[Swan] Tunnel still in "pending CHILD SA for "

Greg Skilled Pragati greg at skilledpragati.com
Mon Mar 6 17:50:08 EET 2023


Hi Guys,

I've configured an ipsec tunnel for 2 DCs. I'm seeing an issue and at the
moment it doesn't appear to be causing too many problems, but I believe it is
likely an issue that will result in future problems.


With some advice from an expert in this subject, we did a full upgrade of
the libreswan environment, and did a basic config like so:

Left Server config(EDI):

conn edi-fvc
        auto=start
        ikev2=yes
        authby=rsasig
        left=10.1.16.26
        leftid=@edi ....[removed for public view] ....
        leftsubnets=10.1.16.0/22,192.168.100.0/22
        leftrsasigkey=0sAwEAAbzZRjv ....[removed for public view] .... qbuYQYg+t8zbCPZ/Lrf6L

        right= ....[FVC PUBLIC IP removed for public view] ....
        rightid=@fvc.freightgate.com
        rightsubnets=192.168.0.0/22,192.168.24.0/22
        rightrsasigkey=0sAwEAAbcwz7GVxHm9 ....[removed for public view] .... DQIVMDud2Zc0k=

Right Server config (FVC):

conn fvc-edi
        auto=start
        ikev2=yes
        authby=rsasig
        left=192.168.1.26
        leftid=@fvc ....[removed for public view] ....
        leftsubnets=192.168.0.0/22,192.168.24.0/22
        leftrsasigkey=0sAwEAAbcwz7GVxHm9 ....[removed for public view] .... DQIVMDud2Zc0k=

        right= ....[EDI PUBLIC IP removed for public view] ....
        rightid=@edi ....[removed for public view] ....
        rightsubnets=10.1.16.0/22,192.168.100.0/22
        rightrsasigkey=0sAwEAAbzZRjv ....[removed for public view] .... qbuYQYg+t8zbCPZ/Lrf6L


In ipsec status on EDI, I get a status that looks good:

000 #7: "edi-fvc/1x1":4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 4881s; REPLACE in 5602s; newest; eroute owner; IKE SA #10; idle;
000 #7: "edi-fvc/1x1" esp.a44a289e@ ....[FVC PUBLIC IP removed for public view] .... esp.4cc9c32a@10.1.16.26 tun.0@ ....[FVC PUBLIC IP removed for public view] .... tun.0@10.1.16.26 Traffic: ESPin=349KB ESPout=2MB ESPmax=0B
000 #9: "edi-fvc/1x2":4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 4944s; REPLACE in 5633s; newest; eroute owner; IKE SA #10; idle;
000 #9: "edi-fvc/1x2" esp.d35b5f5f@ ....[FVC PUBLIC IP removed for public view] .... esp.a83cf3b7@10.1.16.26 tun.0@ ....[FVC PUBLIC IP removed for public view] .... tun.0@10.1.16.26 Traffic: ESPin=0B ESPout=0B ESPmax=0B
000 #8: "edi-fvc/2x1":4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 4670s; REPLACE in 5624s; newest; eroute owner; IKE SA #10; idle;
000 #8: "edi-fvc/2x1" esp.5c42b219@ ....[FVC PUBLIC IP removed for public view] .... esp.965f2f73@10.1.16.26 tun.0@ ....[FVC PUBLIC IP removed for public view] .... tun.0@10.1.16.26 Traffic: ESPin=28MB ESPout=18MB ESPmax=0B
000 #6: "edi-fvc/2x2":4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 4917s; REPLACE in 5563s; newest; eroute owner; IKE SA #10; idle;
000 #6: "edi-fvc/2x2" esp.1a4d115b@ ....[FVC PUBLIC IP removed for public view] .... esp.bfdf2765@10.1.16.26 tun.0@ ....[FVC PUBLIC IP removed for public view] .... tun.0@10.1.16.26 Traffic: ESPin=2MB ESPout=21MB ESPmax=0B
000 #10: "edi-fvc/2x2":4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 5004s; REPLACE in 5843s; newest; idle;

In FVC, I see this:
000
000 #445: "fvc-edi/1x1":4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 5346s; REPLACE in 5616s; newest; eroute owner; IKE SA #452; idle;
000 #445: "fvc-edi/1x1" esp.4cc9c32a@ ....[EDI PUBLIC IP removed for public view] .... esp.a44a289e@192.168.1.26 tun.0@ ....[EDI PUBLIC IP removed for public view] .... tun.0@192.168.1.26 Traffic: ESPin=2MB ESPout=349KB ESPmax=0B
000 #452: "fvc-edi/1x1":4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 5587s; REPLACE in 5857s; newest; idle;
000 #446: "fvc-edi/1x2":4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 5368s; REPLACE in 5638s; newest; eroute owner; IKE SA #452; idle;
000 #446: "fvc-edi/1x2" esp.965f2f73@ ....[EDI PUBLIC IP removed for public view] .... esp.5c42b219@192.168.1.26 tun.0@ ....[EDI PUBLIC IP removed for public view] .... tun.0@192.168.1.26 Traffic: ESPin=18MB ESPout=28MB ESPmax=0B
000 #448: "fvc-edi/2x1":4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 5377s; REPLACE in 5647s; newest; eroute owner; IKE SA #452; idle;
000 #448: "fvc-edi/2x1" esp.a83cf3b7@ ....[EDI PUBLIC IP removed for public view] .... esp.d35b5f5f@192.168.1.26 tun.0@ ....[EDI PUBLIC IP removed for public view] .... tun.0@192.168.1.26 Traffic: ESPin=0B ESPout=0B ESPmax=0B
000 #443: "fvc-edi/2x2":4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 5307s; REPLACE in 5577s; newest; eroute owner; IKE SA #452; idle;
000 #443: "fvc-edi/2x2" esp.bfdf2765@ ....[EDI PUBLIC IP removed for public view] .... esp.1a4d115b@192.168.1.26 tun.0@ ....[EDI PUBLIC IP removed for public view] .... tun.0@192.168.1.26 Traffic: ESPin=21MB ESPout=2MB ESPmax=0B
000 #810: "fvc-edi/2x2":500 STATE_V2_PARENT_I1 (sent IKE_SA_INIT request); RETRANSMIT in 24s; idle;
000 #810: pending CHILD SA for "fvc-edi/2x2"
000 #810: pending CHILD SA for "fvc-edi/2x2"
000 #810: pending CHILD SA for "fvc-edi/2x2"
000 #810: pending CHILD SA for "fvc-edi/2x2"

The 2 servers are behind NATs on separate machines. One is a commercial
firewall and the other is a standard iptables NAT.

Is this going to cause issues and can anyone see a reason why this problem
might exist?

And have I set this up correctly?


Thank you,


Greg Borbonus
General Manager

P   + <+639310006006>1 832 576 5956
W
https://skilledpragati.com
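For anyone wanting to watch for the condition shown in the FVC status above without reading the output by hand, here is an added example (it is not part of the original post and not libreswan's own tooling) that parses "ipsec status" lines in the format quoted in the post. It derives the expected instance names from the subnet counts (two leftsubnets times two rightsubnets gives 1x1, 1x2, 2x1, 2x2), reports any instance with no established Child SA, and flags an IKE SA that is still in an initial exchange state such as STATE_V2_PARENT_I1 while carrying "pending CHILD SA" entries, noting whether an established IKE SA already exists for the same connection. The sample input is constructed from the post's output with the redacted public IP replaced by the placeholder EDI_PUBLIC_IP; the state-line layout it assumes is the one quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the FVC-side "ipsec status" output quoted in
# the post. EDI_PUBLIC_IP is a placeholder for the redacted address.
SAMPLE_STATUS = """\
000
000 #445: "fvc-edi/1x1":4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 5346s; REPLACE in 5616s; newest; eroute owner; IKE SA #452; idle;
000 #445: "fvc-edi/1x1" esp.4cc9c32a@EDI_PUBLIC_IP esp.a44a289e@192.168.1.26 tun.0@EDI_PUBLIC_IP tun.0@192.168.1.26 Traffic: ESPin=2MB ESPout=349KB ESPmax=0B
000 #452: "fvc-edi/1x1":4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 5587s; REPLACE in 5857s; newest; idle;
000 #446: "fvc-edi/1x2":4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 5368s; REPLACE in 5638s; newest; eroute owner; IKE SA #452; idle;
000 #448: "fvc-edi/2x1":4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 5377s; REPLACE in 5647s; newest; eroute owner; IKE SA #452; idle;
000 #443: "fvc-edi/2x2":4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 5307s; REPLACE in 5577s; newest; eroute owner; IKE SA #452; idle;
000 #810: "fvc-edi/2x2":500 STATE_V2_PARENT_I1 (sent IKE_SA_INIT request); RETRANSMIT in 24s; idle;
000 #810: pending CHILD SA for "fvc-edi/2x2"
000 #810: pending CHILD SA for "fvc-edi/2x2"
"""

# One state line per SA: '000 #<sa>: "<conn>":<port> STATE_... (<desc>); <timers and flags>'
STATE_RE = re.compile(
    r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)":(?P<port>\d+) (?P<state>STATE_\w+)'
    r' \((?P<desc>[^)]*)\);(?P<rest>.*)$')
PENDING_RE = re.compile(r'^000 #(?P<sa>\d+): pending CHILD SA for "(?P<conn>[^"]+)"$')
TIMER_RE = re.compile(r'(REKEY|REPLACE|RETRANSMIT) in (\d+)s')
IKE_REF_RE = re.compile(r'IKE SA #(\d+)')


def parse_status(text):
    """Return (states, pending): states maps SA number -> parsed fields,
    pending maps SA number -> number of 'pending CHILD SA' lines seen."""
    states, pending = {}, defaultdict(int)
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            d = m.groupdict()
            d["sa"], d["port"] = int(d["sa"]), int(d["port"])
            d["timers"] = {k: int(v) for k, v in TIMER_RE.findall(d.pop("rest"))}
            ref = IKE_REF_RE.search(line)          # Child SA lines name their IKE SA
            d["ike_sa"] = int(ref.group(1)) if ref else None
            states[d["sa"]] = d
            continue
        m = PENDING_RE.match(line)
        if m:
            pending[int(m.group("sa"))] += 1
    return states, dict(pending)


def conn_base(conn):
    """'fvc-edi/2x2' -> 'fvc-edi' (the conn name without the subnet instance)."""
    return conn.split("/", 1)[0]


def expected_instances(n_left, n_right):
    """libreswan expands leftsubnets x rightsubnets into instances named LxR."""
    return {f"{l}x{r}" for l in range(1, n_left + 1) for r in range(1, n_right + 1)}


def established_children(states, base):
    """Instance names of 'base' that currently have an established Child SA."""
    return {s["conn"].split("/", 1)[1] for s in states.values()
            if conn_base(s["conn"]) == base
            and s["state"] == "STATE_V2_ESTABLISHED_CHILD_SA"}


def stuck_initiations(states, pending):
    """Flag IKE SAs still in an initial exchange (STATE_V2_PARENT_*) that have
    Child SAs queued behind them, and note whether an established IKE SA
    already covers the same connection."""
    established_ike = {conn_base(s["conn"]) for s in states.values()
                       if s["state"] == "STATE_V2_ESTABLISHED_IKE_SA"}
    findings = []
    for sa, s in sorted(states.items()):
        if s["state"].startswith("STATE_V2_PARENT_") and sa in pending:
            findings.append({
                "sa": sa,
                "conn": s["conn"],
                "pending_children": pending[sa],
                "retransmit_in": s["timers"].get("RETRANSMIT"),
                "established_ike_exists": conn_base(s["conn"]) in established_ike,
            })
    return findings


if __name__ == "__main__":
    states, pending = parse_status(SAMPLE_STATUS)
    missing = expected_instances(2, 2) - established_children(states, "fvc-edi")
    print("instances without an established Child SA:", sorted(missing))
    for f in stuck_initiations(states, pending):
        print("initiation with pending Child SAs:", f)
```

Run it against real output with `ipsec status | python3 check_status.py` after replacing SAMPLE_STATUS with `sys.stdin.read()`; the two checks are independent, so an all-clear from the first (every instance established) does not hide a second IKE SA that keeps retransmitting IKE_SA_INIT with Child SAs queued behind it.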