[Swan] IPSEC SA replace also replaces ISAKMP SA

Paul Wouters paul at nohats.ca
Wed Apr 6 12:30:38 UTC 2016


Do you still see this with 3.17? That version has a fix for shared IKE connections such as aliases that you are using.

If you do, can you send me a Pluto log offlist?

Paul

Sent from my iPhone

> On Apr 5, 2016, at 06:34, Marc Ledent <marc.ledent at homesend.com> wrote:
> 
> Hi all,
>  
> Sorry to bother you with this, but this issue is quite blocking for us. Can somebody help us with this?
>  
> Regards,
> Marc
>  
> From: Marc Ledent 
> Sent: Thursday 31 March 2016 15:13
> To: 'swan at lists.libreswan.org' <swan at lists.libreswan.org>
> Subject: IPSEC SA replace also replaces ISAKMP SA
>  
> Hi all,
>  
> We have a strange behaviour on one of our tunnels.
>  
> On this tunnel, when the IPSEC SA is coming to expiration, it is replaced WITH the ISAKMP SA, but WITHOUT deleting the latter, which leads to an increasing number of “to be replaced” ISAKMP SAs.
>  
> I did some searching on the internet, but without results…
>  
>  
> The config:
>  
> 000 "conn_name/1x1": 0.0.0.0/0===XXXX<XXXXXXXX>...YYYYYYYY<YYYYYYYYY>===0.0.0.0/0; erouted; eroute owner: #595
> 000 "conn_name/1x1":     oriented; my_ip=unset; their_ip=unset; myup=/etc/ipsec.d/conn_name-vpn.sh
> 000 "conn_name/1x1":   xauth info: us:none, them:none,  my_xauthuser=[any]; their_xauthuser=[any]
> 000 "conn_name/1x1":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
> 000 "conn_name/1x1":   labeled_ipsec:no;
> 000 "conn_name/1x1":   policy_label:unset;
> 000 "conn_name/1x1":   ike_life: 28800s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
> 000 "conn_name/1x1":   retransmit-interval: 500ms; retransmit-timeout: 60s;
> 000 "conn_name/1x1":   sha2_truncbug:no; initial_contact:no; cisco_unity:no; fake_strongswan:no; send_vendorid:no;
> 000 "conn_name/1x1":   policy: PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW;
> 000 "conn_name/1x1":   conn_prio: 0,0; interface: ens225; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset; mark: 10/0xffffffff;
> 000 "conn_name/1x1":   newest ISAKMP SA: #594; newest IPsec SA: #595;
> 000 "conn_name/1x1":   aliases: conn_name
> 000 "conn_name/1x1":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP2048(14), AES_CBC(7)_128-SHA1(2)_000-MODP1536(5), AES_CBC(7)_128-SHA1(2)_000-MODP1024(2)
> 000 "conn_name/1x1":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-MODP2048(14), AES_CBC(7)_128-SHA1(2)_160-MODP1536(5), AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
> 000 "conn_name/1x1":   IKEv2 algorithm newest: AES_CBC_128-AUTH_HMAC_SHA1_96-PRF_HMAC_SHA1-MODP2048
> 000 "conn_name/1x1":   ESP algorithms wanted: AES(12)_128-SHA1(2)_000; pfsgroup=MODP2048(14)
> 000 "conn_name/1x1":   ESP algorithms loaded: AES(12)_128-SHA1(2)_000
>  
> # active SAs
> 000 #595: "conn_name/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 1890s; newest IPSEC; eroute owner; isakmp#594; idle; import:respond to stranger
> 000 #595: "conn_name/1x1" esp.ca572b92 at 80.84.22.51 esp.f6b62d0 at 64.94.187.67 tun.0 at 80.84.22.51 tun.0 at 64.94.187.67 ref=0 refhim=4294901761 Traffic: ESPin=3MB ESPout=5MB! ESPmax=0B
> 000 #594: "conn_name/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 27026s; newest ISAKMP; isakmp#0; idle; import:respond to stranger
> 000 #594: "conn_name/1x1" ref=0 refhim=0 Traffic:
>  
> # “dead” SAs
> 000 #392: "bics/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 798s; isakmp#0; idle; import:respond to stranger
> 000 #392: "bics/1x1" ref=0 refhim=0 Traffic:
> 000 #414: "bics/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 3672s; isakmp#0; idle; import:respond to stranger
> 000 #414: "bics/1x1" ref=0 refhim=0 Traffic:
> 000 #551: "bics/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 21212s; isakmp#0; idle; import:respond to stranger
> 000 #551: "bics/1x1" ref=0 refhim=0 Traffic:
>  
>  
> Any ideas?
>  
> Regards,
> Marc
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
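An added example, not part of the thread and not libreswan's own code: a small parser for the "000 #N:" state lines of `ipsec status`, as shown in Marc's output above, that flags parent (IKE/ISAKMP) SAs which are neither the connection's "newest ISAKMP" SA nor referenced as `isakmp#N` by any child SA. That is the pattern of the "dead" SAs listed above, so it can be run periodically to confirm whether the accumulation is still happening after upgrading. The field layout is assumed from the output quoted in the thread; the sample input is constructed (documentation addresses, invented SPIs) and modelled on it. `replace_window` is a separate helper that reflects the ipsec.conf documentation's `rekeymargin`/`rekeyfuzz` semantics (the margin is randomly increased by up to `rekeyfuzz` percent and subtracted from the lifetime), which is how the countdown shown in `EVENT_SA_REPLACE in ...s` is scheduled; treat that as the documented intent rather than a statement about any particular version's code.

```python
"""Find parent (IKE/ISAKMP) SAs that libreswan has replaced but not deleted.

Parses the "000 #N: ..." state lines of `ipsec status` and reports parent SAs
that are not "newest ISAKMP" and own no child (IPsec) SA.  Example code, not
part of libreswan; field layout assumed from the status output in the thread.
"""
import re

# Constructed sample modelled on the thread's output (not the poster's real
# data): one live parent/child pair (#594/#595) plus two leftover parents.
SAMPLE_STATUS = """\
000 #595: "conn_name/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 1890s; newest IPSEC; eroute owner; isakmp#594; idle; import:respond to stranger
000 #595: "conn_name/1x1" esp.11111111@192.0.2.1 esp.22222222@198.51.100.1 tun.0@192.0.2.1 tun.0@198.51.100.1 ref=0 refhim=4294901761 Traffic: ESPin=3MB ESPout=5MB! ESPmax=0B
000 #594: "conn_name/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 27026s; newest ISAKMP; isakmp#0; idle; import:respond to stranger
000 #594: "conn_name/1x1" ref=0 refhim=0 Traffic:
000 #392: "conn_name/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 798s; isakmp#0; idle; import:respond to stranger
000 #392: "conn_name/1x1" ref=0 refhim=0 Traffic:
000 #414: "conn_name/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 3672s; isakmp#0; idle; import:respond to stranger
000 #414: "conn_name/1x1" ref=0 refhim=0 Traffic:
"""

# Matches only the state line; the following "esp.../Traffic:" detail line has
# no ":<port> STATE_..." part and is skipped on purpose.
STATE_RE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)":\d+ (?P<state>STATE_\S+) '
    r'\([^)]*\); (?P<rest>.*)$'
)


def parse_states(text):
    """Return one dict per state line: number, connection, parent SA, flags."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        fields = [f.strip() for f in m.group("rest").split(";")]
        parent = None       # isakmp#N: 0 on a parent SA, the parent's number on a child
        replace_in = None   # seconds until EVENT_SA_REPLACE fires
        for f in fields:
            if f.startswith("isakmp#"):
                parent = int(f[len("isakmp#"):])
            elif f.startswith("EVENT_SA_REPLACE in "):
                replace_in = int(f[len("EVENT_SA_REPLACE in "):].rstrip("s"))
        states.append({
            "num": int(m.group("num")),
            "conn": m.group("conn"),
            "state": m.group("state"),
            "parent": parent,
            "replace_in": replace_in,
            "newest_ike": "newest ISAKMP" in fields,
            "newest_ipsec": "newest IPSEC" in fields,
        })
    return states


def orphaned_ike_sas(states):
    """Parent SAs (isakmp#0) that are not 'newest ISAKMP' and own no child SA.

    A parent that is still the connection's newest IKE SA, or that some child
    points at via isakmp#N, is live; anything else is a leftover waiting for
    its own EVENT_SA_REPLACE, which is exactly the 'dead' list in the thread.
    """
    referenced = {s["parent"] for s in states if s["parent"]}
    return sorted(
        s["num"] for s in states
        if s["parent"] == 0 and not s["newest_ike"] and s["num"] not in referenced
    )


def replace_window(lifetime, rekeymargin, rekeyfuzz_pct=100):
    """Earliest and latest seconds after establishment at which the replace
    event can be scheduled, per ipsec.conf: rekeymargin is randomly increased
    by up to rekeyfuzz percent, then subtracted from the lifetime.  With the
    thread's ipsec_life=3600s, rekey_margin=540s, rekey_fuzz=100% this is
    (2520, 3060)."""
    margin_max = rekeymargin * (100 + rekeyfuzz_pct) // 100
    return lifetime - margin_max, lifetime - rekeymargin


if __name__ == "__main__":
    states = parse_states(SAMPLE_STATUS)
    for s in states:
        role = "parent" if s["parent"] == 0 else "child of #%d" % s["parent"]
        print("#%d %s %s replace in %ss" % (s["num"], s["conn"], role, s["replace_in"]))
    print("orphaned IKE SAs:", orphaned_ike_sas(states))
    print("child replace window (s):", replace_window(3600, 540, 100))
```

On a live host feed it the real output (`ipsec status | python3 this_script.py`, after changing the `__main__` block to read `sys.stdin`); a non-empty orphan list that keeps growing across runs is the symptom to report, together with the pluto log Paul asks for.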

