[Swan-dev] Bogus "established IKE SA" messages
Andrew Cagney
andrew.cagney at gmail.com
Mon Apr 5 23:46:52 UTC 2021
On Mon, 5 Apr 2021 at 19:03, Paul Wouters <paul at nohats.ca> wrote:
>
> Eg see this log:
>
> Apr 5 18:56:32.909849: "west" #4: sent CREATE_CHILD_SA request to rekey
> IPsec SA
> Apr 5 18:56:32.917812: "west" #4: rekeyed #3 STATE_V2_REKEY_CHILD_I1 and
> expire it remaining life 28774.21038s
> Apr 5 18:56:32.917920: "west" #4: negotiated connection
> [192.0.1.0-192.0.1.255:0-65535 0] -> [192.0.2.0-192.0.2.255:0-65535 0]
> Apr 5 18:56:32.917928: "west" #4: IPsec SA established tunnel mode
> {ESP=>0x19ae6dab <0x0ec6e523 xfrm=AES_GCM_16_256-NONE-MODP2048 NATOA=none
> NATD=none DPD=passive}
> Apr 5 18:56:33.918801: "west" #3: deleting state
> (STATE_V2_ESTABLISHED_CHILD_SA) aged 26.826433s and sending notification
> Apr 5 18:56:33.918917: "west" #3: ESP traffic information: in=1KB out=1KB
> Apr 5 18:56:33.921937: "west" #1: received delete request for
> IKEv2_SEC_PROTO_ESP SA(0xfe024578) but corresponding state not found
> Apr 5 18:56:33.922055: "west" #1: established IKE SA
> Apr 5 18:56:46.640199: "west" #1: received Delete SA payload: replace
> CHILD SA #4 now
> Apr 5 18:56:46.640351: "west" #1: established IKE SA
>
> The only event here was a CREATE_CHILD_SA for a Child SA. it should not
> print those "established IKE SA" messages.
>
It's connected to:
* Tell whack and logs our progress - unless OE or a state
* transition we're not telling anyone about, then be quiet.
*
* XXX: This code uses the new state, and not the state
* transition to determine if things established :-(
*
* This should be a bit in the transition!
although the comment is slightly out-of-date. The bit
SMF2_SUPPRESS_SUCCESS_LOG has been added (more are needed). You could try
adding it to this transition:
{ .story = "Informational Request",
.state = STATE_V2_ESTABLISHED_IKE_SA,
.next_state = STATE_V2_ESTABLISHED_IKE_SA,
.send = MESSAGE_RESPONSE,
.req_clear_payloads = P(SK),
.opt_enc_payloads = P(N) | P(D) | P(CP),
.processor = process_encrypted_informational_ikev2,
.recv_role = MESSAGE_REQUEST,
.recv_type = ISAKMP_v2_INFORMATIONAL,
.timeout_event = EVENT_RETAIN, },
> Also, I wonder if we should keep a recent list of deleted IPsec and
> IKE SPI's, so when we get a delete response for something we have just
> deleted, we don't show a weird "not found" error.
>
>
As in two delete requests crossing in the night?
Could this be from the delete code being a little too aggressive - deleting
the incoming channel before the delete response has been received?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan-dev/attachments/20210405/4008fcd6/attachment-0001.html>
More information about the Swan-dev
mailing list