[Swan] ipsec tunnel connections not setup for over 200 connections
Balaji Meenakshisundaram -X (bameenak - HCL TECHNOLOGIES LIMITED at Cisco)
bameenak@cisco.com
Sat Aug 5 10:48:04 UTC 2017
Hi-
I have installed libreswan 3.15 (3.15-7.3.el6) on CentOS 6.8 (kernel 2.6.32-642.15.1.el6.x86_64) and Red Hat Linux 6.7 (2.6.32-696.6.3.el6.x86_64).
The ipsec tunnel is set up using certificates.
In our deployment scenario, Host 1 has multiple sub-interfaces, and for each sub-interface we have a virtual device associated.
I manage these virtual devices from Host 2 through the ipsec tunnel.
I am able to see the tunnel established between Host 1 and Host 2.
When I attempt to import data for over 200 devices so that tunnel connections get established,
I am observing the following log messages in the ipsec log file:
Aug 4 21:46:02: packet from 15.1.1.91:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug 4 21:46:02: | find_host_connection me=10.78.29.212:500 him=15.1.1.91:500 policy=IKEV1_ALLOW
Aug 4 21:46:02: | find_host_pair_conn (find_host_connection): 10.78.29.212:500 15.1.1.91:500 -> hp:none
Aug 4 21:46:02: packet from 15.1.1.91:500: initial Main Mode message received on 10.78.29.212:500 but no connection has been authorized with policy RSASIG+IKEV1_ALLOW
Aug 4 21:46:03: | *received 184 bytes from 15.1.1.91:500 on eth0 (port=500)
Aug 4 21:46:03: packet from 15.1.1.91:500: received Vendor ID payload [Dead Peer Detection]
Aug 4 21:46:03: packet from 15.1.1.91:500: received Vendor ID payload [FRAGMENTATION]
Aug 4 21:46:03: packet from 15.1.1.91:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Aug 4 21:46:03: packet from 15.1.1.91:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 4 21:46:03: packet from 15.1.1.91:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug 4 21:46:03: | find_host_connection me=10.78.29.212:500 him=15.1.1.91:500 policy=IKEV1_ALLOW
Aug 4 21:46:03: | find_host_pair_conn (find_host_connection): 10.78.29.212:500 15.1.1.91:500 -> hp:none
Aug 4 21:46:03: packet from 15.1.1.91:500: initial Main Mode message received on 10.78.29.212:500 but no connection has been authorized with policy RSASIG+IKEV1_ALLOW
Aug 4 21:46:03: | *received 184 bytes from 15.1.1.91:500 on eth0 (port=500)
Aug 4 21:46:03: packet from 15.1.1.91:500: received Vendor ID payload [Dead Peer Detection]
Aug 4 21:46:03: packet from 15.1.1.91:500: received Vendor ID payload [FRAGMENTATION]
and the tunnel does not get set up:
packet from 15.1.1.91:500: initial Main Mode message received on 10.78.29.212:500 but no connection has been authorized with policy RSASIG+IKEV1_ALLOW
I searched for the above message in the ipsec mailing list threads but could not find why it is seen.
As mentioned, this message is not observed when the number of virtual devices being managed is 200. Tunnel connections are also fine in that case.
Following are the connection sections from the ipsec configuration file:
[root@host1]/etc/ipsec.d/policies# grep include /etc/ipsec.conf
# Note: "crypt" is not included with "all", as it can show confidential
include /etc/ipsec.d/*.conf
[root@host1]/etc/ipsec.d/policies#
[root@Host2]/etc/ipsec.d# cat pi.secrets
: RSA "user1"
[root@host1]/etc/ipsec.d#
Extract from the ipsec conf file on Host 1:
conn snmp_15.1.1.91
    type=transport
    ike=aes256-sha1;modp2048
    phase2alg=aes256-sha1;modp2048
    authby=rsasig
    ike-frag=yes
    nat-ikev1-method=drafts
    auto=start
    keyingtries=%forever
    dpdaction=restart
    dpddelay=86400
    dpdtimeout=86400
    # left side configuration
    leftid=%fromcert
    left=15.1.1.91
    leftprotoport=udp/161
    leftcert="user1"
    leftrsasigkey=%cert
    leftsendcert=always
    # right configuration - PI
    rightid="C=in, ST=nd, L=noi, O=abc, OU=def, CN=host2.company.com"
    right=10.78.29.212
    rightprotoport=udp
    rightrsasigkey=%cert
    rightsendcert=always
Extract from the ipsec conf file on Host 2, which gets generated automatically after tunnel establishment:
conn Device_snmp_15.1.1.1
    type=transport
    ike=aes256-sha1;modp2048
    phase2alg=aes256-sha1;modp2048
    authby=rsasig
    ike-frag=yes
    nat-ikev1-method=drafts
    auto=start
    keyingtries=%forever
    dpdaction=restart
    forceencaps=yes
    # left configuration - server
    leftid=%fromcert
    left=10.78.29.212
    leftprotoport=udp
    leftcert="tomcat"
    leftrsasigkey=%cert
    leftsendcert=always
    # right configuration - device
    rightid="C=in, ST=nd, L=noi, O=abc, OU=def, CN=host1.company.com, E=user1@company.com"
    right=15.1.1.91
    rightprotoport=udp/161
    rightrsasigkey=%cert
    rightsendcert=always
We have an exact replica of the above sections for SNMP traps also.
Could someone please clarify why we are observing failed tunnel setup with this configuration when the number of virtual devices is above 200?
Is there any issue with the above ipsec configuration?
Regards,
Bala
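The log excerpt above shows the responder side (10.78.29.212) answering each Main Mode request with "find_host_pair_conn ... -> hp:none" followed by "no connection has been authorized": pluto found no loaded conn whose left/right host pair matches the incoming packet. A quick way to narrow that down across a few hundred generated stanzas is to correlate the rejected (local, peer) pairs in the log with the conn sections that exist in the config files, which separates "no stanza at all for this peer" from "stanza is in the file but was never added to the running pluto". The script below is an added example for that check; it is not code from the post or from libreswan. The conn stanzas and log lines embedded in it are constructed samples modelled on the ones above, and the peer 15.1.1.207 is a placeholder address.

```python
"""Correlate libreswan 'no connection has been authorized' log lines with the
conn stanzas present in an ipsec.conf / ipsec.d/*.conf dump.

Added example, not code from the original post or from libreswan. SAMPLE_CONF
and SAMPLE_LOG are constructed for illustration; 15.1.1.207 is a placeholder.
"""
import re
from collections import defaultdict

# Responder-side message pluto logs when find_host_connection() finds no loaded
# conn whose (left, right) host pair matches the incoming IKEv1 Main Mode packet.
NO_CONN_RE = re.compile(
    r"packet from (?P<peer>[\d.]+):\d+: initial Main Mode message received on "
    r"(?P<local>[\d.]+):\d+ but no connection has been authorized with policy "
    r"(?P<policy>\S+)"
)


def parse_conns(conf_text):
    """Return {conn_name: {option: value}} for every 'conn' section in the text.
    'config setup' sections and comments are skipped; quotes around values are dropped."""
    conns = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        if line.startswith("config "):
            current = None
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip().strip('"')
    return conns


def index_by_host_pair(conns):
    """(local_ip, peer_ip) -> [conn names]. Both orientations are indexed because
    this host may appear as either left or right in a stanza."""
    index = defaultdict(list)
    for name, opts in conns.items():
        left, right = opts.get("left"), opts.get("right")
        if left and right:
            index[(left, right)].append(name)
            index[(right, left)].append(name)
    return index


def find_unauthorized(log_text, conns):
    """One record per distinct (local, peer) pair that pluto rejected, with the
    number of rejected Main Mode attempts and any stanza in the files naming that pair."""
    index = index_by_host_pair(conns)
    hits = {}
    for line in log_text.splitlines():
        m = NO_CONN_RE.search(line)
        if not m:
            continue
        key = (m.group("local"), m.group("peer"))
        rec = hits.setdefault(key, {"local": key[0], "peer": key[1],
                                    "policy": m.group("policy"), "attempts": 0,
                                    "conns_in_files": index.get(key, [])})
        rec["attempts"] += 1
    return sorted(hits.values(), key=lambda r: (r["local"], r["peer"]))


def diagnose(records):
    """Classify each rejected host pair. A stanza that is in the files but was still
    rejected is one the running pluto has not loaded: conns only exist in the daemon
    once 'ipsec auto --add <name>' (or a restart) has read them."""
    out = []
    for r in records:
        cause = ("stanza present but not loaded in pluto" if r["conns_in_files"]
                 else "no stanza for this host pair")
        out.append((r["peer"], r["attempts"], cause))
    return out


# Constructed sample config: one stanza for 15.1.1.1 and one for 15.1.1.91.
SAMPLE_CONF = """\
# constructed sample, modelled on the stanzas in the post
conn Device_snmp_15.1.1.1
\ttype=transport
\tauthby=rsasig
\tleft=10.78.29.212
\tleftprotoport=udp
\tright=15.1.1.1
\trightprotoport=udp/161
\tauto=start

conn Device_snmp_15.1.1.91
\ttype=transport
\tleft=10.78.29.212
\tright=15.1.1.91
\tauto=start
"""

# Constructed sample log: two rejects from 15.1.1.91, one from a placeholder peer.
SAMPLE_LOG = """\
Aug 4 21:46:02: packet from 15.1.1.91:500: initial Main Mode message received on 10.78.29.212:500 but no connection has been authorized with policy RSASIG+IKEV1_ALLOW
Aug 4 21:46:03: packet from 15.1.1.91:500: received Vendor ID payload [Dead Peer Detection]
Aug 4 21:46:03: packet from 15.1.1.91:500: initial Main Mode message received on 10.78.29.212:500 but no connection has been authorized with policy RSASIG+IKEV1_ALLOW
Aug 4 21:46:05: packet from 15.1.1.207:500: initial Main Mode message received on 10.78.29.212:500 but no connection has been authorized with policy RSASIG+IKEV1_ALLOW
"""

if __name__ == "__main__":
    records = find_unauthorized(SAMPLE_LOG, parse_conns(SAMPLE_CONF))
    for peer, attempts, cause in diagnose(records):
        print(f"{peer}: {attempts} rejected Main Mode attempt(s): {cause}")
```

On a real host, feed it `cat /etc/ipsec.conf /etc/ipsec.d/*.conf` and the pluto log instead of the embedded samples, and compare the "present but not loaded" peers against `ipsec auto --status` on the responder; a stanza that is in the file but absent from the status output has not been added to the daemon.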