[Swan] Tunnel still in "pending CHILD SA for "
Greg Skilled Pragati
greg at skilledpragati.com
Mon Mar 6 17:50:08 EET 2023
Hi Guys,
I've configured an ipsec tunnel for 2 DCs. I'm seeing an issue and at the
moment it doesn't appear to be causing too many problems, but I believe it is
likely an issue that will result in future problems.
With some advice from an expert in this subject, we did a full upgrade of
the libreswan environment, and did a basic config like so:
Left server config (EDI):
conn edi-fvc
auto=start
ikev2=yes
authby=rsasig
left=10.1.16.26
leftid=@edi ....[removed for public view] ....
leftsubnets=10.1.16.0/22,192.168.100.0/22
leftrsasigkey=0sAwEAAbzZRjv ....[removed for public view] .... qbuYQYg+t8zbCPZ/Lrf6L
right= ....[FVC PUBLIC IP removed for public view] ....
rightid=@fvc.freightgate.com
rightsubnets=192.168.0.0/22,192.168.24.0/22
rightrsasigkey=0sAwEAAbcwz7GVxHm9 ....[removed for public view] .... DQIVMDud2Zc0k=
Right server config (FVC):
conn fvc-edi
auto=start
ikev2=yes
authby=rsasig
left=192.168.1.26
leftid=@fvc ....[removed for public view] ....
leftsubnets=192.168.0.0/22,192.168.24.0/22
leftrsasigkey=0sAwEAAbcwz7GVxHm9 ....[removed for public view] .... DQIVMDud2Zc0k=
right= ....[EDI PUBLIC IP removed for public view] ....
rightid=@edi ....[removed for public view] ....
rightsubnets=10.1.16.0/22,192.168.100.0/22
rightrsasigkey=0sAwEAAbzZRjv ....[removed for public view] .... qbuYQYg+t8zbCPZ/Lrf6L
In `ipsec status` on EDI, I get a status that looks good:
000 #7: "edi-fvc/1x1":4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 4881s; REPLACE in 5602s; newest; eroute owner; IKE SA #10; idle;
000 #7: "edi-fvc/1x1" esp.a44a289e@....[FVC PUBLIC IP removed for public view].... esp.4cc9c32a@10.1.16.26 tun.0@....[FVC PUBLIC IP removed for public view].... tun.0@10.1.16.26 Traffic: ESPin=349KB ESPout=2MB ESPmax=0B
000 #9: "edi-fvc/1x2":4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 4944s; REPLACE in 5633s; newest; eroute owner; IKE SA #10; idle;
000 #9: "edi-fvc/1x2" esp.d35b5f5f@....[FVC PUBLIC IP removed for public view].... esp.a83cf3b7@10.1.16.26 tun.0@....[FVC PUBLIC IP removed for public view].... tun.0@10.1.16.26 Traffic: ESPin=0B ESPout=0B ESPmax=0B
000 #8: "edi-fvc/2x1":4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 4670s; REPLACE in 5624s; newest; eroute owner; IKE SA #10; idle;
000 #8: "edi-fvc/2x1" esp.5c42b219@....[FVC PUBLIC IP removed for public view].... esp.965f2f73@10.1.16.26 tun.0@....[FVC PUBLIC IP removed for public view].... tun.0@10.1.16.26 Traffic: ESPin=28MB ESPout=18MB ESPmax=0B
000 #6: "edi-fvc/2x2":4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 4917s; REPLACE in 5563s; newest; eroute owner; IKE SA #10; idle;
000 #6: "edi-fvc/2x2" esp.1a4d115b@....[FVC PUBLIC IP removed for public view].... esp.bfdf2765@10.1.16.26 tun.0@....[FVC PUBLIC IP removed for public view].... tun.0@10.1.16.26 Traffic: ESPin=2MB ESPout=21MB ESPmax=0B
000 #10: "edi-fvc/2x2":4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 5004s; REPLACE in 5843s; newest; idle;
On FVC, I see this:
000
000 #445: "fvc-edi/1x1":4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 5346s; REPLACE in 5616s; newest; eroute owner; IKE SA #452; idle;
000 #445: "fvc-edi/1x1" esp.4cc9c32a@....[EDI PUBLIC IP removed for public view].... esp.a44a289e@192.168.1.26 tun.0@....[EDI PUBLIC IP removed for public view].... tun.0@192.168.1.26 Traffic: ESPin=2MB ESPout=349KB ESPmax=0B
000 #452: "fvc-edi/1x1":4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 5587s; REPLACE in 5857s; newest; idle;
000 #446: "fvc-edi/1x2":4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 5368s; REPLACE in 5638s; newest; eroute owner; IKE SA #452; idle;
000 #446: "fvc-edi/1x2" esp.965f2f73@....[EDI PUBLIC IP removed for public view].... esp.5c42b219@192.168.1.26 tun.0@....[EDI PUBLIC IP removed for public view].... tun.0@192.168.1.26 Traffic: ESPin=18MB ESPout=28MB ESPmax=0B
000 #448: "fvc-edi/2x1":4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 5377s; REPLACE in 5647s; newest; eroute owner; IKE SA #452; idle;
000 #448: "fvc-edi/2x1" esp.a83cf3b7@....[EDI PUBLIC IP removed for public view].... esp.d35b5f5f@192.168.1.26 tun.0@....[EDI PUBLIC IP removed for public view].... tun.0@192.168.1.26 Traffic: ESPin=0B ESPout=0B ESPmax=0B
000 #443: "fvc-edi/2x2":4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 5307s; REPLACE in 5577s; newest; eroute owner; IKE SA #452; idle;
000 #443: "fvc-edi/2x2" esp.bfdf2765@....[EDI PUBLIC IP removed for public view].... esp.1a4d115b@192.168.1.26 tun.0@....[EDI PUBLIC IP removed for public view].... tun.0@192.168.1.26 Traffic: ESPin=21MB ESPout=2MB ESPmax=0B
000 #810: "fvc-edi/2x2":500 STATE_V2_PARENT_I1 (sent IKE_SA_INIT request); RETRANSMIT in 24s; idle;
000 #810: pending CHILD SA for "fvc-edi/2x2"
000 #810: pending CHILD SA for "fvc-edi/2x2"
000 #810: pending CHILD SA for "fvc-edi/2x2"
000 #810: pending CHILD SA for "fvc-edi/2x2"
The 2 servers are behind NATs on separate machines. One is a commercial
firewall and the other is a standard iptables NAT.
Is this going to cause issues and can anyone see a reason why this problem
might exist?
And have I set this up correctly?
Thank you,
*Greg Borbonus*
General Manager
P + <+639310006006>1 832 576 5956
W https://skilledpragati.com
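The script below is an added example, not code from the post or from the libreswan project. It parses `ipsec status` lines in the layout quoted above, flags any IKE SA that is still in `STATE_V2_PARENT_I1` (and its "pending CHILD SA" lines) while an established IKE SA already exists for the same connection, and cross-checks the two ends by pairing each Child SA's outbound SPI with the peer's inbound SPI. The sample input is re-typed from the post with the wrapped lines joined; the public IPs the post redacts are replaced with RFC 5737 documentation addresses, which is an assumption.

```python
import re

# Assumption: placeholders for the public IPs redacted in the post.
EDI_PUB = "192.0.2.10"
FVC_PUB = "198.51.100.20"

# Constructed sample, re-typed from the EDI side of the post ('ipsec status').
EDI_STATUS = f"""
000 #7: "edi-fvc/1x1":4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 4881s; REPLACE in 5602s; newest; eroute owner; IKE SA #10; idle;
000 #7: "edi-fvc/1x1" esp.a44a289e@{FVC_PUB} esp.4cc9c32a@10.1.16.26 tun.0@{FVC_PUB} tun.0@10.1.16.26 Traffic: ESPin=349KB ESPout=2MB ESPmax=0B
000 #9: "edi-fvc/1x2":4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 4944s; REPLACE in 5633s; newest; eroute owner; IKE SA #10; idle;
000 #9: "edi-fvc/1x2" esp.d35b5f5f@{FVC_PUB} esp.a83cf3b7@10.1.16.26 tun.0@{FVC_PUB} tun.0@10.1.16.26 Traffic: ESPin=0B ESPout=0B ESPmax=0B
000 #8: "edi-fvc/2x1":4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 4670s; REPLACE in 5624s; newest; eroute owner; IKE SA #10; idle;
000 #8: "edi-fvc/2x1" esp.5c42b219@{FVC_PUB} esp.965f2f73@10.1.16.26 tun.0@{FVC_PUB} tun.0@10.1.16.26 Traffic: ESPin=28MB ESPout=18MB ESPmax=0B
000 #6: "edi-fvc/2x2":4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 4917s; REPLACE in 5563s; newest; eroute owner; IKE SA #10; idle;
000 #6: "edi-fvc/2x2" esp.1a4d115b@{FVC_PUB} esp.bfdf2765@10.1.16.26 tun.0@{FVC_PUB} tun.0@10.1.16.26 Traffic: ESPin=2MB ESPout=21MB ESPmax=0B
000 #10: "edi-fvc/2x2":4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 5004s; REPLACE in 5843s; newest; idle;
"""

# Constructed sample, re-typed from the FVC side of the post.
FVC_STATUS = f"""
000 #445: "fvc-edi/1x1":4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 5346s; REPLACE in 5616s; newest; eroute owner; IKE SA #452; idle;
000 #445: "fvc-edi/1x1" esp.4cc9c32a@{EDI_PUB} esp.a44a289e@192.168.1.26 tun.0@{EDI_PUB} tun.0@192.168.1.26 Traffic: ESPin=2MB ESPout=349KB ESPmax=0B
000 #452: "fvc-edi/1x1":4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 5587s; REPLACE in 5857s; newest; idle;
000 #446: "fvc-edi/1x2":4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 5368s; REPLACE in 5638s; newest; eroute owner; IKE SA #452; idle;
000 #446: "fvc-edi/1x2" esp.965f2f73@{EDI_PUB} esp.5c42b219@192.168.1.26 tun.0@{EDI_PUB} tun.0@192.168.1.26 Traffic: ESPin=18MB ESPout=28MB ESPmax=0B
000 #448: "fvc-edi/2x1":4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 5377s; REPLACE in 5647s; newest; eroute owner; IKE SA #452; idle;
000 #448: "fvc-edi/2x1" esp.a83cf3b7@{EDI_PUB} esp.d35b5f5f@192.168.1.26 tun.0@{EDI_PUB} tun.0@192.168.1.26 Traffic: ESPin=0B ESPout=0B ESPmax=0B
000 #443: "fvc-edi/2x2":4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 5307s; REPLACE in 5577s; newest; eroute owner; IKE SA #452; idle;
000 #443: "fvc-edi/2x2" esp.bfdf2765@{EDI_PUB} esp.1a4d115b@192.168.1.26 tun.0@{EDI_PUB} tun.0@192.168.1.26 Traffic: ESPin=21MB ESPout=2MB ESPmax=0B
000 #810: "fvc-edi/2x2":500 STATE_V2_PARENT_I1 (sent IKE_SA_INIT request); RETRANSMIT in 24s; idle;
000 #810: pending CHILD SA for "fvc-edi/2x2"
000 #810: pending CHILD SA for "fvc-edi/2x2"
000 #810: pending CHILD SA for "fvc-edi/2x2"
000 #810: pending CHILD SA for "fvc-edi/2x2"
"""

STATE_RE = re.compile(r'^000 #(\d+): "([^"]+)":(\d+) (STATE_\w+)')
SPI_RE = re.compile(r'^000 #(\d+): "([^"]+)" esp\.([0-9a-f]+)@(\S+) esp\.([0-9a-f]+)@(\S+)')
PENDING_RE = re.compile(r'^000 #(\d+): pending CHILD SA for "([^"]+)"')


def parse_status(text):
    """Split status output into SA state records, ESP SPI records and pending counts."""
    sas, spis, pending = {}, [], {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            sas[int(m.group(1))] = {"conn": m.group(2), "port": int(m.group(3)), "state": m.group(4)}
            continue
        m = SPI_RE.match(line)
        if m:  # libreswan prints the outbound SPI (peer address) first, then the inbound one
            spis.append({"sa": int(m.group(1)), "conn": m.group(2), "out": m.group(3),
                         "peer": m.group(4), "in": m.group(5), "local": m.group(6)})
            continue
        m = PENDING_RE.match(line)
        if m:
            pending[int(m.group(1))] = pending.get(int(m.group(1)), 0) + 1
    return {"sas": sas, "spis": spis, "pending": pending}


def find_stuck(parsed):
    """Report SAs that are not established; note whether an established IKE SA
    for the same base connection already exists (a second, incomplete negotiation)."""
    base = lambda conn: conn.split("/")[0]
    up = {base(s["conn"]) for s in parsed["sas"].values() if s["state"] == "STATE_V2_ESTABLISHED_IKE_SA"}
    stuck = []
    for num, s in parsed["sas"].items():
        if "ESTABLISHED" in s["state"]:
            continue
        stuck.append({"sa": num, "conn": s["conn"], "state": s["state"], "port": s["port"],
                      "pending_children": parsed["pending"].get(num, 0),
                      "ike_already_up": base(s["conn"]) in up})
    return stuck


def match_spis(a, b):
    """Pair Child SAs across the two ends: A's outbound SPI must be B's inbound
    SPI and vice versa. Returns (pairs, unmatched_on_a, unmatched_on_b)."""
    b_by_in = {r["in"]: r for r in b["spis"]}
    pairs, unmatched_a, matched_b = [], [], set()
    for r in a["spis"]:
        peer = b_by_in.get(r["out"])
        if peer and peer["out"] == r["in"]:
            pairs.append((r["conn"], peer["conn"], r["out"], r["in"]))
            matched_b.add(peer["sa"])
        else:
            unmatched_a.append(r["conn"])
    unmatched_b = [r["conn"] for r in b["spis"] if r["sa"] not in matched_b]
    return pairs, unmatched_a, unmatched_b


if __name__ == "__main__":
    edi, fvc = parse_status(EDI_STATUS), parse_status(FVC_STATUS)
    for side, parsed in (("EDI", edi), ("FVC", fvc)):
        for s in find_stuck(parsed):
            print(f"{side}: #{s['sa']} {s['conn']} port {s['port']} {s['state']} "
                  f"pending={s['pending_children']} ike_already_up={s['ike_already_up']}")
    pairs, un_a, un_b = match_spis(edi, fvc)
    for p in pairs:
        print("paired:", p)
    print("unmatched EDI:", un_a, "unmatched FVC:", un_b)
```

Two things the cross-check makes visible on the post's own numbers: every ESP SPI on EDI has a matching partner on FVC, so the four Child SAs the two ends agree on are healthy, and the instance numbers are not the same on both ends (EDI's `1x2` is FVC's `2x1`, the pair with 0 bytes of traffic), so instances must be compared by SPI rather than by name. The only anomaly is #810, an extra initiator state on UDP 500 rather than the 4500 the established SAs use, which has four Child SAs queued behind an IKE_SA_INIT that is still being retransmitted.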