[Swan] Lost traffic in GRE tunnel (reassociation?)

Adam Tauno Williams awilliam at whitemice.org
Thu Aug 23 19:14:15 UTC 2018


I have a collection of sites connected to a CentOS7 LibreSWAN server
via IPSEC protected GRE tunnels.  The remote device is a Cisco 891F
router.

libreswan-3.20-5.el7_4.x86_64
Linux 3.10.0-693.11.1.el7.x86_64

It works!  Very well actually, even with the slightly complicated
routing we have.

One problem - it appears when the connection renegotiates the remote
site experiences packet loss of tunneled traffic.

I believe this occurs when the server receives a delete-sa, when the sa
expires. ???

The drops correlate to the following bursts in the log file on the
LibreSWAN server:

15:02:38 pluto[29909]: "IPSEC-1" #22017: received Delete SA(0x26d2704e) payload: deleting IPSEC State #22019
15:02:38 pluto[29909]: "IPSEC-1" #22017: deleting other state #22019 (STATE_QUICK_I2) "IPSEC-1"
15:02:38 pluto[29909]: "IPSEC-1" #22017: ESP traffic information: in=0B out=0B
15:02:38 pluto[29909]: "IPSEC-1" #22020: deleting state (STATE_QUICK_R0)
15:02:38 pluto[29909]: "IPSEC-1" #22018: deleting state (STATE_QUICK_R0)
15:02:38 pluto[29909]: "IPSEC-1" #22017: deleting state (STATE_MAIN_R3)
15:02:38 pluto[29909]: packet from A.B.C.D:500: received and ignored empty informational notification payload
15:02:46 pluto[29909]: "IPSEC-1" #22021: responding to Main Mode
15:02:46 pluto[29909]: "IPSEC-1" #22021: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
15:02:46 pluto[29909]: "IPSEC-1" #22021: STATE_MAIN_R1: sent MR1, expecting MI2
15:02:46 pluto[29909]: "IPSEC-1" #22021: ignoring unknown Vendor ID payload [95cc749deb2867b973ae56ab42a934cb]
15:02:46 pluto[29909]: "IPSEC-1" #22021: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
15:02:46 pluto[29909]: "IPSEC-1" #22021: STATE_MAIN_R2: sent MR2, expecting MI3
15:02:46 pluto[29909]: "IPSEC-1" #22021: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
15:02:46 pluto[29909]: | ISAKMP Notification Payload
15:02:46 pluto[29909]: |   00 00 00 1c  00 00 00 01  01 10 60 02
15:02:46 pluto[29909]: "IPSEC-1" #22021: Main mode peer ID is ID_IPV4_ADDR: 'A.B.C.D'
15:02:46 pluto[29909]: "IPSEC-1" #22021: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
15:02:46 pluto[29909]: "IPSEC-1" #22021: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP1536}
15:02:46 pluto[29909]: "IPSEC-1" #22021: the peer proposed: L.M.O.P/32:47/0 -> A.B.C.D/32:47/0
15:02:46 pluto[29909]: "IPSEC-1" #22022: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION
15:02:56 pluto[29909]: "IPSEC-1" #22022: next payload type of ISAKMP Hash Payload has an unknown value: 59 (0x3b)
15:02:56 pluto[29909]: "IPSEC-1" #22022: malformed payload in packet
15:03:06 pluto[29909]: "IPSEC-1" #22022: next payload type of ISAKMP Hash Payload has an unknown value: 59 (0x3b)
15:03:06 pluto[29909]: "IPSEC-1" #22022: malformed payload in packet
15:03:16 pluto[29909]: "IPSEC-1" #22021: the peer proposed: L.M.O.P/32:47/0 -> A.B.C.D/32:47/0
15:03:16 pluto[29909]: "IPSEC-1" #22023: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION
15:03:16 pluto[29909]: "IPSEC-1" #22022: next payload type of ISAKMP Hash Payload has an unknown value: 59 (0x3b)
15:03:16 pluto[29909]: "IPSEC-1" #22022: malformed payload in packet
15:03:26 pluto[29909]: "IPSEC-1" #22023: byte 2 of ISAKMP Hash Payload should have been zero, but was not (ignored)
15:03:26 pluto[29909]: "IPSEC-1" #22023: length of ISAKMP Hash Payload is larger than can fit
15:03:26 pluto[29909]: "IPSEC-1" #22023: malformed payload in packet
15:03:26 pluto[29909]: "IPSEC-1" #22022: next payload type of ISAKMP Hash Payload has an unknown value: 59 (0x3b)
15:03:26 pluto[29909]: "IPSEC-1" #22022: malformed payload in packet
15:03:36 pluto[29909]: "IPSEC-1" #22023: byte 2 of ISAKMP Hash Payload should have been zero, but was not (ignored)
15:03:36 pluto[29909]: "IPSEC-1" #22023: length of ISAKMP Hash Payload is larger than can fit
15:03:36 pluto[29909]: "IPSEC-1" #22023: malformed payload in packet
15:03:36 pluto[29909]: "IPSEC-1" #22022: next payload type of ISAKMP Hash Payload has an unknown value: 59 (0x3b)
15:03:36 pluto[29909]: "IPSEC-1" #22022: malformed payload in packet
15:03:46 pluto[29909]: "IPSEC-1" #22023: byte 2 of ISAKMP Hash Payload should have been zero, but was not (ignored)
15:03:46 pluto[29909]: "IPSEC-1" #22023: length of ISAKMP Hash Payload is larger than can fit
15:03:46 pluto[29909]: "IPSEC-1" #22023: malformed payload in packet
15:03:46 pluto[29909]: "IPSEC-1" #22021: received Delete SA payload: self-deleting ISAKMP State #22021
15:03:46 pluto[29909]: "IPSEC-1" #22021: deleting state (STATE_MAIN_R3)
15:03:46 pluto[29909]: "IPSEC-1" #22021: reschedule pending Phase 2 of connection"IPSEC-1" state #22023: - the parent is going away
15:03:46 pluto[29909]: "IPSEC-1" #22021: reschedule pending Phase 2 of connection"IPSEC-1" state #22022: - the parent is going away
15:03:46 pluto[29909]: packet from A.B.C.D:500: received and ignored empty informational notification payload
15:03:46 pluto[29909]: "IPSEC-1" #22024: initiating Main Mode
15:03:46 pluto[29909]: "IPSEC-1" #22023: deleting state (STATE_QUICK_R0)
15:03:46 pluto[29909]: "IPSEC-1" #22022: deleting state (STATE_QUICK_R0)
15:03:46 pluto[29909]: "IPSEC-1" #22024: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
15:03:46 pluto[29909]: "IPSEC-1" #22024: STATE_MAIN_I2: sent MI2, expecting MR2
15:03:46 pluto[29909]: "IPSEC-1" #22024: ignoring unknown Vendor ID payload [68ff031256abeef8441c9729ca3cdd5f]
15:03:46 pluto[29909]: "IPSEC-1" #22024: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
15:03:46 pluto[29909]: "IPSEC-1" #22024: STATE_MAIN_I3: sent MI3, expecting MR3
15:03:46 pluto[29909]: "IPSEC-1" #22024: Main mode peer ID is ID_IPV4_ADDR: 'A.B.C.D'
15:03:46 pluto[29909]: "IPSEC-1" #22024: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
15:03:46 pluto[29909]: "IPSEC-1" #22024: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP1536}
15:03:46 pluto[29909]: "IPSEC-1" #22025: initiating Quick Mode PSK+ENCRYPT+PFS+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#22024 msgid:75b9737f proposal=defaults pfsgroup=MODP1536}
15:03:46 pluto[29909]: "IPSEC-1" #22025: ignoring informational payload IPSEC_RESPONDER_LIFETIME, msgid=75b9737f, length=40
15:03:46 pluto[29909]: | ISAKMP Notification Payload
15:03:46 pluto[29909]: |   00 00 00 28  00 00 00 01  03 04 60 00

-- 
Adam Tauno Williams <mailto:awilliam at whitemice.org> GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA
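
Added example, not part of the original post and not LibreSWAN code: a small parser that measures, per connection, the window between a peer-initiated IPsec SA delete and the server's next Quick Mode initiation, and counts the rejected Quick Mode attempts inside it, so the log bursts can be lined up with the observed packet loss. It assumes the time-only prefix and message texts shown in the post, one event per line, no midnight rollover inside a window, and a hypothetical function name `rekey_gaps`; the sample lines are constructed from the post's format.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the log format in the post above
# (one event per line, shortened; not a verbatim capture).
SAMPLE = '''\
15:02:38 pluto[29909]: "IPSEC-1" #22017: received Delete SA(0x26d2704e) payload: deleting IPSEC State #22019
15:02:38 pluto[29909]: "IPSEC-1" #22017: deleting state (STATE_MAIN_R3)
15:02:46 pluto[29909]: "IPSEC-1" #22021: responding to Main Mode
15:02:46 pluto[29909]: "IPSEC-1" #22022: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION
15:02:56 pluto[29909]: "IPSEC-1" #22022: malformed payload in packet
15:03:06 pluto[29909]: "IPSEC-1" #22022: malformed payload in packet
15:03:16 pluto[29909]: "IPSEC-1" #22023: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION
15:03:26 pluto[29909]: "IPSEC-1" #22023: malformed payload in packet
15:03:46 pluto[29909]: "IPSEC-1" #22024: initiating Main Mode
15:03:46 pluto[29909]: "IPSEC-1" #22025: initiating Quick Mode PSK+ENCRYPT+PFS
15:10:00 pluto[29909]: "IPSEC-2" #22030: malformed payload in packet
'''

# time, connection name, state number, message text
LINE = re.compile(r'^(\d\d:\d\d:\d\d) pluto\[\d+\]: "([^"]+)" #(\d+): (.*)$')

def rekey_gaps(text):
    """Return one dict per window from a peer's IPsec SA delete to our next Quick Mode."""
    open_win, done = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # payload dumps and lines without a connection name
        ts, conn, _state, msg = m.groups()
        t = datetime.strptime(ts, "%H:%M:%S")
        win = open_win.get(conn)
        if msg.startswith("received Delete SA(") and "deleting IPSEC State" in msg:
            open_win.setdefault(conn, {"conn": conn, "start": ts, "t0": t,
                                       "pfs_mismatch": 0, "malformed": 0})
        elif win is None:
            continue  # errors outside a delete-to-rekey window are not counted
        elif msg.startswith("we require PFS but Quick I1"):
            win["pfs_mismatch"] += 1
        elif msg == "malformed payload in packet":
            win["malformed"] += 1
        elif msg.startswith("initiating Quick Mode"):
            win["end"] = ts
            win["seconds"] = int((t - win.pop("t0")).total_seconds())
            done.append(open_win.pop(conn))
    return done

if __name__ == "__main__":
    for w in rekey_gaps(SAMPLE):
        print(w)
```

The window closes at Quick Mode initiation, so the reported duration is a lower bound on the time without a usable IPsec SA.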

