Alright, found it.

Please verify that it's the actual ipsec.conf that is loaded because there also 
aren't any errors regarding config files logged.
What happens when you run "ipsec update" or "ipsec reload" from the terminal?

Kind regards
Noel

On 12.05.21 at 01:09, Noel Kuntze wrote:
Okay, what's your complete ipsec.conf? Can you send it?

Kind regards
Noel

On 12.05.21 at 00:54, Karuna Sagar Krishna wrote:
Attaching full charon logs.

Can you help with the ipsec.conf interface? I plan to switch to swanctl 
going forward, but currently this is blocking our releases.

--karuna


On Tue, May 11, 2021 at 2:54 PM Noel Kuntze <[email protected]> wrote:

    Hi,

    Full logs please, as shown on the HelpRequests[1] page on the wiki.
    Also, it's strongly recommended to use swanctl instead if possible. That's the better configuration backend.

    Kind regards
    Noel

    [1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

    On 11.05.21 at 23:50, Karuna Sagar Krishna wrote:
    > Hi,
    >
    > I'm setting up an IPSec connection between a bunch of Ubuntu 18.04 LTS nodes. I'm using 
    > Strongswan (Linux strongSwan U5.6.2/K5.4.0-1046-azure) on the Ubuntu nodes. The number of nodes 
    > is dynamic, i.e. there are frequent scale out/ins. So the ipsec.conf file (see attached) is 
    > updated with additional conn sections and `sudo ipsec update` is used to reload the config 
    > file. However, I've noticed intermittent network connectivity issues and the syslog shows -> 
    > "no IKE config found for 10.0.0.14...10.0.0.18, sending NO_PROPOSAL_CHOSEN". Clearly, 
    > the ipsec status shows that the daemon has not reloaded the config irrespective of issuing 
    > `sudo ipsec update` multiple times.
    >
    > Can you help understand why the config is not updated and how to fix this 
    > issue?
    >
    >
    >
    > IPSec status:
    > -----------------
    >
    >  > sudo ipsec statusall
    >
    > Status of IKE charon daemon (strongSwan 5.6.2, Linux 5.4.0-1046-azure, x86_64):
    >    uptime: 45 minutes, since May 11 20:42:07 2021
    >    malloc: sbrk 2703360, mmap 0, used 778800, free 1924560
    >    worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
    >    loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
    > Listening IP addresses:
    >    10.0.0.14
    > Connections:
    > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:  10.0.0.14...10.0.0.15  IKEv2
    > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   local:  [CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key authentication
    > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:    cert:  "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
    > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   remote: [CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key authentication
    > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:    cert:  "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
    > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   child:  dynamic === dynamic TRANSPORT
    > hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:  10.0.0.14...10.0.0.14  IKEv2
    > hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   local:  [CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key authentication
    > hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:    cert:  "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
    > hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   remote: [CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key authentication
    > hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:    cert:  "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
    > hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   child:  dynamic === dynamic TRANSPORT
    > /*Routed Connections:
    > hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{2}:  ROUTED, TRANSPORT, reqid 2
    > hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{2}: 10.0.0.14/32 === 10.0.0.14/32
    > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{1}:  ROUTED, TRANSPORT, reqid 1
    > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{1}: 10.0.0.14/32 === 10.0.0.15/32*/
    > Security Associations (1 up, 0 connecting):
    > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net[11]: ESTABLISHED 26 minutes ago, 10.0.0.14[CN=IP-37fa1445fc.hdinsight-stable.azure-test.net]...10.0.0.15[CN=IP-37fa1445fc.hdinsight-stable.azure-test.net]
    > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net[11]: IKEv2 SPIs: 1536ce9853bef399_i c00b62dfefa5f4ce_r*, public key reauthentication in 7 hours
    > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net[11]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{3}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c73ba254_i c0ffd04a_o
    > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{3}:  AES_CBC_256/HMAC_SHA2_256_128, 44961 bytes_i (822 pkts, 0s ago), 193357 bytes_o (570 pkts, 1557s ago), rekeying in 7 hours
    > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{3}: 10.0.0.14/32 === 10.0.0.15/32
    >
    >
    > Charon logs:
    > -----------------
    >
    > May 11 21:23:20 hn1-kkafka charon: 09[NET] received packet: from 10.0.0.18[500] to 10.0.0.14[500] (536 bytes)
    > May 11 21:23:20 hn1-kkafka charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
    > May 11 21:23:20 hn1-kkafka charon: 09[IKE] /*no IKE config found for 10.0.0.14...10.0.0.18, sending NO_PROPOSAL_CHOSEN*/
    > May 11 21:23:20 hn1-kkafka charon: 09[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
    > May 11 21:23:20 hn1-kkafka charon: 09[NET] sending packet: from 10.0.0.14[500] to 10.0.0.18[500] (36 bytes)
    >
    > --karuna
    >
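An added diagnostic for the symptom discussed in this thread (example code, not from the thread or from strongSwan): it cross-references charon's "no IKE config found for A...B" lines against the conn sections of an ipsec.conf, so a peer that is missing from the file can be told apart from one that is in the file but evidently not loaded by the daemon. The ipsec.conf fragment and log lines are constructed, and the matcher assumes literal left=/right= addresses (no %any, subnets or hostnames).

```python
import re
# Constructed ipsec.conf fragment in the style of the thread (placeholder conn names).
SAMPLE_IPSEC_CONF = """\
conn %default
    keyexchange=ikev2
    type=transport
conn node-15
    left=10.0.0.14
    right=10.0.0.15
conn node-16
    left=10.0.0.14
    right=10.0.0.16
"""
# Constructed charon lines modelled on the one quoted in the thread.
SAMPLE_CHARON_LOG = """\
May 11 21:23:20 hn1-kkafka charon: 09[IKE] no IKE config found for 10.0.0.14...10.0.0.18, sending NO_PROPOSAL_CHOSEN
May 11 21:23:25 hn1-kkafka charon: 10[IKE] no IKE config found for 10.0.0.14...10.0.0.16, sending NO_PROPOSAL_CHOSEN
"""
NO_CONFIG_RE = re.compile(r"no IKE config found for (\S+)\.\.\.(\S+), sending NO_PROPOSAL_CHOSEN")

def parse_conns(conf_text):
    """Return {conn_name: {key: value}} per conn section (except %default); literal addresses only."""
    conns, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            current = m.group(1)
            conns[current] = {}
        elif current and line[0].isspace() and "=" in line:  # indented key=value
            key, val = line.strip().split("=", 1)
            conns[current][key.strip()] = val.strip()
    conns.pop("%default", None)
    return conns

def rejected_peers(log_text):
    """Sorted (local, remote) pairs that charon rejected with NO_PROPOSAL_CHOSEN for lack of a config."""
    return sorted({m.groups() for m in NO_CONFIG_RE.finditer(log_text)})

def classify(conf_text, log_text):
    """Peers absent from the file need a conn; peers present but still rejected mean the file was not reloaded."""
    in_file = {(c.get("left"), c.get("right")) for c in parse_conns(conf_text).values()}
    missing, not_loaded = [], []
    for local, remote in rejected_peers(log_text):
        (not_loaded if (local, remote) in in_file else missing).append(remote)
    return {"missing_from_file": missing, "in_file_but_not_loaded": not_loaded}
```

On a live node, feed it the real /etc/ipsec.conf and the charon lines from syslog; any peer reported under in_file_but_not_loaded is the case this thread is about, where `ipsec update` did not pick up the file.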