[Swan] establishing multiple VPN tunnels - drains resources

Pavol Hustý pavol.husty at gmail.com
Wed Oct 4 13:03:30 EEST 2023


Hello,

We found the following state in the existing connection.

After the connection is established, IPsec establishes multiple VPN
tunnels. Some of them are not used to send data and are just in a dormant
state.
Our suspicion is that the rekey times are different; this leads to unused
tunnels being left hanging, which drains resources.

Is this a known bug or a misconfiguration? Is there a solution?

Thanks for your advice.


CentOS 7 + Linux, Libreswan 3.32 (netkey) on a 3.10.0 kernel.

000 "siteA-siteB": 10.10.10.75/32===a.b.c.222
> <a.b.c.222>...x.y.z.233<x.y.z.233>===172.17.19.2/32; erouted; eroute
> owner: #1500666
> 000 "siteA-siteB":     oriented; my_ip=unset; their_ip=unset;
> my_updown=ipsec _updown;
> 000 "siteA-siteB":   xauth us:none, xauth them:none,  my_username=[any];
> their_username=[any]
> 000 "siteA-siteB":   our auth:secret, their auth:secret
> 000 "siteA-siteB":   modecfg info: us:none, them:none, modecfg
> policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
> 000 "siteA-siteB":   policy_label:unset;
> 000 "siteA-siteB":   ike_life: 86400s; ipsec_life: 3600s; replay_window:
> 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
> 000 "siteA-siteB":   retransmit-interval: 500ms; retransmit-timeout: 60s;
> 000 "siteA-siteB":   initial-contact:no; cisco-unity:no;
> fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
> 000 "siteA-siteB":   policy:
> PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
> 000 "siteA-siteB":   v2-auth-hash-policy: none;
> 000 "siteA-siteB":   conn_prio: 32,32; interface: bond0:0; metric: 0; mtu:
> unset; sa_prio:auto; sa_tfc:none;
> 000 "siteA-siteB":   nflog-group: unset; mark: 5/0xffffffff, 5/0xffffffff;
> vti-iface:vti0; vti-routing:yes; vti-shared:yes; nic-offload:auto;
> 000 "siteA-siteB":   our idtype: ID_IPV4_ADDR; our id=a.b.c.222; their
> idtype: ID_IPV4_ADDR; their id=x.y.z.233
> 000 "siteA-siteB":   dpd: action:restart; delay:10; timeout:30; nat-t:
> encaps:yes; nat_keepalive:yes; ikev1_natt:both
> 000 "siteA-siteB":   newest ISAKMP SA: #1500220; newest IPsec SA: #1500666;
> 000 "siteA-siteB":   IKE algorithms: AES_CBC_256-HMAC_SHA2_256-MODP2048
> 000 "siteA-siteB":   IKEv2 algorithm newest:
> AES_CBC_256-HMAC_SHA2_256-MODP2048
> 000 "siteA-siteB":   ESP algorithms: AES_CBC_256-HMAC_SHA2_256_128-MODP2048
> 000 "siteA-siteB":   ESP algorithm newest: AES_CBC_256-HMAC_SHA2_256_128;
> pfsgroup=MODP2048
> 000 #1500220: "siteA-siteB":4500 STATE_PARENT_R2 (received v2I2, PARENT SA
> established); EVENT_SA_REKEY in 82924s; newest ISAKMP; idle;
> 000 #1500257: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 664s; isakmp#1500220; idle;
> 000 #1500257: "siteA-siteB" esp.c8c94fa5 at x.y.z.233 esp.53074d2d at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500261: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 725s; isakmp#1500220; idle;
> 000 #1500261: "siteA-siteB" esp.c612a63c at x.y.z.233 esp.3e7332f7 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500275: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 838s; isakmp#1500220; idle;
> 000 #1500275: "siteA-siteB" esp.ce88eb99 at x.y.z.233 esp.33ae54df at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=60B
> ESPout=112B! ESPmax=0B
> 000 #1500287: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 956s; isakmp#1500220; idle;
> 000 #1500287: "siteA-siteB" esp.c41ab2dd at x.y.z.233 esp.fd969e5d at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500289: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 961s; isakmp#1500220; idle;
> 000 #1500289: "siteA-siteB" esp.c1729af1 at x.y.z.233 esp.349daff8 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500299: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1022s; isakmp#1500220; idle;
> 000 #1500299: "siteA-siteB" esp.cb06febf at x.y.z.233 esp.3ee57076 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500303: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1051s; isakmp#1500220; idle;
> 000 #1500303: "siteA-siteB" esp.cb8d3898 at x.y.z.233 esp.21244b32 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500311: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1082s; isakmp#1500220; idle;
> 000 #1500311: "siteA-siteB" esp.cc7edc30 at x.y.z.233 esp.e88cdad5 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=60B
> ESPout=112B! ESPmax=0B
> 000 #1500325: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1177s; isakmp#1500220; idle;
> 000 #1500325: "siteA-siteB" esp.c20ac1d4 at x.y.z.233 esp.dbc43b4d at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500330: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1228s; isakmp#1500220; idle;
> 000 #1500330: "siteA-siteB" esp.cb141a2c at x.y.z.233 esp.61616dfe at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500333: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1249s; isakmp#1500220; idle;
> 000 #1500333: "siteA-siteB" esp.c188e718 at x.y.z.233 esp.2ac5384 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500334: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1263s; isakmp#1500220; idle;
> 000 #1500334: "siteA-siteB" esp.cae9b83a at x.y.z.233 esp.b64d3a6b at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500336: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1270s; isakmp#1500220; idle;
> 000 #1500336: "siteA-siteB" esp.c008708e at x.y.z.233 esp.fab30c84 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500338: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1280s; isakmp#1500220; idle;
> 000 #1500338: "siteA-siteB" esp.c1c5816b at x.y.z.233 esp.1288e265 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500342: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1312s; isakmp#1500220; idle;
> 000 #1500342: "siteA-siteB" esp.c47ea943 at x.y.z.233 esp.969324d1 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500343: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1312s; isakmp#1500220; idle;
> 000 #1500343: "siteA-siteB" esp.c1884827 at x.y.z.233 esp.7f83d441 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500345: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1319s; isakmp#1500220; idle;
> 000 #1500345: "siteA-siteB" esp.c678620c at x.y.z.233 esp.f31f89c4 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500348: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1333s; isakmp#1500220; idle;
> 000 #1500348: "siteA-siteB" esp.cba8f565 at x.y.z.233 esp.a131dc72 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500351: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1358s; isakmp#1500220; idle;
> 000 #1500351: "siteA-siteB" esp.c2a233b3 at x.y.z.233 esp.12754bb6 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500357: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1382s; isakmp#1500220; idle;
> 000 #1500357: "siteA-siteB" esp.ca631da1 at x.y.z.233 esp.ceefd2bb at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500361: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1390s; isakmp#1500220; idle;
> 000 #1500361: "siteA-siteB" esp.c77f4643 at x.y.z.233 esp.945334fe at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500362: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1400s; isakmp#1500220; idle;
> 000 #1500362: "siteA-siteB" esp.cd23c35a at x.y.z.233 esp.fc10f1da at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500363: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1403s; isakmp#1500220; idle;
> 000 #1500363: "siteA-siteB" esp.ccea14d1 at x.y.z.233 esp.a0f2b2d1 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500367: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1424s; isakmp#1500220; idle;
> 000 #1500367: "siteA-siteB" esp.c9706cc4 at x.y.z.233 esp.d298de8c at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500369: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1427s; isakmp#1500220; idle;
> 000 #1500369: "siteA-siteB" esp.cf9f4fa3 at x.y.z.233 esp.c1e2440a at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500370: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1439s; isakmp#1500220; idle;
> 000 #1500370: "siteA-siteB" esp.c90b4f71 at x.y.z.233 esp.1e9b7b63 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=60B
> ESPout=112B! ESPmax=0B
> 000 #1500380: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1509s; isakmp#1500220; idle;
> 000 #1500380: "siteA-siteB" esp.c59aecc6 at x.y.z.233 esp.193a6660 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500381: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1509s; isakmp#1500220; idle;
> 000 #1500381: "siteA-siteB" esp.cd1f181c at x.y.z.233 esp.603184a7 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500390: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1531s; isakmp#1500220; idle;
> 000 #1500390: "siteA-siteB" esp.c2620d1e at x.y.z.233 esp.196d65f2 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500392: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1537s; isakmp#1500220; idle;
> 000 #1500392: "siteA-siteB" esp.cc9cef02 at x.y.z.233 esp.6aee4d8a at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500401: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1567s; isakmp#1500220; idle;
> 000 #1500401: "siteA-siteB" esp.c1adb83b at x.y.z.233 esp.3495f5e6 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500405: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1575s; isakmp#1500220; idle;
> 000 #1500405: "siteA-siteB" esp.c4c9f377 at x.y.z.233 esp.35319f5a at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500411: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1605s; isakmp#1500220; idle;
> 000 #1500411: "siteA-siteB" esp.c268aa9d at x.y.z.233 esp.f65b3b7c at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500414: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1609s; isakmp#1500220; idle;
> 000 #1500414: "siteA-siteB" esp.cb6566c0 at x.y.z.233 esp.c64630d at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500416: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1613s; isakmp#1500220; idle;
> 000 #1500416: "siteA-siteB" esp.c8fa6602 at x.y.z.233 esp.32b9047f at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500419: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1614s; isakmp#1500220; idle;
> 000 #1500419: "siteA-siteB" esp.c74e08d9 at x.y.z.233 esp.5841baf4 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500422: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1634s; isakmp#1500220; idle;
> 000 #1500422: "siteA-siteB" esp.cb92f8a8 at x.y.z.233 esp.8720ab41 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500423: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1636s; isakmp#1500220; idle;
> 000 #1500423: "siteA-siteB" esp.ca347979 at x.y.z.233 esp.945dedb7 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500425: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1638s; isakmp#1500220; idle;
> 000 #1500425: "siteA-siteB" esp.cf7b6044 at x.y.z.233 esp.8db06a45 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500428: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1659s; isakmp#1500220; idle;
> 000 #1500428: "siteA-siteB" esp.c6077ed8 at x.y.z.233 esp.bceb36e5 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500431: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1668s; isakmp#1500220; idle;
> 000 #1500431: "siteA-siteB" esp.c405393f at x.y.z.233 esp.d3597633 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500443: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1709s; isakmp#1500220; idle;
> 000 #1500443: "siteA-siteB" esp.c55bd7bf at x.y.z.233 esp.e563f6ab at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500447: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1737s; isakmp#1500220; idle;
> 000 #1500447: "siteA-siteB" esp.cfa524c4 at x.y.z.233 esp.a41537 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=60B
> ESPout=112B! ESPmax=0B
> 000 #1500462: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1782s; isakmp#1500220; idle;
> 000 #1500462: "siteA-siteB" esp.c73b6e0b at x.y.z.233 esp.ba6835b at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500463: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1784s; isakmp#1500220; idle;
> 000 #1500463: "siteA-siteB" esp.c9e1ce83 at x.y.z.233 esp.2e1ff903 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500468: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1794s; isakmp#1500220; idle;
> 000 #1500468: "siteA-siteB" esp.c9b20994 at x.y.z.233 esp.c28fb235 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500469: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1796s; isakmp#1500220; idle;
> 000 #1500469: "siteA-siteB" esp.cbfe50bd at x.y.z.233 esp.e9e3aafd at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500470: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1796s; isakmp#1500220; idle;
> 000 #1500470: "siteA-siteB" esp.c8c0e9a5 at x.y.z.233 esp.22bd88c6 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500477: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1825s; isakmp#1500220; idle;
> 000 #1500477: "siteA-siteB" esp.c489edaa at x.y.z.233 esp.3e17542b at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500479: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1828s; isakmp#1500220; idle;
> 000 #1500479: "siteA-siteB" esp.c4a9ff61 at x.y.z.233 esp.33c51107 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500481: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1829s; isakmp#1500220; idle;
> 000 #1500481: "siteA-siteB" esp.cb78f638 at x.y.z.233 esp.26beb037 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500487: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1849s; isakmp#1500220; idle;
> 000 #1500487: "siteA-siteB" esp.c2bf199e at x.y.z.233 esp.ab33137f at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500488: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1855s; isakmp#1500220; idle;
> 000 #1500488: "siteA-siteB" esp.c13bd1a8 at x.y.z.233 esp.a5270231 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500499: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1882s; isakmp#1500220; idle;
> 000 #1500499: "siteA-siteB" esp.cf8a8918 at x.y.z.233 esp.68fbbe70 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500501: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1883s; isakmp#1500220; idle;
> 000 #1500501: "siteA-siteB" esp.ca18df6b at x.y.z.233 esp.ff1f01b2 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500502: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1884s; isakmp#1500220; idle;
> 000 #1500502: "siteA-siteB" esp.ca3430fa at x.y.z.233 esp.eae5ddbf at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500503: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1886s; isakmp#1500220; idle;
> 000 #1500503: "siteA-siteB" esp.c147f733 at x.y.z.233 esp.3c119103 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500505: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1889s; isakmp#1500220; idle;
> 000 #1500505: "siteA-siteB" esp.c26fa25d at x.y.z.233 esp.68d19924 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500509: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1903s; isakmp#1500220; idle;
> 000 #1500509: "siteA-siteB" esp.c00544f9 at x.y.z.233 esp.5107eaf4 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500513: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1923s; isakmp#1500220; idle;
> 000 #1500513: "siteA-siteB" esp.c3f18a27 at x.y.z.233 esp.81a4901 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500519: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1958s; isakmp#1500220; idle;
> 000 #1500519: "siteA-siteB" esp.c1a8e6ab at x.y.z.233 esp.120e5b82 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500522: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1960s; isakmp#1500220; idle;
> 000 #1500522: "siteA-siteB" esp.c015cc77 at x.y.z.233 esp.d26acf29 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500526: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 1968s; isakmp#1500220; idle;
> 000 #1500526: "siteA-siteB" esp.c91bbd79 at x.y.z.233 esp.cf8c88d6 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500539: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 2021s; isakmp#1500220; idle;
> 000 #1500539: "siteA-siteB" esp.c7f74c1d at x.y.z.233 esp.f831fe48 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=60B
> ESPout=112B! ESPmax=0B
> 000 #1500550: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 2061s; isakmp#1500220; idle;
> 000 #1500550: "siteA-siteB" esp.c346bd48 at x.y.z.233 esp.6aa1dc5a at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500558: "siteA-siteB":4500 STATE_PARENT_R2 (received v2I2, PARENT SA
> established); EVENT_SA_REKEY in 84888s; idle;
> 000 #1500559: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 2088s; isakmp#1500558; idle;
> 000 #1500559: "siteA-siteB" esp.c3315ec9 at x.y.z.233 esp.8f848561 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500564: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 2100s; isakmp#1500220; idle;
> 000 #1500564: "siteA-siteB" esp.c57732ea at x.y.z.233 esp.6d599894 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500570: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 2130s; isakmp#1500220; idle;
> 000 #1500570: "siteA-siteB" esp.ca4e33a0 at x.y.z.233 esp.7e78cd5a at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500581: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 2183s; isakmp#1500220; idle;
> 000 #1500581: "siteA-siteB" esp.c744ad3f at x.y.z.233 esp.c41815bf at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500595: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 2248s; isakmp#1500220; idle;
> 000 #1500595: "siteA-siteB" esp.ccb0f234 at x.y.z.233 esp.436abed5 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500615: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 2339s; isakmp#1500220; idle;
> 000 #1500615: "siteA-siteB" esp.c3576d6f at x.y.z.233 esp.339d290d at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=60B
> ESPout=112B! ESPmax=0B
> 000 #1500634: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 2431s; isakmp#1500220; idle;
> 000 #1500634: "siteA-siteB" esp.c9f11562 at x.y.z.233 esp.3bd06cbf at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500635: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 2433s; isakmp#1500220; idle;
> 000 #1500635: "siteA-siteB" esp.cd9aaa14 at x.y.z.233 esp.6dbe0e4f at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B
> ESPout=0B! ESPmax=0B
> 000 #1500666: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established);
> EVENT_SA_REKEY in 2621s; newest IPSEC; eroute owner; isakmp#1500220; idle;
> 000 #1500666: "siteA-siteB" esp.ceb755ca at x.y.z.233 esp.4d32b366 at a.b.c.222
> tun.0 at x.y.z.233 tun.0 at a.b.c.222 ref=0 refhim=0 Traffic: ESPin=180B
> ESPout=336B! ESPmax=0B




tail -f /var/log/pluto.log | grep "siteA-siteB"

145123: "siteA-siteB" #1549735: EXPECTATION FAILED: not replacing stale
> CHILD SA #1549735; as already got a newer #1549897 (in v2_event_sa_rekey()
> at ikev2_parent.c:6377)
> 145197: "siteA-siteB" #1549735: deleting state (STATE_V2_IPSEC_R) aged
> 3330.008s and sending notification
> 145259: "siteA-siteB" #1549735: ESP traffic information: in=0B out=0B
> 175711: "siteA-siteB" #1549750: proposal
> 1:ESP=AES_CBC_256-HMAC_SHA2_256_128-MODP2048-DISABLED SPI=cfc68a47 chosen
> from remote proposals
> 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED[first-match]
> 2:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED
> 175888: "siteA-siteB" #1549750: received delete request for PROTO_v2_ESP
> SA(0xc8127f1c) but corresponding state not found
> 175912: "siteA-siteB" #1549750: STATE_PARENT_R2: received v2I2, PARENT SA
> established
> 183195: "siteA-siteB" #1549898: negotiated new IPsec SA
> [10.10.10.75-10.10.10.75:0-65535 0] -> [172.17.19.2-172.17.19.2:0-65535 0]
> 183247: "siteA-siteB" #1549898: negotiated connection
> [10.10.10.75-10.10.10.75:0-65535 0] -> [172.17.19.2-172.17.19.2:0-65535 0]
> 183274: "siteA-siteB" #1549898: STATE_V2_IPSEC_R: IPsec SA established
> tunnel mode {ESP/NAT=>0xcfc68a47 <0x6ec92183
> xfrm=AES_CBC_256-HMAC_SHA2_256_128-MODP2048 NATOA=none NATD=
> 3.74.142.234:4500 DPD=active}


--

ipsec.conf:


config setup
        plutodebug="control parsing"
        plutodebug="all crypt"

        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

        listen=a.b.c.222
        protostack=netkey
        plutodebug=none
        uniqueids=no

        virtual_private=%v4:10.0.0.0/8
        logfile=/var/log/pluto.log

conn siteA-siteB
        auto=start
        keyexchange=ike
        authby=secret
        type=tunnel
        ikev2=insist
        encapsulation=yes
        ike=aes256-sha2_256;modp2048
        salifetime=1h
        ikelifetime=24h
        phase2=esp
        phase2alg=aes256-sha2_256;modp2048

        left=a.b.c.222
        leftsubnet=10.10.10.75/32

        right=x.y.z.233
        rightsubnet=172.17.19.2/32

        mark=5/0xffffffff
        vti-interface=vti0
        vti-routing=yes
        vti-shared=yes
        pfs=yes
        dpddelay=10
        dpdtimeout=30
        dpdaction=restart

--


Thank you.

Regards
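As an added example (not from the post and not Libreswan's own code), a small Python audit of the `ipsec status` output format shown above: it parses the per-state and "Traffic:" lines, groups the established CHILD SAs of each connection, and flags the SAs that carry no ESP traffic and are not the eroute owner, which is the pile-up the post describes. The sample input is constructed to mirror the post's output, and the regexes are an assumption about the Libreswan 3.x line layout rather than a documented interface.

```python
# Audit Libreswan `ipsec status` output for piled-up idle IPsec (CHILD) SAs.
import re
from dataclasses import dataclass

# Constructed sample modelled on the post's output (SPIs copied from it). The
# mail client wrapped each state over several lines; real `ipsec status`
# prints one state line and one "Traffic:" line per CHILD SA, as here.
SAMPLE_STATUS = """\
000 #1500220: "siteA-siteB":4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REKEY in 82924s; newest ISAKMP; idle;
000 #1500257: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established); EVENT_SA_REKEY in 664s; isakmp#1500220; idle;
000 #1500257: "siteA-siteB" esp.c8c94fa5@x.y.z.233 esp.53074d2d@a.b.c.222 tun.0@x.y.z.233 tun.0@a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=0B
000 #1500275: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established); EVENT_SA_REKEY in 838s; isakmp#1500220; idle;
000 #1500275: "siteA-siteB" esp.ce88eb99@x.y.z.233 esp.33ae54df@a.b.c.222 tun.0@x.y.z.233 tun.0@a.b.c.222 ref=0 refhim=0 Traffic: ESPin=60B ESPout=112B! ESPmax=0B
000 #1500325: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established); EVENT_SA_REKEY in 1177s; isakmp#1500220; idle;
000 #1500325: "siteA-siteB" esp.c20ac1d4@x.y.z.233 esp.dbc43b4d@a.b.c.222 tun.0@x.y.z.233 tun.0@a.b.c.222 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=0B
000 #1500666: "siteA-siteB":4500 STATE_V2_IPSEC_R (IPsec SA established); EVENT_SA_REKEY in 2621s; newest IPSEC; eroute owner; isakmp#1500220; idle;
000 #1500666: "siteA-siteB" esp.ceb755ca@x.y.z.233 esp.4d32b366@a.b.c.222 tun.0@x.y.z.233 tun.0@a.b.c.222 ref=0 refhim=0 Traffic: ESPin=180B ESPout=336B! ESPmax=0B
"""

# Assumed line layout (Libreswan 3.x): state line, then traffic line per SA.
STATE_RE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)"(?::\d+)? (?P<state>STATE_\w+) '
    r'\(.*?\); EVENT_SA_REKEY in (?P<rekey>\d+)s;(?P<flags>.*)$')
TRAFFIC_RE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)" .*Traffic: '
    r'ESPin=(?P<espin>\d+)(?P<uin>[KMG]?B) ESPout=(?P<espout>\d+)(?P<uout>[KMG]?B)')
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


@dataclass
class ChildSA:
    num: int
    rekey_in: int       # seconds until EVENT_SA_REKEY fires for this SA
    owner: bool         # True if the SA is the 'eroute owner' (installed policy)
    esp_in: int = 0     # bytes seen on the SA, from the Traffic: line
    esp_out: int = 0

    @property
    def idle(self) -> bool:
        return self.esp_in == 0 and self.esp_out == 0


def parse_status(text: str) -> dict[str, list[ChildSA]]:
    """Return established CHILD SAs per connection name; IKE SAs are skipped."""
    sas: dict[int, ChildSA] = {}
    by_conn: dict[str, list[ChildSA]] = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m and ("IPSEC" in m["state"] or "QUICK" in m["state"]):
            sa = ChildSA(int(m["num"]), int(m["rekey"]), "eroute owner" in m["flags"])
            sas[sa.num] = sa
            by_conn.setdefault(m["conn"], []).append(sa)
            continue
        t = TRAFFIC_RE.match(line)
        if t and int(t["num"]) in sas:   # traffic line follows its state line
            sa = sas[int(t["num"])]
            sa.esp_in = int(t["espin"]) * UNITS[t["uin"]]
            sa.esp_out = int(t["espout"]) * UNITS[t["uout"]]
    return by_conn


def audit(text: str) -> dict[str, dict]:
    """Per connection: SA count, idle non-owner SAs and the rekey-timer spread."""
    report = {}
    for conn, sas in parse_status(text).items():
        rekeys = [sa.rekey_in for sa in sas]
        stale = [sa.num for sa in sas if sa.idle and not sa.owner]
        report[conn] = {
            "child_sas": len(sas),
            "owner": next((sa.num for sa in sas if sa.owner), None),
            "idle_non_owner": stale,           # candidates for cleanup
            "rekey_spread_s": max(rekeys) - min(rekeys),
        }
    return report


if __name__ == "__main__":
    for conn, r in audit(SAMPLE_STATUS).items():
        print(f'{conn}: {r["child_sas"]} CHILD SAs, eroute owner #{r["owner"]}, '
              f'{len(r["idle_non_owner"])} idle non-owner {r["idle_non_owner"]}, '
              f'rekey timers spread over {r["rekey_spread_s"]}s')
```

Run it as `ipsec status | python3 audit.py` after replacing SAMPLE_STATUS with `sys.stdin.read()`; a connection that keeps accumulating idle non-owner SAs between two runs is the condition worth raising with the list.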