[Swan] IPSEC SA replace also replaces ISAKMP SA

Marc Ledent marc.ledent at homesend.com
Tue Apr 5 09:34:04 UTC 2016


Hi all,

Sorry to bother you with this, but this issue is quite blocking for us. Can somebody help us with this?

Regards,
Marc

From: Marc Ledent
Sent: Thursday 31 March 2016 15:13
To: 'swan at lists.libreswan.org' <swan at lists.libreswan.org>
Subject: IPSEC SA replace also replaces ISAKMP SA

Hi all,

We have a strange behaviour on one of our tunnels.

On this tunnel, when the IPSEC SA is coming to expiration, it is replaced WITH the ISAKMP SA, but WITHOUT deleting the latter, which leads to an increasing number of "to be replaced" ISAKMP SAs.

I made some searches on the internet but without results...


The config:

000 "conn_name/1x1": 0.0.0.0/0===XXXX<XXXXXXXX>...YYYYYYYY<YYYYYYYYY>===0.0.0.0/0; erouted; eroute owner: #595
000 "conn_name/1x1":     oriented; my_ip=unset; their_ip=unset; myup=/etc/ipsec.d/conn_name-vpn.sh
000 "conn_name/1x1":   xauth info: us:none, them:none,  my_xauthuser=[any]; their_xauthuser=[any]
000 "conn_name/1x1":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "conn_name/1x1":   labeled_ipsec:no;
000 "conn_name/1x1":   policy_label:unset;
000 "conn_name/1x1":   ike_life: 28800s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "conn_name/1x1":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "conn_name/1x1":   sha2_truncbug:no; initial_contact:no; cisco_unity:no; fake_strongswan:no; send_vendorid:no;
000 "conn_name/1x1":   policy: PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "conn_name/1x1":   conn_prio: 0,0; interface: ens225; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset; mark: 10/0xffffffff;
000 "conn_name/1x1":   newest ISAKMP SA: #594; newest IPsec SA: #595;
000 "conn_name/1x1":   aliases: conn_name
000 "conn_name/1x1":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP2048(14), AES_CBC(7)_128-SHA1(2)_000-MODP1536(5), AES_CBC(7)_128-SHA1(2)_000-MODP1024(2)
000 "conn_name/1x1":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-MODP2048(14), AES_CBC(7)_128-SHA1(2)_160-MODP1536(5), AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
000 "conn_name/1x1":   IKEv2 algorithm newest: AES_CBC_128-AUTH_HMAC_SHA1_96-PRF_HMAC_SHA1-MODP2048
000 "conn_name/1x1":   ESP algorithms wanted: AES(12)_128-SHA1(2)_000; pfsgroup=MODP2048(14)
000 "conn_name/1x1":   ESP algorithms loaded: AES(12)_128-SHA1(2)_000

# active SAs
000 #595: "conn_name/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 1890s; newest IPSEC; eroute owner; isakmp#594; idle; import:respond to stranger
000 #595: "conn_name/1x1" esp.ca572b92@80.84.22.51 esp.f6b62d0@64.94.187.67 tun.0@80.84.22.51 tun.0@64.94.187.67 ref=0 refhim=4294901761 Traffic: ESPin=3MB ESPout=5MB! ESPmax=0B
000 #594: "conn_name/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 27026s; newest ISAKMP; isakmp#0; idle; import:respond to stranger
000 #594: "conn_name/1x1" ref=0 refhim=0 Traffic:

# "dead" SAs
000 #392: "bics/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 798s; isakmp#0; idle; import:respond to stranger
000 #392: "bics/1x1" ref=0 refhim=0 Traffic:
000 #414: "bics/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 3672s; isakmp#0; idle; import:respond to stranger
000 #414: "bics/1x1" ref=0 refhim=0 Traffic:
000 #551: "bics/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 21212s; isakmp#0; idle; import:respond to stranger
000 #551: "bics/1x1" ref=0 refhim=0 Traffic:


Any ideas?

Regards,
Marc
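As an added example (not from the post and not Libreswan code), here is a small Python checker that parses `ipsec status` state lines like those quoted above and flags ISAKMP (parent) SAs that are neither a connection's newest ISAKMP SA nor referenced by any IPsec SA, i.e. the ones that pile up after each replace. The sample input is constructed from the output quoted in the post; the classification of a line with `isakmp#0` as a parent SA is an assumption taken from that output.

```python
import re

# Constructed sample of `ipsec status` state lines, modelled on the output
# quoted in the post (SA numbers and connection names copied from there).
SAMPLE_STATUS = """\
000 #595: "conn_name/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 1890s; newest IPSEC; eroute owner; isakmp#594; idle; import:respond to stranger
000 #594: "conn_name/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 27026s; newest ISAKMP; isakmp#0; idle; import:respond to stranger
000 #392: "bics/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 798s; isakmp#0; idle; import:respond to stranger
000 #414: "bics/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 3672s; isakmp#0; idle; import:respond to stranger
000 #551: "bics/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 21212s; isakmp#0; idle; import:respond to stranger
"""

# Matches the per-state line; the SPI/traffic lines and the connection
# description lines do not match and are skipped.
STATE_RE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)":\d+ STATE_\w+ .*?'
    r'EVENT_\w+ in (?P<secs>\d+)s;(?P<rest>.*)$'
)

def parse_states(text):
    sas = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        rest = m.group('rest')
        parent = re.search(r'isakmp#(\d+)', rest)
        sas.append({
            'num': int(m.group('num')),
            'conn': m.group('conn'),
            'replace_in': int(m.group('secs')),
            'newest_isakmp': 'newest ISAKMP' in rest,
            # isakmp#N on a child SA names its parent; a parent SA shows isakmp#0
            'parent': int(parent.group(1)) if parent else 0,
        })
    return sas

def stale_isakmp_sas(sas):
    """Parent SAs that are not 'newest ISAKMP' and have no child pointing at them."""
    referenced = {sa['parent'] for sa in sas if sa['parent']}
    return [sa for sa in sas
            if sa['parent'] == 0
            and not sa['newest_isakmp']
            and sa['num'] not in referenced]

def stale_by_conn(sas):
    """Group stale parent SA numbers by connection name for alerting."""
    out = {}
    for sa in stale_isakmp_sas(sas):
        out.setdefault(sa['conn'], []).append(sa['num'])
    return out
```

Feeding the live `ipsec status` output into `parse_states` and alerting when `stale_by_conn` returns a non-empty dict gives an early warning that parent SAs are accumulating instead of being deleted on rekey.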