Discussion:
[IKEv2 Mobike] error uninstalling route installed with policy
a***@public.gmane.org
2014-08-21 13:16:12 UTC
Hi all,

I'm using strongSwan to do IKEv2 MOBIKE. The ipsec.conf is:

config setup
    strictcrlpolicy=no
    # charonstart=yes
    # plutostart=no

conn %default
    ikelifetime=28800s
    keylife=28800s
    rekeymargin=3m
    keyingtries=3
    keyexchange=ikev2
    ike=3des-sha1-modp1024
    esp=3des-sha1

conn client
    #left=%any
    #left=%defaultroute
    left=12.12.1.201
    leftsourceip=%config
    leftcert=client1_cert.pem
    leftid="/C=CN/ST=SH/O=SNWL/CN=IKEv2_Client1"
    right=11.11.11.200
    rightid="/C=CN/ST=SH/O=SNWL/CN=11.11.11.200"
    rightsubnet=192.168.168.0/24
    auto=add

The left side is a CentOS 5.9 PC; the right side is a SonicWall box which
supports IKEv2 MOBIKE.
The PC has two interfaces:
eth1 IP is 12.12.1.201
eth2 IP is 12.12.2.202
The SonicWall box WAN IP is 11.11.11.200

First PC-eth1 connects to the SonicWall box and gets the dynamic IP address
172.16.1.20 from the SonicWall box; ping to the right subnet 192.168.168.2 passes.
The ipsec status is
Security Associations (1 up, 0 connecting):
  client[8]: ESTABLISHED 31 seconds ago, 12.12.1.201[C=CN, ST=SH, O=SNWL, CN=IKEv2_Client1]...11.11.11.200[C=CN, ST=SH, O=SNWL, CN=11.11.11.200]
  client{8}: INSTALLED, TUNNEL, ESP SPIs: c6fd4979_i c183bc8c_o
  client{8}: 172.16.1.20/32 === 192.168.168.0/24

Then I bring eth1 down and eth2 up; the detailed commands are
ifup eth2
route add -net 11.11.11.0 netmask 255.255.255.0 gw 12.12.2.101
ifconfig eth1 down

Then I check the ipsec status
Security Associations (1 up, 0 connecting):
  client[12]: ESTABLISHED 8 minutes ago, 12.12.2.202[C=CN, ST=SH, O=SNWL, CN=IKEv2_Client1]...11.11.11.200[C=CN, ST=SH, O=SNWL, CN=11.11.11.200]
  client{12}: INSTALLED, TUNNEL, ESP SPIs: c84ed7a1_i 0dbbeb51_o
  client{12}: 172.16.1.20/32 === 192.168.168.0/24

The left side IP has changed from 12.12.1.201 to 12.12.2.202.
But ping to the right subnet 192.168.168.2 fails.
I don't know why ping to the right subnet fails. It should pass.

The charon log is below. There is a line I have marked in red. Does this error
cause the ping failure?
error uninstalling route installed with policy 192.168.168.0/24 === 172.16.1.20/32 fwd


Aug 21 18:29:39 03[IKE] initiating IKE_SA client[12] to 11.11.11.200
Aug 21 18:29:39 03[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Aug 21 18:29:39 03[NET] sending packet: from 12.12.1.201[500] to 11.11.11.200[500] (536 bytes)
Aug 21 18:29:39 02[NET] received packet: from 11.11.11.200[500] to 12.12.1.201[500] (337 bytes)
Aug 21 18:29:39 02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ N(NATD_S_IP) N(NATD_D_IP) V ]
Aug 21 18:29:39 02[ENC] received unknown vendor ID: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96:6f:00:01
Aug 21 18:29:39 02[IKE] received cert request for "C=CN, ST=SH, O=SNWL, CN=ROOTCA"
Aug 21 18:29:39 02[IKE] sending cert request for "C=CN, ST=SH, O=SNWL, CN=ROOTCA"
Aug 21 18:29:39 02[IKE] authentication of 'C=CN, ST=SH, O=SNWL, CN=IKEv2_Client1' (myself) with RSA signature successful
Aug 21 18:29:39 02[IKE] sending end entity cert "C=CN, ST=SH, O=SNWL, CN=IKEv2_Client1"
Aug 21 18:29:39 02[IKE] establishing CHILD_SA client
Aug 21 18:29:39 02[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
Aug 21 18:29:39 02[NET] sending packet: from 12.12.1.201[4500] to 11.11.11.200[4500] (1188 bytes)
Aug 21 18:29:39 10[NET] received packet: from 11.11.11.200[4500] to 12.12.1.201[4500] (988 bytes)
Aug 21 18:29:39 10[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) ]
Aug 21 18:29:39 10[IKE] received end entity cert "C=CN, ST=SH, O=SNWL, CN=11.11.11.200"
Aug 21 18:29:39 10[CFG] using certificate "C=CN, ST=SH, O=SNWL, CN=11.11.11.200"
Aug 21 18:29:39 10[CFG] using trusted ca certificate "C=CN, ST=SH, O=SNWL, CN=ROOTCA"
Aug 21 18:29:39 10[CFG] checking certificate status of "C=CN, ST=SH, O=SNWL, CN=11.11.11.200"
Aug 21 18:29:39 10[CFG] certificate status is not available
Aug 21 18:29:39 10[CFG] reached self-signed root ca with a path length of 0
Aug 21 18:29:39 10[IKE] authentication of 'C=CN, ST=SH, O=SNWL, CN=11.11.11.200' with RSA signature successful
Aug 21 18:29:39 10[IKE] IKE_SA client[12] established between 12.12.1.201[C=CN, ST=SH, O=SNWL, CN=IKEv2_Client1]...11.11.11.200[C=CN, ST=SH, O=SNWL, CN=11.11.11.200]
Aug 21 18:29:39 10[IKE] scheduling reauthentication in 28502s
Aug 21 18:29:39 10[IKE] maximum IKE_SA lifetime 28682s
Aug 21 18:29:39 10[IKE] installing DNS server 11.11.11.111 to /etc/resolv.conf
Aug 21 18:29:39 10[IKE] installing new virtual IP 172.16.1.20
Aug 21 18:29:39 10[IKE] CHILD_SA client{12} established with SPIs c84ed7a1_i 0dbbeb51_o and TS 172.16.1.20/32 === 192.168.168.0/24
Aug 21 18:29:39 10[IKE] peer supports MOBIKE
Aug 21 18:29:56 07[KNL] interface eth2 activated
Aug 21 18:29:56 04[IKE] sending address list update using MOBIKE
Aug 21 18:29:56 04[ENC] generating INFORMATIONAL request 2 [ N(ADD_4_ADDR) ]
Aug 21 18:29:56 04[NET] sending packet: from 12.12.1.201[4500] to 11.11.11.200[4500] (68 bytes)
Aug 21 18:29:56 11[NET] received packet: from 11.11.11.200[4500] to 12.12.1.201[4500] (60 bytes)
Aug 21 18:29:56 11[ENC] parsed INFORMATIONAL response 2 [ ]
Aug 21 18:29:57 08[KNL] 12.12.2.202 appeared on eth2
Aug 21 18:29:57 02[IKE] sending address list update using MOBIKE
Aug 21 18:29:57 02[ENC] generating INFORMATIONAL request 3 [ N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Aug 21 18:29:57 02[NET] sending packet: from 12.12.1.201[4500] to 11.11.11.200[4500] (84 bytes)
Aug 21 18:29:57 05[NET] received packet: from 11.11.11.200[4500] to 12.12.1.201[4500] (60 bytes)
Aug 21 18:29:57 05[ENC] parsed INFORMATIONAL response 3 [ ]
Aug 21 18:30:19 09[KNL] interface eth1 deactivated
Aug 21 18:30:19 06[IKE] old path is not available anymore, try to find another
Aug 21 18:30:19 06[IKE] looking for a route to 11.11.11.200 ...
Aug 21 18:30:19 06[IKE] requesting address change using MOBIKE
Aug 21 18:30:19 06[ENC] generating INFORMATIONAL request 4 [ ]
Aug 21 18:30:19 06[IKE] checking path 12.12.2.202[4500] - 11.11.11.200[4500]
Aug 21 18:30:19 06[NET] sending packet: from 12.12.2.202[4500] to 11.11.11.200[4500] (60 bytes)
Aug 21 18:30:19 05[NET] received packet: from 11.11.11.200[4500] to 12.12.2.202[4500] (60 bytes)
Aug 21 18:30:19 05[ENC] parsed INFORMATIONAL response 4 [ ]
Aug 21 18:30:19 05[KNL] unable to copy replay state from old SAD entry with SPI c84ed7a1
Aug 21 18:30:19 05[KNL] unable to copy replay state from old SAD entry with SPI 0dbbeb51
Aug 21 18:30:19 05[KNL] error uninstalling route installed with policy 192.168.168.0/24 === 172.16.1.20/32 fwd
Aug 21 18:30:19 05[NET] sending packet: from 12.12.2.202[4500] to 11.11.11.200[4500] (156 bytes)
Aug 21 18:30:19 09[NET] received packet: from 11.11.11.200[4500] to 12.12.2.202[4500] (140 bytes)
Aug 21 18:30:19 09[ENC] parsed INFORMATIONAL response 5 [ N(NATD_S_IP) N(NATD_D_IP) N(COOKIE2) ]


Thanks
Amy
Tobias Brunner
2014-08-21 16:30:26 UTC
Hi Amy,
Does this error cause the ping failure?
error uninstalling route installed with policy
192.168.168.0/24 === 172.16.1.20/32 fwd
That's normal. Because the interface that was referenced in this route
(eth1) disappeared, the route was already removed by the kernel when
charon eventually tries to uninstall it, so you get this error/warning.
Aug 21 18:30:19 05[KNL] unable to copy replay state from old SAD entry
with SPI c84ed7a1
Aug 21 18:30:19 05[KNL] unable to copy replay state from old SAD entry
with SPI 0dbbeb51
For some reason retrieving the current ESP sequence numbers for these
SAs failed on your system.

Because we can't update the IPsec SAs installed in the kernel directly,
but have to delete and reinstall them instead, we need to copy the old
replay state to the new SA. If that fails the newly installed SAs can't
be used as the sequence numbers aren't in-sync between the two peers.
I'm not sure when this could actually fail. The XFRM_MSG_GETAE query
seems to have been successful (you'd have gotten an additional error
otherwise), and I don't see how the kernel could not return the
requested state without reporting an error.

You could try to add some DBG statements in get_replay_state() in
kernel_netlink_ipsec.c to see what's going on (e.g. what message types
the kernel returns or what attribute types if out_aevent is assigned).

What kernel version do you use? What strongSwan version? Any custom
patches applied to either one?

In any case we should probably check early on if get_replay_state()
actually returned anything and fail if it did not so that the IPsec SAs
could be rekeyed (we already use this fallback on other platforms, e.g.
FreeBSD, where updating SAs is not possible at all).

Regards,
Tobias
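To make the failure mode Tobias describes concrete, here is an added example (my own code, not strongSwan's kernel-netlink plugin and not part of the thread): a toy RFC 4303 anti-replay window on the receiving side, and a model of charon deleting an SA and adding it back with the new address, with or without copying the old replay state. The window size, the sequence numbers, the packet counts and the assumption that a freshly added XFRM state starts its counters at zero are all constructed for the demonstration.

```python
"""Added example, not strongSwan code: why the ESP anti-replay state has to
survive charon's delete-and-reinstall of an XFRM SA after a MOBIKE address
change. Sequence numbers, window size and packet counts are constructed."""


class ReplayWindow:
    """Minimal RFC 4303 anti-replay receiver (32-bit sequence numbers, no ESN)."""

    def __init__(self, size=32):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set <=> sequence number (top - i) was seen

    def accept(self, seq):
        """Return True if seq is fresh and record it; False for a replay."""
        if seq == 0:
            return False                 # RFC 4303: the first packet uses seq 1
        if seq > self.top:               # right of the window: slide it
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                 # left of the window: too old
        if self.bitmap & (1 << diff):
            return False                 # inside the window but already seen
        self.bitmap |= 1 << diff
        return True


class OutboundSA:
    """Sender side of an SA: only the outbound sequence counter (oseq) matters here."""

    def __init__(self, oseq=0):
        self.oseq = oseq

    def next_seq(self):
        self.oseq += 1
        return self.oseq


def reinstall_outbound(old, copy_replay_state):
    """Model of charon deleting the old SA and adding a new one with the peer's
    new address. Assumption for this example: a freshly added XFRM state starts
    counting at zero unless the old counter is copied into it."""
    return OutboundSA(old.oseq if copy_replay_state else 0)


def reinstall_inbound(old, copy_replay_state):
    """Same for the inbound direction: the receive window is either carried over
    or starts empty."""
    return old if copy_replay_state else ReplayWindow(old.size)


def pings_accepted_after_switch(copy_replay_state, before=40, after=5):
    """Outbound failure mode (the symptom in the thread): send `before` packets,
    switch address, send `after` more. Returns how many of the latter the peer
    accepts."""
    sa, peer = OutboundSA(), ReplayWindow()
    for _ in range(before):
        assert peer.accept(sa.next_seq())
    sa = reinstall_outbound(sa, copy_replay_state)
    return sum(peer.accept(sa.next_seq()) for _ in range(after))


def replay_accepted_after_switch(copy_replay_state, before=40):
    """Inbound failure mode: an attacker records the last packet before the
    switch and resends it afterwards. Returns True if the local SA accepts it."""
    peer, local = OutboundSA(), ReplayWindow()
    captured = None
    for _ in range(before):
        captured = peer.next_seq()
        local.accept(captured)
    local = reinstall_inbound(local, copy_replay_state)
    return local.accept(captured)


if __name__ == "__main__":
    for copied in (True, False):
        label = "copied" if copied else "lost  "
        print("replay state %s: %d/5 post-switch pings accepted by the peer, "
              "replayed packet accepted locally: %s"
              % (label, pings_accepted_after_switch(copied),
                 replay_accepted_after_switch(copied)))
```

With the state copied the peer keeps accepting; without it every post-switch packet from the restarted counter lands left of the peer's window and is silently dropped, which is exactly a ping that fails while `ipsec status` still shows the CHILD_SA as INSTALLED. The inbound case shows the less visible cost of the same bug: a packet recorded before the switch is accepted again by the reinstalled SA, so the replay protection is gone until the SA is rekeyed.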
a***@public.gmane.org
2014-08-22 03:49:12 UTC
Hi Tobias,
Thanks for your reply

My PC is CentOS 5.9
lsb_release -a
LSB Version:    :core-4.0-ia32:core-4.0-noarch:graphics-4.0-ia32:graphics-4.0-noarch:printing-4.0-ia32:printing-4.0-noarch
Distributor ID: CentOS
Description:    CentOS release 5.9 (Final)
Release:        5.9
Codename:       Final

cat /proc/version
Linux version 2.6.18-348.1.1.el5 (mockbuild-t2f/um9L7dgPk0tSmcHan2D2FQJk+8+***@public.gmane.org) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-54)) #1 SMP Tue Jan 22 16:24:03 EST 2013

The strongSwan version is Linux strongSwan U5.1.0/K2.6.18-348.1.1.el5

I don't know how to add DBG statements to get_replay_state() as I don't
know C very well; could you give me some DBG statements?

Regards
Amy
a***@public.gmane.org
2014-08-22 06:11:41 UTC
Hi Tobias,

I have tried the same steps on CentOS 6.2. There are no "unable to copy
replay state from old SAD entry" logs, and ping to the right subnets passes after
the PC interface is updated.
Below is the PC information for CentOS 6.2

lsb_release -a
LSB Version:    :core-4.0-ia32:core-4.0-noarch:graphics-4.0-ia32:graphics-4.0-noarch:printing-4.0-ia32:printing-4.0-noarch
Distributor ID: CentOS
Description:    CentOS release 6.2 (Final)
Release:        6.2
Codename:       Final

cat /proc/version
Linux version 2.6.32-220.el6.i686 (mockbuild-lIMDeJ/***@public.gmane.org) (gcc version 4.4.6 20110731 (Red Hat 4.4.6-3) (GCC) ) #1 SMP Tue Dec 6 16:15:40 GMT 2011

The strongSwan version is Linux strongSwan U5.0.2/K2.6.32-220.el6.i686

Best Regards
Amy
a***@public.gmane.org
2014-08-22 07:01:40 UTC
I tried several times on CentOS 5.9 and 6.2 separately; every time, ping to the
right subnets passes on CentOS 6.2 but fails on CentOS 5.9.
Is there anything about the Linux kernel version?

I also noticed that when strongSwan starts, there are plugins unable to
load, but I don't know which plugins can't be loaded.

Aug 22 11:29:35 00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Aug 22 11:29:35 00[LIB] unable to load 6 plugin features (6 due to unmet dependencies)

Best Regards
Amy
Tobias Brunner
2014-08-22 08:04:20 UTC
Hi Amy,
Post by a***@public.gmane.org
I don't know how to add DBG statements to get_replay_state() as I don't
know C very well; could you give me some DBG statements?
You can try the attached patch. You'll have to compile strongSwan from
sources [1] and apply the patch after extracting the tarball with:

patch -p1 < /path/to/kernel-netlink.patch

If you installed strongSwan from an RPM package uninstall that first.
Post by a***@public.gmane.org
I tried several times on centos 5.9 and 6.2 separately, every time,
ping to right subnets pass on centos 6.2 but fail on centos 5.9.
Is there anything about linux kernel version?
Yes, most likely there is something amiss with the 2.6.18 kernel used by
CentOS 5.9.
Post by a***@public.gmane.org
I also noticed that when strongSwan starts, there are plugins unable
to load, but I don't know which plugins can't be loaded.
These shouldn't be an issue (most likely some DSA plugin features that
none of our crypto backends support).

Regards,
Tobias

[1]
https://wiki.strongswan.org/projects/strongswan/wiki/InstallationDocumentation#Compile-yourself