[Swan] Frequent dropped connections and martian source

Andrew Cagney andrew.cagney at gmail.com
Wed May 22 01:03:03 UTC 2019


FYI,

libreswan 3.28 will likely land in Fedora 29 over the coming days.  While
I suspect it doesn't address:

> May 21 20:14:21.606083: "orion-cyclops/1x1" #2019: initiate rekey of
> IKEv2 CREATE_CHILD_SA IKE Rekey
> May 21 20:14:21.607453: "orion-cyclops/1x1" #2028: message id
> deadlock? wait sending, add to send next list using parent #2019
> unacknowledged 2 next message id=2 ike exchange window 1
> May 21 20:17:41.608603: "orion-cyclops/1x1" #2028: deleting state
> (STATE_V2_REKEY_IKE_I0) and NOT sending notification

(the log message can still be found in the sources), a number of
significant changes to how IKEv2 Message IDs are handled were made and
they may affect this.

If the message ID deadlock message still occurs, can you look back
through the logs for anything pertaining to the IKE SA (aka parent or
#2019 in the above), especially anything that suggests a packet is
being sent?

> However, when I run "ipsec status", it appears to show the connection
> is still active (or at least established):

For this:

> [1376538.238061] IPv4: martian source 192.168.1.35 from 192.168.49.1,
> on dev eth1
> [1376538.238075] ll header: 00000000: ff ff ff ff ff ff 0c 47 c9 7b 4e b2 08 06
> [1380207.332144] IPv4: martian source 192.168.1.105 from 192.168.49.1,
> on dev eth1
> [1380207.332159] ll header: 00000000: ff ff ff ff ff ff 0c 47 c9 7b 4e b2 08 06
> [1393701.446458] IPv4: martian source 192.168.1.35 from 192.168.49.1,
> on dev eth1

https://en.wikipedia.org/wiki/Martian_packet
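
One way to do the log search requested above, as an added example that is not part of the original message or of libreswan: for each "message id deadlock?" line it pulls the earlier lines logged by the parent IKE SA and marks those that mention sending. It assumes one log entry per line in the format of the quoted lines; the function name, the send-matching heuristic and the first two sample lines are constructed for illustration.

```python
import re

# Constructed sample. The last three lines are the ones quoted in the message
# (re-joined onto single lines); the first two are invented for illustration.
SAMPLE_LOG = '''\
May 21 20:14:20.100000: "orion-cyclops/1x1" #2019: constructed example line: sending request
May 21 20:14:20.500000: "other-conn" #2020: constructed example line: unrelated state
May 21 20:14:21.606083: "orion-cyclops/1x1" #2019: initiate rekey of IKEv2 CREATE_CHILD_SA IKE Rekey
May 21 20:14:21.607453: "orion-cyclops/1x1" #2028: message id deadlock? wait sending, add to send next list using parent #2019 unacknowledged 2 next message id=2 ike exchange window 1
May 21 20:17:41.608603: "orion-cyclops/1x1" #2028: deleting state (STATE_V2_REKEY_IKE_I0) and NOT sending notification
'''

# timestamp: "connection" #state: message
LINE = re.compile(r'^(?P<ts>\w{3} +\d+ [\d:.]+): "(?P<conn>[^"]+)"[^#]*#(?P<state>\d+): (?P<msg>.*)$')
DEADLOCK = re.compile(r'message id deadlock\?.*using parent #(?P<parent>\d+)')
SEND_HINT = re.compile(r'\b(send|sending|sent)\b', re.I)  # heuristic, an assumption


def deadlock_reports(log_text):
    """For each deadlock line, collect the earlier lines logged by its parent IKE SA."""
    seen = []       # parsed lines so far, in log order
    reports = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not per-state log entries
        entry = m.groupdict()
        hit = DEADLOCK.search(entry["msg"])
        if hit:
            parent = hit.group("parent")
            history = [e for e in seen if e["state"] == parent]
            reports.append({
                "child": entry["state"],
                "parent": parent,
                "when": entry["ts"],
                "history": history,
                "send_lines": [e for e in history if SEND_HINT.search(e["msg"])],
            })
        seen.append(entry)
    return reports


if __name__ == "__main__":
    for r in deadlock_reports(SAMPLE_LOG):
        print(f'#{r["child"]} blocked on parent #{r["parent"]} at {r["when"]}')
        for e in r["history"]:
            mark = "*" if e in r["send_lines"] else " "
            print(f'  {mark} {e["ts"]}: {e["msg"]}')
```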

