[Swan] IPSec IKE SA "leakage" with 3.18-git

Reuben Farrelly reuben-libreswan at reub.net
Mon Oct 3 07:28:11 UTC 2016


Hi,

Looks like there is a leakage with SAs not being cleaned up properly 
with the latest -git code.  I am still running VTIs - so this could be 
a part of the problem.

At the moment the connection is not operational, however typically after 
a restart of pluto it will all re-establish again and work fine for a 
period of time.

On my client side Cisco router:

router-2#show crypto ikev2 sa
  IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf Status
1         10.102.51.162/500     139.162.51.249/500    none/none IN-NEG
       Encr: Unknown - 0, PRF: Unknown - 0, Hash: None, DH Grp:0, Auth sign: Unknown - 0, Auth verify: Unknown - 0
       Life/Active Time: 86400/0 sec

Tunnel-id Local                 Remote                fvrf/ivrf Status
5         10.102.51.162/4500    139.162.51.249/4500   none/none IN-NEG
       Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: Unknown - 0
       Life/Active Time: 86400/0 sec

  IPv6 Crypto IKEv2  SA

router-2#

Detailed:

router-2#show crypto ikev2 sa detailed
  IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf Status
2         10.102.51.162/4500    139.162.51.249/4500   none/none IN-NEG
       Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: Unknown - 0
       Life/Active Time: 86400/0 sec
       CE id: 2702, Session-id: 0
       Status Description: Initiator waiting for AUTH response
       Local spi: 397847DBDD8FC442       Remote spi: D6B734438E83914A
       Local id: router-2 at reub.net

Status of "Initiator waiting for AUTH response" is probably important here.

Incidentally I am not sure quite why we would want to listen for IPsec 
connections on the vti interfaces themselves.  Is that intentional?

On the libreswan side:

lightning ~ # ipsec status
000 using kernel interface: netkey
000 interface eth0/eth0 2400:8901:e001:3a::23 at 500
000 interface lo/lo ::1 at 500
000 interface eth0/eth0 2400:8901:e001:3a::22 at 500
000 interface eth0/eth0 2400:8901::f03c:91ff:fe6e:9dc at 500
000 interface eth0/eth0 2400:8901:e001:3a::21 at 500
000 interface eth0/eth0 2400:8901:e001:3a::20 at 500
000 interface lo/lo 127.0.0.1 at 4500
000 interface lo/lo 127.0.0.1 at 500
000 interface eth0/eth0 139.162.51.249 at 4500
000 interface eth0/eth0 139.162.51.249 at 500
000 interface vti-1/vti-1 192.168.6.1 at 4500
000 interface vti-1/vti-1 192.168.6.1 at 500
000
000
000 fips mode=disabled;
000 SElinux=disabled
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, 
secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d, nssdir=/etc/ipsec.d, 
dumpdir=/var/run/pluto/, statsbin=unset
000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
000 
pluto_version=v3.18-224-gc641972-c6419723fe1138c3d7d052a12f284e95adda1aa9, 
pluto_vendorid=OE-Libreswan-v3.18-224
000 nhelpers=-1, uniqueids=yes, perpeerlog=no, shuntlifetime=900s, 
xfrmlifetime=300s
000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, 
nflog-all=0
000 secctx-attr-type=<unsupported>
000 myid = (none)
000 debug none
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 
25.0.0.0/8, 100.64.0.0/10, fd00::/8, fe80::/10
000
000 ESP algorithms supported:
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, 
keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=128, 
keysizemax=128
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, 
keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, 
keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, 
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, 
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, 
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, 
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, 
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, 
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, 
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, 
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, 
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, 
keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: id=1, name=AUTH_ALGORITHM_HMAC_MD5, 
keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, 
keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, 
keysizemin=256, keysizemax=256
000 algorithm AH/ESP auth: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, 
keysizemin=384, keysizemax=384
000 algorithm AH/ESP auth: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, 
keysizemin=512, keysizemax=512
000 algorithm AH/ESP auth: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, 
keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=9, name=AUTH_ALGORITHM_AES_XCBC, 
keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=251, name=AUTH_ALGORITHM_NULL_KAME, 
keysizemin=0, keysizemax=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=16, 
v2name=AES_CCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=15, 
v2name=AES_CCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=14, 
v2name=AES_CCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, 
v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=24, v1name=OAKLEY_CAMELLIA_CTR, v2id=24, 
v2name=CAMELLIA_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, 
v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=20, v1name=OAKLEY_AES_GCM_C, v2id=20, 
v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=19, v1name=OAKLEY_AES_GCM_B, v2id=19, 
v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=18, v1name=OAKLEY_AES_GCM_A, v2id=18, 
v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, 
v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, 
v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, 
v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, 
v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, 
v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashlen=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashlen=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashlen=32
000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashlen=48
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashlen=64
000 algorithm IKE hash: id=9, name=DISABLED-OAKLEY_AES_XCBC, hashlen=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} 
trans={0,0,0} attrs={0,0,0}
000
000 Connection list:
000
000 "router-2.reub.net": 
0.0.0.0/0===139.162.51.249<139.162.51.249>[@lightning.reub.net]...%any[router-2 at reub.net]===0.0.0.0/0; 
unrouted; eroute owner: #0
000 "router-2.reub.net":     oriented; my_ip=unset; their_ip=unset
000 "router-2.reub.net":   xauth us:none, xauth them:none, 
my_username=[any]; their_username=[any]
000 "router-2.reub.net":   modecfg info: us:none, them:none, modecfg 
policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "router-2.reub.net":   labeled_ipsec:no;
000 "router-2.reub.net":   policy_label:unset;
000 "router-2.reub.net":   ike_life: 86400s; ipsec_life: 3600s; 
replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "router-2.reub.net":   retransmit-interval: 500ms; 
retransmit-timeout: 60s;
000 "router-2.reub.net":   sha2-truncbug:no; initial-contact:no; 
cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "router-2.reub.net":   policy: 
PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "router-2.reub.net":   conn_prio: 0,0; interface: eth0; metric: 0; 
mtu: unset; sa_prio:auto; sa_tfc:none;
000 "router-2.reub.net":   nflog-group: unset; mark: 12/0x00ffffff, 
12/0x00ffffff; vti-iface:vti-1; vti-routing:no; vti-shared:no;
000 "router-2.reub.net":   dpd: action:clear; delay:15; timeout:45; 
nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "router-2.reub.net":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "router-2.reub.net":   IKE algorithms wanted: 
AES_CBC(7)_256-SHA1(2)-MODP1536(5)
000 "router-2.reub.net":   IKE algorithms found: 
AES_CBC(7)_256-SHA1(2)-MODP1536(5)
000 "router-2.reub.net":   ESP algorithms wanted: AES(12)_128-SHA1(2); 
pfsgroup=MODP1536(5)
000 "router-2.reub.net":   ESP algorithms loaded: AES(12)_128-SHA1(2)
000 "router-2.reub.net"[1]: 
0.0.0.0/0===139.162.51.249<139.162.51.249>[@lightning.reub.net]...1.144.41.171[router-2 at reub.net]===0.0.0.0/0; 
prospective erouted; eroute owner: #0
000 "router-2.reub.net"[1]:     oriented; my_ip=unset; their_ip=unset
000 "router-2.reub.net"[1]:   xauth us:none, xauth them:none, 
my_username=[any]; their_username=[any]
000 "router-2.reub.net"[1]:   modecfg info: us:none, them:none, modecfg 
policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "router-2.reub.net"[1]:   labeled_ipsec:no;
000 "router-2.reub.net"[1]:   policy_label:unset;
000 "router-2.reub.net"[1]:   ike_life: 86400s; ipsec_life: 3600s; 
replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "router-2.reub.net"[1]:   retransmit-interval: 500ms; 
retransmit-timeout: 60s;
000 "router-2.reub.net"[1]:   sha2-truncbug:no; initial-contact:no; 
cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "router-2.reub.net"[1]:   policy: 
PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "router-2.reub.net"[1]:   conn_prio: 0,0; interface: eth0; metric: 
0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "router-2.reub.net"[1]:   nflog-group: unset; mark: 12/0x00ffffff, 
12/0x00ffffff; vti-iface:vti-1; vti-routing:no; vti-shared:no;
000 "router-2.reub.net"[1]:   dpd: action:clear; delay:15; timeout:45; 
nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "router-2.reub.net"[1]:   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "router-2.reub.net"[1]:   IKE algorithms wanted: 
AES_CBC(7)_256-SHA1(2)-MODP1536(5)
000 "router-2.reub.net"[1]:   IKE algorithms found: 
AES_CBC(7)_256-SHA1(2)-MODP1536(5)
000 "router-2.reub.net"[1]:   ESP algorithms wanted: 
AES(12)_128-SHA1(2); pfsgroup=MODP1536(5)
000 "router-2.reub.net"[1]:   ESP algorithms loaded: AES(12)_128-SHA1(2)
000 "router-2.reub.net"[2]: 
0.0.0.0/0===139.162.51.249<139.162.51.249>[@lightning.reub.net]...1.144.70.156[router-2 at reub.net]===0.0.0.0/0; 
unrouted; eroute owner: #0
000 "router-2.reub.net"[2]:     oriented; my_ip=unset; their_ip=unset
000 "router-2.reub.net"[2]:   xauth us:none, xauth them:none, 
my_username=[any]; their_username=[any]
000 "router-2.reub.net"[2]:   modecfg info: us:none, them:none, modecfg 
policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "router-2.reub.net"[2]:   labeled_ipsec:no;
000 "router-2.reub.net"[2]:   policy_label:unset;
000 "router-2.reub.net"[2]:   ike_life: 86400s; ipsec_life: 3600s; 
replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "router-2.reub.net"[2]:   retransmit-interval: 500ms; 
retransmit-timeout: 60s;
000 "router-2.reub.net"[2]:   sha2-truncbug:no; initial-contact:no; 
cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "router-2.reub.net"[2]:   policy: 
PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "router-2.reub.net"[2]:   conn_prio: 0,0; interface: eth0; metric: 
0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "router-2.reub.net"[2]:   nflog-group: unset; mark: 12/0x00ffffff, 
12/0x00ffffff; vti-iface:vti-1; vti-routing:no; vti-shared:no;
000 "router-2.reub.net"[2]:   dpd: action:clear; delay:15; timeout:45; 
nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "router-2.reub.net"[2]:   newest ISAKMP SA: #9178; newest IPsec SA: #0;
000 "router-2.reub.net"[2]:   IKE algorithms wanted: 
AES_CBC(7)_256-SHA1(2)-MODP1536(5)
000 "router-2.reub.net"[2]:   IKE algorithms found: 
AES_CBC(7)_256-SHA1(2)-MODP1536(5)
000 "router-2.reub.net"[2]:   IKEv2 algorithm newest: 
AES_CBC_256-AUTH_HMAC_SHA1_96-PRF_HMAC_SHA1-MODP1536
000 "router-2.reub.net"[2]:   ESP algorithms wanted: 
AES(12)_128-SHA1(2); pfsgroup=MODP1536(5)
000 "router-2.reub.net"[2]:   ESP algorithms loaded: AES(12)_128-SHA1(2)
000 "v6neighbor-hole-in": 
::/0===::1<::1>:58/34560...%any:58/34816===::/0; prospective erouted; 
eroute owner: #0
000 "v6neighbor-hole-in":     oriented; my_ip=unset; their_ip=unset
000 "v6neighbor-hole-in":   xauth us:none, xauth them:none, 
my_username=[any]; their_username=[any]
000 "v6neighbor-hole-in":   modecfg info: us:none, them:none, modecfg 
policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "v6neighbor-hole-in":   labeled_ipsec:no;
000 "v6neighbor-hole-in":   policy_label:unset;
000 "v6neighbor-hole-in":   ike_life: 0s; ipsec_life: 0s; replay_window: 
0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "v6neighbor-hole-in":   retransmit-interval: 0ms; 
retransmit-timeout: 0s;
000 "v6neighbor-hole-in":   sha2-truncbug:no; initial-contact:no; 
cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "v6neighbor-hole-in":   policy: 
PFS+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+PASS+NEVER_NEGOTIATE;
000 "v6neighbor-hole-in":   conn_prio: 0,0; interface: lo; metric: 0; 
mtu: unset; sa_prio:1; sa_tfc:none;
000 "v6neighbor-hole-in":   nflog-group: unset; mark: unset; 
vti-iface:unset; vti-routing:no; vti-shared:no;
000 "v6neighbor-hole-in":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "v6neighbor-hole-out": 
::/0===::1<::1>:58/34816...%any:58/34560===::/0; prospective erouted; 
eroute owner: #0
000 "v6neighbor-hole-out":     oriented; my_ip=unset; their_ip=unset
000 "v6neighbor-hole-out":   xauth us:none, xauth them:none, 
my_username=[any]; their_username=[any]
000 "v6neighbor-hole-out":   modecfg info: us:none, them:none, modecfg 
policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "v6neighbor-hole-out":   labeled_ipsec:no;
000 "v6neighbor-hole-out":   policy_label:unset;
000 "v6neighbor-hole-out":   ike_life: 0s; ipsec_life: 0s; 
replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "v6neighbor-hole-out":   retransmit-interval: 0ms; 
retransmit-timeout: 0s;
000 "v6neighbor-hole-out":   sha2-truncbug:no; initial-contact:no; 
cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "v6neighbor-hole-out":   policy: 
PFS+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+PASS+NEVER_NEGOTIATE;
000 "v6neighbor-hole-out":   conn_prio: 0,0; interface: lo; metric: 0; 
mtu: unset; sa_prio:1; sa_tfc:none;
000 "v6neighbor-hole-out":   nflog-group: unset; mark: unset; 
vti-iface:unset; vti-routing:no; vti-shared:no;
000 "v6neighbor-hole-out":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 Total IPsec connections: loaded 5, active 0
000
000 State Information: DDoS cookies not required, Accepting new IKE 
connections
000 IKE SAs: total(1810), half-open(5), open(0), authenticated(1805), 
anonymous(0)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)
000
000 #9183: "router-2.reub.net"[1] 1.144.41.171:500 STATE_PARENT_I1 (sent 
v2I1, expected v2R1); EVENT_v2_RETRANSMIT in 2s; idle; import:respond to 
stranger
000 #9180: "router-2.reub.net"[1] 1.144.41.171:500 STATE_PARENT_I1 (sent 
v2I1, expected v2R1); EVENT_v2_RETRANSMIT in 1s; idle; import:respond to 
stranger
000 #1: "router-2.reub.net"[1] 1.144.41.171:4500 STATE_PARENT_R2 
(received v2I2, PARENT SA established); EVENT_SA_REPLACE in 4543s; 
isakmp#0; idle; import:respond to stranger
000 #1: "router-2.reub.net"[1] 1.144.41.171 ref=0 refhim=0 Traffic:
000 #9181: "router-2.reub.net"[1] 1.144.41.171:500 STATE_PARENT_I1 (sent 
v2I1, expected v2R1); EVENT_v2_RETRANSMIT in 2s; idle; import:respond to 
stranger
000 #9184: "router-2.reub.net"[1] 1.144.41.171:500 STATE_PARENT_I1 (sent 
v2I1, expected v2R1); EVENT_v2_RETRANSMIT in 2s; idle; import:respond to 
stranger
000 #9182: "router-2.reub.net"[1] 1.144.41.171:500 STATE_PARENT_I1 (sent 
v2I1, expected v2R1); EVENT_v2_RETRANSMIT in 2s; idle; import:respond to 
stranger
000 #9178: "router-2.reub.net"[2] 1.144.70.156:4500 STATE_PARENT_R2 
(received v2I2, PARENT SA established); EVENT_SA_REPLACE in 86120s; 
newest ISAKMP; isakmp#0; idle; import:respond to stranger
000 #9178: "router-2.reub.net"[2] 1.144.70.156 ref=0 refhim=0 Traffic:
000 #9052: "router-2.reub.net"[2] 1.144.70.156:4500 STATE_PARENT_R2 
(received v2I2, PARENT SA established); EVENT_SA_REPLACE in 85095s; 
isakmp#0; idle; import:respond to stranger
000 #9052: "router-2.reub.net"[2] 1.144.70.156 ref=0 refhim=0 Traffic:
000 #9045: "router-2.reub.net"[2] 1.144.70.156:4500 STATE_PARENT_R2 
(received v2I2, PARENT SA established); EVENT_SA_REPLACE in 85033s; 
isakmp#0; idle; import:respond to stranger
000 #9045: "router-2.reub.net"[2] 1.144.70.156 ref=0 refhim=0 Traffic:
000 #8789: "router-2.reub.net"[2] 1.144.70.156:4500 STATE_PARENT_R2 
(received v2I2, PARENT SA established); EVENT_SA_REPLACE in 83131s; 
isakmp#0; idle; import:respond to stranger
000 #8789: "router-2.reub.net"[2] 1.144.70.156 ref=0 refhim=0 Traffic:

So there are some 1810 SAs in total - all authenticated but there is 
only one active client (my Cisco router).

At this point there is no connectivity to the client and the link is down.

As the client is on a cellular link that is NATted it seems to be common 
for the SAs to renegotiate frequently, and this normally works 
(although it's not optimal).

After restarting pluto everything looks great again:

000 State Information: DDoS cookies not required, Accepting new IKE 
connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)

Reuben
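A small monitoring check for the symptom reported in this message, added here as an example; it is neither libreswan's code nor the poster's. It parses the counter lines and the per-state lines of `ipsec status` output (the sample below is a constructed excerpt in the shape of the output quoted above, with only IPv4 peers), counts established parent SAs per peer, and flags the three signs of leakage visible in the report: an IKE SA total far above the number of clients, authenticated IKE SAs with no IPsec SAs at all, and one peer address holding several established parent SAs. The thresholds are assumptions chosen for illustration, not libreswan settings.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a trimmed excerpt in the shape of the `ipsec status`
# output quoted in the report (SA counters plus a few state lines).
SAMPLE_STATUS = """\
000 IKE SAs: total(1810), half-open(5), open(0), authenticated(1805), anonymous(0)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)
000 #9183: "router-2.reub.net"[1] 1.144.41.171:500 STATE_PARENT_I1 (sent v2I1, expected v2R1); EVENT_v2_RETRANSMIT in 2s; idle; import:respond to stranger
000 #1: "router-2.reub.net"[1] 1.144.41.171:4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 4543s; isakmp#0; idle; import:respond to stranger
000 #1: "router-2.reub.net"[1] 1.144.41.171 ref=0 refhim=0 Traffic:
000 #9178: "router-2.reub.net"[2] 1.144.70.156:4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 86120s; newest ISAKMP; isakmp#0; idle; import:respond to stranger
000 #9178: "router-2.reub.net"[2] 1.144.70.156 ref=0 refhim=0 Traffic:
000 #9052: "router-2.reub.net"[2] 1.144.70.156:4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 85095s; isakmp#0; idle; import:respond to stranger
000 #9052: "router-2.reub.net"[2] 1.144.70.156 ref=0 refhim=0 Traffic:
000 #9045: "router-2.reub.net"[2] 1.144.70.156:4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 85033s; isakmp#0; idle; import:respond to stranger
000 #9045: "router-2.reub.net"[2] 1.144.70.156 ref=0 refhim=0 Traffic:
"""

# Counter lines as printed by pluto's status output.
IKE_TOTALS_RE = re.compile(
    r"^000 IKE SAs: total\((\d+)\), half-open\((\d+)\), open\((\d+)\), authenticated\((\d+)\)")
IPSEC_TOTALS_RE = re.compile(r"^000 IPsec SAs: total\((\d+)\)")
# State lines: '000 #<num>: "<conn>"[<instance>] <peer>:<port> STATE_xxx ...'.
# Assumes IPv4 peer addresses; the trailing "Traffic:" lines have no port and
# no STATE_ token, so they do not match.
STATE_RE = re.compile(r'^000 #(\d+): "([^"]+)"(\[\d+\])? (\S+?):(\d+) (STATE_\w+)')


def parse_status(text):
    """Extract SA totals and a per-peer Counter of IKE state names."""
    totals = {"ike_total": 0, "ike_half_open": 0, "ike_open": 0,
              "ike_authenticated": 0, "ipsec_total": 0}
    per_peer = defaultdict(Counter)
    for line in text.splitlines():
        m = IKE_TOTALS_RE.match(line)
        if m:
            (totals["ike_total"], totals["ike_half_open"],
             totals["ike_open"], totals["ike_authenticated"]) = map(int, m.groups())
            continue
        m = IPSEC_TOTALS_RE.match(line)
        if m:
            totals["ipsec_total"] = int(m.group(1))
            continue
        m = STATE_RE.match(line)
        if m:
            peer, state = m.group(4), m.group(6)
            per_peer[peer][state] += 1
    return {"totals": totals, "per_peer": dict(per_peer)}


def find_leaks(parsed, max_parent_per_peer=2, max_ike_total=100):
    """Return human-readable findings; thresholds are illustrative assumptions."""
    findings = []
    t = parsed["totals"]
    if t["ike_total"] > max_ike_total:
        findings.append(f"IKE SA total {t['ike_total']} exceeds {max_ike_total}")
    # Authenticated parent SAs that carry no child (IPsec) SA are doing nothing.
    if t["ike_authenticated"] > 0 and t["ipsec_total"] == 0:
        findings.append(
            f"{t['ike_authenticated']} authenticated IKE SAs but no IPsec SAs")
    for peer, states in sorted(parsed["per_peer"].items()):
        established = states.get("STATE_PARENT_R2", 0)
        if established > max_parent_per_peer:
            findings.append(
                f"peer {peer}: {established} established parent SAs "
                f"(expected at most {max_parent_per_peer})")
    return findings


if __name__ == "__main__":
    # In production feed it the live output, e.g. the text of `ipsec status`.
    for finding in find_leaks(parse_status(SAMPLE_STATUS)):
        print("WARN:", finding)
```

Run periodically and alert on any finding; a healthy state like the post-restart output in this message (total 1, authenticated 1, one IPsec SA) produces none, while the leaked state produces all three.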