[Swan] SELinux labeled ipsec

Jeff Becker jeffrey.c.becker at nasa.gov
Wed Feb 8 17:45:54 UTC 2017 

On 02/07/2017 05:30 PM, Paul Wouters wrote:
> On Tue, 7 Feb 2017, Jeff Becker wrote:
> Could this be the problem?
>> #grep errno /var/log/secure
>> Feb  7 23:20:15 dtn1 pluto[4320]: "dtsd-tunnel" #1: ERROR: netlink 
>> response for Del SA esp.71664063 at 198.9.7.198 included errno 3: No 
>> such process
>
> That shows an IPsec SA that it expected to be there to be deleted was
> not there.  That is odd, and I would expect to see an earlier message
> about a problem?

The following sequence repeats several times in /var/log/secure. It does 
look like an SA is being deleted after several failed retransmits.

-jeff

Feb  8 17:40:07 dtn1 pluto[4320]: "dtsd-tunnel" #71: initiating Quick 
Mode 
RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW 
{using isakmp#70 msgid:89f15846 proposal=defaults 
pfsgroup=OAKLEY_GROUP_MODP2048}
Feb  8 17:40:07 dtn1 pluto[4320]: "dtsd-tunnel" #71: transition from 
state STATE_QUICK_I1 to state STATE_QUICK_I2
Feb  8 17:40:07 dtn1 pluto[4320]: "dtsd-tunnel" #71: STATE_QUICK_I2: 
sent QI2, IPsec SA established tunnel mode {ESP=>0x695041fd <0xbcdcc26c 
xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}
Feb  8 17:40:08 dtn1 pluto[4320]: "dtsd-tunnel" #71: retransmitting in 
response to duplicate packet; already STATE_QUICK_I2
Feb  8 17:40:08 dtn1 pluto[4320]: "dtsd-tunnel" #71: retransmitting in 
response to duplicate packet; already STATE_QUICK_I2
Feb  8 17:40:09 dtn1 pluto[4320]: "dtsd-tunnel" #71: discarding 
duplicate packet -- exhausted retransmission; already STATE_QUICK_I2
Feb  8 17:40:11 dtn1 pluto[4320]: "dtsd-tunnel" #71: discarding 
duplicate packet -- exhausted retransmission; already STATE_QUICK_I2
Feb  8 17:40:15 dtn1 pluto[4320]: "dtsd-tunnel" #71: discarding 
duplicate packet -- exhausted retransmission; already STATE_QUICK_I2
Feb  8 17:40:23 dtn1 pluto[4320]: "dtsd-tunnel" #71: discarding 
duplicate packet -- exhausted retransmission; already STATE_QUICK_I2
Feb  8 17:40:39 dtn1 pluto[4320]: "dtsd-tunnel" #71: discarding 
duplicate packet -- exhausted retransmission; already STATE_QUICK_I2
Feb  8 17:41:11 dtn1 pluto[4320]: "dtsd-tunnel" #70: received Delete SA 
payload: replace IPSEC State #71 in 25ms, letting old IPsec SA linger 
for 20 seconds
Feb  8 17:41:11 dtn1 pluto[4320]: "dtsd-tunnel" #70: received and 
ignored empty informational notification payload


>
> Paul

More information about the Swan mailing list