[Swan] mis-matched phase 2 settings cause infinite rekeys, high load, and broad failure across unrelated tunnels
Paul Wouters
paul at nohats.ca
Wed Sep 5 02:03:29 UTC 2018
On Tue, 4 Sep 2018, Terell Moore wrote:
> Hello,
> I've been running into an issue with Linux Libreswan 3.23 where occasionally, mis-matched phase 2
> algorithms between my Libreswan instance and a remote peer causes the Libreswan instance to enter an
> infinite cycle of rekeys.
Please do test if this is resolved in 3.25 as it contains various
improvements to the rekeying code.
> This behavior has been observed when the following properties have been mis-matched:
> - left/rightsubnets
Yes, there was an issue with shared IKE SAs as well, which you get when
using the plural subnets=
> We've tried several options in the connection config such as rekey, rekeymargin, rekeyfuzz, and
> keyingtries to no avail.
>
> Is there a setting in Libreswan that will allow us to limit the amount of rekeys that will be attempted?
Yes, keyingtries of non-zero. But then your tunnel just remains down
which is also not what you want.
> Sep 4 13:19:53 ip-172-20-114-174 pluto[27097]: "connection-name/2x2" #3608936: initiating Quick Mode
> PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#3608932
> msgid:baf7a9cf proposal=AES_CBC_256-HMAC_SHA1_96-MODP1024 pfsgroup=no-pfs}
> Sep 4 13:19:53 ip-172-20-114-174 pluto[27097]: "connection-name/2x2" #3608932: received and ignored
> informational message
> Sep 4 13:19:53 ip-172-20-114-174 pluto[27097]: "connection-name/2x2" #3608932: ignoring informational
> payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=32
So a subnets= mismatch with the other end?
> Sep 4 13:19:53 ip-172-20-114-174 pluto[27097]: "connection-name/2x2" #3608932: received and ignored
> informational message
> Sep 4 13:19:53 ip-172-20-114-174 pluto[27097]: "connection-name/2x2" #3608932: ignoring informational
> payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=32
> Sep 4 13:19:53 ip-172-20-114-174 pluto[27097]: "connection-name/2x2" #3608932: received and ignored
> informational message
> Sep 4 13:19:53 ip-172-20-114-174 pluto[27097]: "connection-name/2x2" #3608932: ignoring informational
> payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=32
> Sep 4 13:19:53 ip-172-20-114-174 pluto[27097]: "connection-name/2x2" #3608932: received and ignored
> informational message
> Sep 4 13:19:53 ip-172-20-114-174 pluto[27097]: "connection-name/2x2" #3608932: ignoring informational
> payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=32
> Sep 4 13:19:53 ip-172-20-114-174 pluto[27097]: "connection-name/2x2" #3608932: received and ignored
> informational message
Not sure why it told you so many times? Possibly because you have more
subnets= being negotiated that are not matching either?
> Sep 4 13:19:53 ip-172-20-114-174 pluto[27097]: "connection-name/2x2" #3608932: received Delete SA
> payload: self-deleting ISAKMP State #3608932
Then they deleted the IKE SA.
> Sep 4 13:19:53 ip-172-20-114-174 pluto[27097]: "connection-name/2x2" #3608937: initiating Main Mode
And libreswan starts again.
The only thing that confuses me is why you say this only happens
sometimes?
But as I said, please try 3.25 and see if that resolves the issue
already?
Paul
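A defender-side check for the pattern in the log quoted above (an added example, not code from this thread or from Libreswan): it parses pluto lines of the quoted shape, flags an IKE SA that collects repeated NO_PROPOSAL_CHOSEN notifications within a short window, and counts the Main Mode restarts that follow. The line regex, the thresholds and the constructed sample lines are assumptions modelled on the quoted log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Shape of the pluto lines quoted in the thread: syslog timestamp, host, pluto[pid],
# quoted connection name, state number (#NNN), then the message text (assumed format).
LINE_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
                     r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')

def parse_line(line, year=2018):
    """Return (timestamp, connection, state, message), or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["conn"], int(m["state"]), m["msg"]

def find_rekey_storms(lines, threshold=3, window_s=60):
    """Flag connections whose IKE SA collects >= threshold NO_PROPOSAL_CHOSEN
    notifications within window_s seconds: Quick Mode keeps being retried against
    a peer that rejects the phase 2 proposal. Also counts Main Mode restarts."""
    rejects = defaultdict(list)   # (conn, IKE state) -> reject timestamps
    restarts = defaultdict(int)   # conn -> "initiating Main Mode" count
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, conn, state, msg = parsed
        if "NO_PROPOSAL_CHOSEN" in msg:
            rejects[(conn, state)].append(ts)
        elif msg.startswith("initiating Main Mode"):
            restarts[conn] += 1
    storms = {}
    for (conn, state), stamps in rejects.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):   # sliding window over rejects
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_s:
                storms[conn] = {"ike_sa": state, "rejects": len(stamps),
                                "main_mode_restarts": restarts[conn]}
                break
    return storms

# Constructed sample modelled on the lines quoted above (not a real capture).
_PFX = 'Sep 4 13:19:53 host pluto[27097]: "connection-name/2x2" '
SAMPLE_LOG = [_PFX + '#3608932: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=32'] * 4 + [
    _PFX + '#3608932: received Delete SA payload: self-deleting ISAKMP State #3608932',
    _PFX + '#3608937: initiating Main Mode',
    'Sep 4 13:20:10 host pluto[27097]: "other-conn" #12: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=32',
]
```

Run `find_rekey_storms(SAMPLE_LOG)` to see the flagged connection; a single rejection on another connection is not reported, so the check distinguishes a stuck rekey loop from an ordinary one-off rejection.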