c4361bc0, 38544 bytes, 438 packets, 0s ago local 192.168.2.1/32[gre] remote 2.2.2.254/32[gre] root@ubuntu-xenial:/ivoctl/vagrant# ip -s x s l src 192.168.2.1 dst 2.2.2.254 proto esp spi 0xc4361bc0(3291880384) reqid 1(0x00000001) mode transport replay-window 0 seq 0x00000000 flag (0x00000000) aead rfc4106(gcm(aes)) 0x2db3e71cf4ee4d1600ff0b173b2480573b1ad30a3c3b8bd4b47f2d7cbb7fbfb5c41e3e6d (288 bits) 128 encap type espinudp sport 4500 dport 4500 addr 0.0.0.0 anti-replay context: seq 0x0, oseq 0x1be, bitmap 0x00000000 sel src 192.168.2.1/32 dst 2.2.2.254/32 uid 0 lifetime config: limit: soft (INF)(bytes), hard (INF)(bytes) limit: soft (INF)(packets), hard (INF)(packets) expire add: soft 0(sec), hard 0(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 39248(bytes), 446(packets) add 2018-10-31 13:31:09 use 2018-10-31 13:31:10 stats: replay-window 0 replay 0 failed 0 src 2.2.2.254 dst 192.168.2.1 proto esp spi 0xc5dd4c0b(3319614475) reqid 1(0x00000001) mode transport replay-window 0 seq 0x00000000 flag (0x00000000) aead rfc4106(gcm(aes)) 0x66973d4ffe9290d89a4e5ad49c820daf586d4e4a8d745d81ef77f13177620036614c6da3 (288 bits) 128 encap type espinudp sport 4500 dport 4500 addr 0.0.0.0 anti-replay esn context: seq-hi 0x0, seq 0x1be, oseq-hi 0x0, oseq 0x0 replay_window 128, bitmap-length 4 ffffffff ffffffff ffffffff ffffffff sel src 2.2.2.254/32 dst 192.168.2.1/32 uid 0 lifetime config: limit: soft (INF)(bytes), hard (INF)(bytes) limit: soft (INF)(packets), hard (INF)(packets) expire add: soft 0(sec), hard 0(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 39248(bytes), 446(packets) add 2018-10-31 13:31:09 use 2018-10-31 13:31:10 stats: replay-window 0 replay 0 failed 0 After changing the address from 2.2.2.254 to 2.2.2.222, everything is updated, except the SA selector: root@ubuntu-xenial:/ivoctl/vagrant# swanctl -l dc_lan2: #1, ESTABLISHED, IKEv2, 17f7b73e0a357e0d_i 2136e2e04936ce5e_r* local 'dc' @ 192.168.2.1[4500] remote 'lan2' @ 2.2.2.222[4500] AES_GCM_16-256/PRF_HMAC_SHA2_384/ECP_384 established 529s ago lan2_dc: #1, reqid 1, INSTALLED, TRANSPORT-in-UDP, ESP:AES_GCM_16-256 installed 529s ago in c5dd4c0b, 45848 bytes, 521 packets, 58s ago out c4361bc0, 42504 bytes, 483 packets, 38s ago local 192.168.2.1/32[gre] remote 2.2.2.222/32[gre] root@ubuntu-xenial:/ivoctl/vagrant# ip -s x s l src 192.168.2.1 dst 2.2.2.222 proto esp spi 0xc4361bc0(3291880384) reqid 1(0x00000001) mode transport replay-window 0 seq 0x00000000 flag (0x00000000) aead rfc4106(gcm(aes)) 0x2db3e71cf4ee4d1600ff0b173b2480573b1ad30a3c3b8bd4b47f2d7cbb7fbfb5c41e3e6d (288 bits) 128 encap type espinudp sport 4500 dport 4500 addr 0.0.0.0 anti-replay context: seq 0x0, oseq 0x1e3, bitmap 0x00000000 *sel src 192.168.2.1/32 <http://192.168.2.1/32> dst 2.2.2.254/32 <http://2.2.2.254/32> uid 0* lifetime config: limit: soft (INF)(bytes), hard (INF)(bytes) limit: soft (INF)(packets), hard (INF)(packets) expire add: soft 0(sec), hard 0(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 42504(bytes), 483(packets) add 2018-10-31 13:31:09 use 2018-10-31 13:31:10 stats: replay-window 0 replay 0 failed 0 src 2.2.2.222 dst 192.168.2.1 proto esp spi 0xc5dd4c0b(3319614475) reqid 1(0x00000001) mode transport replay-window 0 seq 0x00000010 flag (0x00000000) aead rfc4106(gcm(aes)) 0x66973d4ffe9290d89a4e5ad49c820daf586d4e4a8d745d81ef77f13177620036614c6da3 (288 bits) 128 encap type espinudp sport 4500 dport 4500 addr 0.0.0.0 anti-replay esn context: seq-hi 0x0, seq 0x210, oseq-hi 0x0, oseq 0x0 replay_window 128, bitmap-length 4 ffffffff ffffffff ffffffff ffffffff *sel src 2.2.2.254/32 <http://2.2.2.254/32> dst 192.168.2.1/32 <http://192.168.2.1/32> uid 0* lifetime config: limit: soft (INF)(bytes), hard (INF)(bytes) limit: soft (INF)(packets), hard (INF)(packets) expire add: soft 0(sec), hard 0(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 46464(bytes), 528(packets) add 2018-10-31 13:31:09 use 2018-10-31 13:31:10 stats: replay-window 0 replay 0 failed 0 Best regards, Fred.
charon.log
Description: Binary data
swanctl.conf
Description: Binary data