
<html>


<head>


<meta http-equiv="Content-Type" content="text/html; charset=utf-8">


</head>


<body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">


<div class="">I’m debugging an issue where my server rebooted and the tunnel didn’t reestablish correctly, and I noticed strange entries in the server’s ip xfrm state table. Namely, a ton of duplicates for established connections. Is this something I should


 be worried about or something that has been seen before?</div>


<div class=""><br class="">


</div>


<div class="">src 100.9.123.24 dst 51.179.82.210</div>


<div class="">


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>proto esp spi 0x0ae2518b reqid 16405 mode tunnel</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>replay-window 32 flag af-unspec</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>auth-trunc hmac(sha256) 0x98164c3a7d85a3877bfdc16fd4749649af8c808bf9a9c1cd73fe1b6a05376c97 128</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>enc cbc(aes) 0x36af49e3f540bd78a3c9623c8744b0f2b46724df01f21382171f2d04f3180989</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>encap type espinudp sport 4500 dport 4500 addr 0.0.0.0</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>anti-replay context: seq 0x2f48, oseq 0x0, bitmap 0xffffffff</div>


<div class="">src 51.179.82.210 dst 100.9.123.24</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>proto esp spi 0xa1c9b948 reqid 16405 mode tunnel</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>replay-window 32 flag af-unspec</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>auth-trunc hmac(sha256) 0x5c68c11799d6b3cc12dcf40b41c9a63b674987bf3fcd5a0a4a6e0715872c19cf 128</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>enc cbc(aes) 0x12b1aaecbd2d061e83a2cc136a24544c3e5b86f4f70a3e226241d5c324f39d4a</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>encap type espinudp sport 4500 dport 4500 addr 0.0.0.0</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>anti-replay context: seq 0x0, oseq 0x2eb8, bitmap 0x00000000</div>


</div>


<div class=""><br class="">


</div>


<div class="">


<div class="">src 100.9.123.24 dst 51.179.82.210</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>proto esp spi 0xd6b2b60a reqid 16405 mode tunnel</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>replay-window 32 flag af-unspec</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>auth-trunc hmac(sha256) 0x4d27f940de4f7a41dec27563ce74616e31dd8b4fe5f9873db72a2d757a48700e 128</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>enc cbc(aes) 0x49606320fc46a025a1d205990b065bfaf256d5b03c3a66d261fa1934a35a541a</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>encap type espinudp sport 4500 dport 4500 addr 0.0.0.0</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>anti-replay context: seq 0x545, oseq 0x0, bitmap 0xffffffff</div>


<div class="">src 51.179.82.210 dst 100.9.123.24</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>proto esp spi 0xeebdea84 reqid 16405 mode tunnel</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>replay-window 32 flag af-unspec</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>auth-trunc hmac(sha256) 0xaa667139b4d5c9cd4d3614631555bcf3b05ff00395b94d97d95fc6a45298a3c6 128</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>enc cbc(aes) 0xcfd05f1cb590732b6282d78345a44c226b25b809146d822cd00c1e99db5d89d1</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>encap type espinudp sport 4500 dport 4500 addr 0.0.0.0</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>anti-replay context: seq 0x0, oseq 0x52b, bitmap 0x00000000</div>


</div>


<div class=""><br class="">


</div>


<div class="">--</div>


<div class=""><br class="">


</div>


<div class="">I also noticed this strange entry that doesn’t correspond to any .conf file, except it has the src/dst mapping to the VTI Ip address for conn37. Though there is no configuration anywhere that connects conn37.conf and the VTI IP address endpoints


 (they are applied with ip addr after the connection has been established).</div>


<div class=""><br class="webkit-block-placeholder">


</div>


<div class="">


<div class="">src 172.16.0.4 dst 172.16.0.5</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>proto esp spi 0x00000000 reqid 0 mode transport</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>replay-window 0 </div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>mark 0x25000000/0xff000000</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>sel src 172.16.0.4/32 dst 172.16.0.5/32 proto icmp type 8 code 0 dev conn37</div>


</div>


<div class=""><br class="">


</div>


<div class="">This seems associated with a confusing messages in /var/log/secure… Is this expected behavior?</div>


<div class=""><br class="">


</div>


<div class="">Sep  7 08:10:10 cq-use1f-1 pluto[8504]: initiate on demand from 172.16.0.4:8 to 172.16.0.5:0 proto=1 because: acquire</div>


<div class=""><br class="">


</div>


<div class="">Here’s the associated conn37.conf, if that’s helpful.</div>


<div class=""><br class="">


</div>


<div class="">


<div class="">conn conn37</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>left=70.240.163.43</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>leftid=“@left-70.240.163.43"</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>leftsubnet=0.0.0.0/0</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>left=70.240.163.43</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>right=51.179.82.210</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>rightid="%fromcert"</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>rightsubnet=0.0.0.0/0</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>rightcert=server</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>right=51.179.82.210</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>rightupdown=/usr/libexec/ipsec/inspeed_updown</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>rightcert=server</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>authby=rsasig</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>vti-routing=no</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>encapsulation=yes</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>keyingtries=0</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>mark=0x25000000/0xff000000</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>vti-interface=conn37</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>phase2alg=aes256-sha2_256</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>auto=ignore</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>type=tunnel</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>compress=no</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>pfs=yes</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>ikepad=yes</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>authby=rsasig</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>phase2=esp</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>ikev2=permit</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>ppk=no</div>


<div class=""><span class="Apple-tab-span" style="white-space: pre;"></span>esn=no</div>


<div class=""><br class="">


</div>


</div>


<div class="">


<div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none;">


--</div>


<div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none;">


cm</div>


</div>


<br class="">


</body>


</html>