[Swan-dev] Bogus "established IKE SA" messages

Paul Wouters paul at nohats.ca
Mon Apr 5 23:03:15 UTC 2021


E.g. see this log:

Apr  5 18:56:32.909849: "west" #4: sent CREATE_CHILD_SA request to rekey IPsec SA
Apr  5 18:56:32.917812: "west" #4: rekeyed #3 STATE_V2_REKEY_CHILD_I1 and expire it remaining life 28774.21038s
Apr  5 18:56:32.917920: "west" #4: negotiated connection [192.0.1.0-192.0.1.255:0-65535 0] -> [192.0.2.0-192.0.2.255:0-65535 0]
Apr  5 18:56:32.917928: "west" #4: IPsec SA established tunnel mode {ESP=>0x19ae6dab <0x0ec6e523 xfrm=AES_GCM_16_256-NONE-MODP2048 NATOA=none NATD=none DPD=passive}
Apr  5 18:56:33.918801: "west" #3: deleting state (STATE_V2_ESTABLISHED_CHILD_SA) aged 26.826433s and sending notification
Apr  5 18:56:33.918917: "west" #3: ESP traffic information: in=1KB out=1KB
Apr  5 18:56:33.921937: "west" #1: received delete request for IKEv2_SEC_PROTO_ESP SA(0xfe024578) but corresponding state not found
Apr  5 18:56:33.922055: "west" #1: established IKE SA
Apr  5 18:56:46.640199: "west" #1: received Delete SA payload: replace CHILD SA #4 now
Apr  5 18:56:46.640351: "west" #1: established IKE SA

The only event here was a CREATE_CHILD_SA for a Child SA. It should not
print those "established IKE SA" messages.

Also, I wonder if we should keep a recent list of deleted IPsec and
IKE SPIs, so when we get a delete response for something we have just
deleted, we don't show a weird "not found" error.

Paul
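A sketch of the recently-deleted SPI list floated in the message above, added here as an example and not code from libreswan: a fixed-size ring buffer of (protocol, SPI, deletion time) entries that is consulted before logging "state not found", so a peer's Delete that crossed our own is logged as expected rather than as an error. The function and type names, the 32-entry size and the 60-second window are assumptions; the Protocol ID values are the IKEv2 ones from RFC 7296.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <time.h>

/* IKEv2 Protocol IDs from RFC 7296 section 3.3.1; the enum name is an assumption. */
enum sa_proto { PROTO_IKE = 1, PROTO_AH = 2, PROTO_ESP = 3 };

#define RECENT_MAX 32       /* ring buffer size (assumption) */
#define RECENT_TTL_SECS 60  /* how long a deleted SPI counts as "recent" (assumption) */

struct recent_spi { enum sa_proto proto; uint32_t spi; time_t deleted_at; bool used; };

/* Zero-initialise with "= {0}"; "next" is the slot holding the oldest entry. */
struct recent_spi_list { struct recent_spi slots[RECENT_MAX]; unsigned next; };

/* Call whenever we delete an IKE or IPsec SA ourselves. */
void recent_spi_record(struct recent_spi_list *l, enum sa_proto proto,
		       uint32_t spi, time_t now)
{
	struct recent_spi *s = &l->slots[l->next];
	s->proto = proto; s->spi = spi; s->deleted_at = now; s->used = true;
	l->next = (l->next + 1) % RECENT_MAX;   /* overwrite the oldest entry when full */
}

/* True when (proto, spi) was deleted by us within the TTL. */
bool recent_spi_lookup(const struct recent_spi_list *l, enum sa_proto proto,
		       uint32_t spi, time_t now)
{
	for (unsigned i = 0; i < RECENT_MAX; i++) {
		const struct recent_spi *s = &l->slots[i];
		if (s->used && s->proto == proto && s->spi == spi &&
		    now - s->deleted_at <= RECENT_TTL_SECS)
			return true;
	}
	return false;
}

/* Message to log for a Delete payload whose SPI has no live state: a
 * crossed delete for an SA we just removed is expected, not an error. */
const char *delete_without_state_message(const struct recent_spi_list *l,
					 enum sa_proto proto, uint32_t spi, time_t now)
{
	return recent_spi_lookup(l, proto, spi, now)
		? "ignoring Delete for SA we just deleted (crossed deletes)"
		: "received delete request but corresponding state not found";
}
```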

