[Swan] IPSEC SA replace also replaces ISAKMP SA

Marc Ledent marc.ledent at homesend.com
Wed Apr 6 12:39:00 UTC 2016


Hi Paul,

Thanks for your reply.
The version we are using is:

# ipsec pluto --version
Libreswan 3.master-201549.git XFRM(netkey) KLIPS NSS DNSSEC FIPS_CHECK LABELED_IPSEC LIBCAP_NG XAUTH_PAM NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS)

Regards,
Marc

From: Paul Wouters [mailto:paul at nohats.ca]
Sent: Wednesday 6 April 2016 14:31
To: Marc Ledent <marc.ledent at homesend.com>
Cc: swan at lists.libreswan.org
Subject: Re: [Swan] IPSEC SA replace also replaces ISAKMP SA

Do you still see this with 3.17? That version has a fix for shared IKE connections such as aliases that you are using.

If you do, can you send me a Pluto log offlist?

Paul

Sent from my iPhone

On Apr 5, 2016, at 06:34, Marc Ledent <marc.ledent at homesend.com> wrote:
Hi all,

Sorry to bother you with this, but this issue is quite blocking for us. Can somebody help us with this?

Regards,
Marc

From: Marc Ledent
Sent: Thursday 31 March 2016 15:13
To: 'swan at lists.libreswan.org' <swan at lists.libreswan.org>
Subject: IPSEC SA replace also replaces ISAKMP SA

Hi all,

We have a strange behaviour on one of our tunnels.

On this tunnel, when the IPSEC SA is coming to expiration, it is replaced WITH the ISAKMP SA, but WITHOUT deleting the latter, which leads to an increasing number of “to be replaced” ISAKMP SAs.

I did some searching on the internet but without results…


The config:

000 "conn_name/1x1": 0.0.0.0/0===XXXX<XXXXXXXX>...YYYYYYYY<YYYYYYYYY>===0.0.0.0/0; erouted; eroute owner: #595
000 "conn_name/1x1":     oriented; my_ip=unset; their_ip=unset; myup=/etc/ipsec.d/conn_name-vpn.sh
000 "conn_name/1x1":   xauth info: us:none, them:none,  my_xauthuser=[any]; their_xauthuser=[any]
000 "conn_name/1x1":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "conn_name/1x1":   labeled_ipsec:no;
000 "conn_name/1x1":   policy_label:unset;
000 "conn_name/1x1":   ike_life: 28800s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "conn_name/1x1":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "conn_name/1x1":   sha2_truncbug:no; initial_contact:no; cisco_unity:no; fake_strongswan:no; send_vendorid:no;
000 "conn_name/1x1":   policy: PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "conn_name/1x1":   conn_prio: 0,0; interface: ens225; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset; mark: 10/0xffffffff;
000 "conn_name/1x1":   newest ISAKMP SA: #594; newest IPsec SA: #595;
000 "conn_name/1x1":   aliases: conn_name
000 "conn_name/1x1":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP2048(14), AES_CBC(7)_128-SHA1(2)_000-MODP1536(5), AES_CBC(7)_128-SHA1(2)_000-MODP1024(2)
000 "conn_name/1x1":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-MODP2048(14), AES_CBC(7)_128-SHA1(2)_160-MODP1536(5), AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
000 "conn_name/1x1":   IKEv2 algorithm newest: AES_CBC_128-AUTH_HMAC_SHA1_96-PRF_HMAC_SHA1-MODP2048
000 "conn_name/1x1":   ESP algorithms wanted: AES(12)_128-SHA1(2)_000; pfsgroup=MODP2048(14)
000 "conn_name/1x1":   ESP algorithms loaded: AES(12)_128-SHA1(2)_000

# active SAs
000 #595: "conn_name/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 1890s; newest IPSEC; eroute owner; isakmp#594; idle; import:respond to stranger
000 #595: "conn_name/1x1" esp.ca572b92 at 80.84.22.51 esp.f6b62d0 at 64.94.187.67 tun.0 at 80.84.22.51 tun.0 at 64.94.187.67 ref=0 refhim=4294901761 Traffic: ESPin=3MB ESPout=5MB! ESPmax=0B
000 #594: "conn_name/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 27026s; newest ISAKMP; isakmp#0; idle; import:respond to stranger
000 #594: "conn_name/1x1" ref=0 refhim=0 Traffic:

# “dead” SAs
000 #392: "bics/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 798s; isakmp#0; idle; import:respond to stranger
000 #392: "bics/1x1" ref=0 refhim=0 Traffic:
000 #414: "bics/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 3672s; isakmp#0; idle; import:respond to stranger
000 #414: "bics/1x1" ref=0 refhim=0 Traffic:
000 #551: "bics/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 21212s; isakmp#0; idle; import:respond to stranger
000 #551: "bics/1x1" ref=0 refhim=0 Traffic:


Any ideas?

Regards,
Marc
_______________________________________________
Swan mailing list
Swan at lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
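As an added illustration (not code from the thread or from Libreswan itself), a small check that parses `ipsec status` lines of the shape shown above and flags parent (IKE) SAs left behind after a rekey, so the growth of such leftovers can be watched over time. The sample status lines, connection name and state numbers are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the `ipsec status` output in the thread;
# connection name, state numbers and timers are made up for illustration.
SAMPLE_STATUS = """\
000 "conn_name/1x1":   newest ISAKMP SA: #594; newest IPsec SA: #595;
000 #595: "conn_name/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 1890s; newest IPSEC; eroute owner; isakmp#594; idle; import:respond to stranger
000 #594: "conn_name/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 27026s; newest ISAKMP; isakmp#0; idle; import:respond to stranger
000 #392: "conn_name/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 798s; isakmp#0; idle; import:respond to stranger
000 #414: "conn_name/1x1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 3672s; isakmp#0; idle; import:respond to stranger
"""

# Per-connection summary line carrying the live state numbers.
NEWEST_RE = re.compile(
    r'^000 "(?P<conn>[^"]+)":\s+newest ISAKMP SA: #(?P<ike>\d+); '
    r'newest IPsec SA: #(?P<child>\d+);')
# Per-state line: number, connection, state name, replace timer, flag list.
STATE_RE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)":\d+ (?P<state>STATE_\w+) '
    r'.*?EVENT_SA_REPLACE in (?P<secs>\d+)s;(?P<flags>.*)$')


def find_stale_isakmp(status_text):
    """Map connection -> [(state#, seconds until EVENT_SA_REPLACE)] for parent
    SAs that are neither the newest ISAKMP nor the newest IPsec SA of their
    connection and have no isakmp# back-reference: the "dead" SAs above."""
    live = defaultdict(set)
    for line in status_text.splitlines():
        m = NEWEST_RE.match(line)
        if m:
            live[m['conn']].update({int(m['ike']), int(m['child'])})
    stale = defaultdict(list)
    for line in status_text.splitlines():
        m = STATE_RE.match(line)
        if not m or not m['state'].startswith('STATE_PARENT_'):
            continue
        flags = m['flags']
        if 'newest ISAKMP' in flags or 'newest IPSEC' in flags:
            continue                       # the current SA pair, keep it
        if int(m['num']) in live[m['conn']]:
            continue                       # referenced by the conn summary
        if 'isakmp#0' in flags:            # no parent link: an orphan
            stale[m['conn']].append((int(m['num']), int(m['secs'])))
    return dict(stale)


def stale_count(status_text):
    """Total orphaned IKE SAs; a value that grows between rekeys is the symptom."""
    return sum(len(v) for v in find_stale_isakmp(status_text).values())
```

Feeding it the real output of `ipsec status` at each rekey interval and alerting when `stale_count` keeps rising gives an early warning before the orphaned SAs pile up.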