[Swan] ipsec tunnel connections not set up for over 200 connections

Balaji Meenakshisundaram -X (bameenak - HCL TECHNOLOGIES LIMITED at Cisco) bameenak at cisco.com
Sat Aug 5 10:48:04 UTC 2017


Hi-

I have installed libreswan 3.15 (3.15-7.3.el6) in a Centos 6.8 (based on kernel 2.6.32-642.15.1.el6.x86_64) and Red Hat Linux 6.7 (2.6.32-696.6.3.el6.x86_64).
ipsec Tunnel is set up using certificates.

In our deployment scenario, Host 1 has multiple sub-interfaces, and for each sub-interface we have a virtual device associated.
I manage these virtual devices from Host 2 through the ipsec tunnel.

I am able to see the tunnel established between host1 and host2.

When I attempt to import data for over 200 devices so that tunnel connections get established,
I am observing the following log messages in the ipsec log file:

Aug  4 21:46:02: packet from 15.1.1.91:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug  4 21:46:02: | find_host_connection me=10.78.29.212:500 him=15.1.1.91:500 policy=IKEV1_ALLOW
Aug  4 21:46:02: | find_host_pair_conn (find_host_connection): 10.78.29.212:500 15.1.1.91:500 -> hp:none
Aug  4 21:46:02: packet from 15.1.1.91:500: initial Main Mode message received on 10.78.29.212:500 but no connection has been authorized with policy RSASIG+IKEV1_ALLOW
Aug  4 21:46:03: | *received 184 bytes from 15.1.1.91:500 on eth0 (port=500)
Aug  4 21:46:03: packet from 15.1.1.91:500: received Vendor ID payload [Dead Peer Detection]
Aug  4 21:46:03: packet from 15.1.1.91:500: received Vendor ID payload [FRAGMENTATION]
Aug  4 21:46:03: packet from 15.1.1.91:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Aug  4 21:46:03: packet from 15.1.1.91:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug  4 21:46:03: packet from 15.1.1.91:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug  4 21:46:03: | find_host_connection me=10.78.29.212:500 him=15.1.1.91:500 policy=IKEV1_ALLOW
Aug  4 21:46:03: | find_host_pair_conn (find_host_connection): 10.78.29.212:500 15.1.1.91:500 -> hp:none
Aug  4 21:46:03: packet from 15.1.1.91:500: initial Main Mode message received on 10.78.29.212:500 but no connection has been authorized with policy RSASIG+IKEV1_ALLOW
Aug  4 21:46:03: | *received 184 bytes from 15.1.1.91:500 on eth0 (port=500)
Aug  4 21:46:03: packet from 15.1.1.91:500: received Vendor ID payload [Dead Peer Detection]
Aug  4 21:46:03: packet from 15.1.1.91:500: received Vendor ID payload [FRAGMENTATION]

and the tunnel does not get set up:
packet from 15.1.1.91:500: initial Main Mode message received on 10.78.29.212:500 but no connection has been authorized with policy RSASIG+IKEV1_ALLOW

I attempted searching for the above in the ipsec mail threads but could not locate why this message is seen.

As mentioned, this message is not observed when the number of virtual devices being managed is 200. Tunnel connections are also fine in that case.

Following are the connection sections from the ipsec configuration file:

[root at host1]/etc/ipsec.d/policies# grep include /etc/ipsec.conf
          # Note: "crypt" is not included with "all", as it can show confidential
include /etc/ipsec.d/*.conf
[root at host1]/etc/ipsec.d/policies#

[root at Host2]/etc/ipsec.d# cat pi.secrets
: RSA "user1"
[root at host1]/etc/ipsec.d#

Extract from the ipsec conf file on Host 1:

conn snmp_15.1.1.91
    type=transport
    ike=aes256-sha1;modp2048
    phase2alg=aes256-sha1;modp2048
    authby=rsasig
    ike-frag=yes
    nat-ikev1-method=drafts
    auto=start
    keyingtries=%forever
    dpdaction=restart
    dpddelay=86400
    dpdtimeout=86400
# left side configuration
    leftid=%fromcert
    left=15.1.1.91
    leftprotoport=udp/161
    leftcert="user1"
    leftrsasigkey=%cert
    leftsendcert=always

#right configuration - PI
    rightid="C=in, ST=nd, L=noi, O=abc, OU=def, CN=host2.company.com"
    right=10.78.29.212
    rightprotoport=udp
    rightrsasigkey=%cert
    rightsendcert=always

Extract from the ipsec conf file on Host 2 that gets generated automatically after tunnel establishment:
conn Device_snmp_15.1.1.1
    type=transport
    ike=aes256-sha1;modp2048
    phase2alg=aes256-sha1;modp2048
    authby=rsasig
    ike-frag=yes
    nat-ikev1-method=drafts
    auto=start
    keyingtries=%forever
    dpdaction=restart
    forceencaps=yes
# left configuration - server
    leftid=%fromcert
    left=10.78.29.212
    leftprotoport=udp
    leftcert="tomcat"
    leftrsasigkey=%cert
    leftsendcert=always
#right configuration - device
    rightid="C=in, ST=nd, L=noi, O=abc, OU=def, CN=host1.company.com, E=user1 at company.com"
    right=15.1.1.91
    rightprotoport=udp/161
    rightrsasigkey=%cert
    rightsendcert=always

We have an exact replica of the above sections for SNMP trap as well.

Could someone please clarify why we are observing failed tunnel setup with this configuration when the number of virtual devices is above 200?
Is there any issue with the above ipsec configuration?

Regards,
Bala
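The quoted trace shows libreswan looking up a host pair for 10.78.29.212 <-> 15.1.1.91 (find_host_pair_conn ... -> hp:none) and then rejecting the peer's first Main Mode message with "no connection has been authorized". A quick way to see which peers are being rejected, and whether a loaded conn section actually covers their left/right addresses, is to correlate the log with the conn files. The script below is an added example for that check, not code from the post or from libreswan: it parses the pluto log lines in the format quoted above, parses conn sections from ipsec.conf-style text, and lists rejected peers that have no conn with a matching address pair. Both the log excerpt and the conf text are constructed samples (the 15.1.1.92 entries are invented to show a peer that is covered by a conn), and the regular expressions are assumptions tuned to the quoted log format.

```python
import re
from collections import Counter

# Constructed sample log lines, modelled on the pluto lines quoted in the post.
# The 15.1.1.92 lines are invented to show a peer that does have a conn loaded.
SAMPLE_LOG = """\
Aug  4 21:46:02: packet from 15.1.1.91:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug  4 21:46:02: | find_host_connection me=10.78.29.212:500 him=15.1.1.91:500 policy=IKEV1_ALLOW
Aug  4 21:46:02: | find_host_pair_conn (find_host_connection): 10.78.29.212:500 15.1.1.91:500 -> hp:none
Aug  4 21:46:02: packet from 15.1.1.91:500: initial Main Mode message received on 10.78.29.212:500 but no connection has been authorized with policy RSASIG+IKEV1_ALLOW
Aug  4 21:46:03: | find_host_connection me=10.78.29.212:500 him=15.1.1.91:500 policy=IKEV1_ALLOW
Aug  4 21:46:03: packet from 15.1.1.91:500: initial Main Mode message received on 10.78.29.212:500 but no connection has been authorized with policy RSASIG+IKEV1_ALLOW
Aug  4 21:46:03: packet from 15.1.1.92:500: initial Main Mode message received on 10.78.29.212:500 but no connection has been authorized with policy RSASIG+IKEV1_ALLOW
"""

# Constructed conn sections in the same style as the post's ipsec.conf extracts.
SAMPLE_CONF = """\
conn Device_snmp_15.1.1.92
    type=transport
    authby=rsasig
    auto=start
# left configuration - server
    left=10.78.29.212
    leftprotoport=udp
# right configuration - device
    right=15.1.1.92
    rightprotoport=udp/161

conn Device_trap_15.1.1.92
    left=10.78.29.212
    right=15.1.1.92
"""

# Assumed pattern for the "no connection has been authorized" rejection line.
UNAUTH_RE = re.compile(
    r"packet from (?P<peer>[\d.]+):\d+: initial (?P<mode>Main|Aggressive) Mode message "
    r"received on (?P<local>[\d.]+):\d+ but no connection has been authorized "
    r"with policy (?P<policy>\S+)"
)
CONN_RE = re.compile(r"^conn\s+(\S+)\s*$")
KV_RE = re.compile(r"^\s+(\w[\w-]*)\s*=\s*(.*?)\s*$")


def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text (conn sections only)."""
    conns = {}
    current = None
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].rstrip()  # drop comments and blank lines
        if not stripped:
            continue
        m = CONN_RE.match(stripped)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        m = KV_RE.match(stripped)
        if m and current is not None:
            conns[current][m.group(1)] = m.group(2).strip('"')
    return conns


def host_pairs(conns):
    """Set of (local, remote) address pairs covered by the conns, in both orientations."""
    pairs = set()
    for cfg in conns.values():
        left, right = cfg.get("left"), cfg.get("right")
        if left and right:
            pairs.add((left, right))
            pairs.add((right, left))
    return pairs


def unauthorized_peers(log_text):
    """Count rejected initial IKEv1 exchanges per (local address, peer address, policy)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = UNAUTH_RE.search(line)
        if m:
            counts[(m.group("local"), m.group("peer"), m.group("policy"))] += 1
    return counts


def missing_conns(log_text, conf_text):
    """Rejected (local, peer) pairs for which no conn section has a matching left/right."""
    pairs = host_pairs(parse_conns(conf_text))
    missing = Counter()
    for (local, peer, _policy), n in unauthorized_peers(log_text).items():
        if (local, peer) not in pairs:
            missing[(local, peer)] += n
    return missing


if __name__ == "__main__":
    for (local, peer), n in sorted(missing_conns(SAMPLE_LOG, SAMPLE_CONF).items()):
        print(f"{peer} -> {local}: {n} rejected attempt(s), no conn with matching left/right")
```

Feeding the real pluto log and the contents of /etc/ipsec.d/*.conf into missing_conns separates peers for which no conn file exists at all from peers that have a conn on disk but are still rejected; the second group is where to look at whether the conn was actually loaded by pluto and whether its left/right and ID settings match the peer.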