[Strongswan] Strongswan is deleting IKE_SA without any notification error
SaRaVanAn
13 years ago
Hi,
I formed a site-to-site tunnel between strongSwan and Cisco.

R1 ============== R2.

After some time, strongSwan deletes the IKE_SA without sending any
notification, which results in a rekeying failure with the peer. Please find
the logs below.
Logs
+++++++++++++++++

Jun 28 13:00:52 uxcasxxx charon: 12[IKE] 172.31.114.211 is initiating an IKE_SA
Jun 28 13:00:52 uxcasxxx charon: 12[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
Jun 28 13:00:52 uxcasxxx charon: 12[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
Jun 28 13:00:52 uxcasxxx charon: 12[IKE] sending cert request for "C=IN, ST=TN, L=CH, O=CAS, E=saravanan-***@public.gmane.org"
Jun 28 13:00:52 uxcasxxx charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jun 28 13:00:52 uxcasxxx charon: 12[NET] sending packet: from 172.31.114.227[500] to 172.31.114.211[500]
Jun 28 13:00:52 uxcasxxx charon: 14[NET] received packet: from 172.31.114.211[500] to 172.31.114.227[500]
Jun 28 13:00:52 uxcasxxx charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr ]
Jun 28 13:00:52 uxcasxxx charon: 14[CFG] looking for peer configs matching 172.31.114.227[%any]...172.31.114.211[cross-***@public.gmane.org]
Jun 28 13:00:52 uxcasxxx charon: 14[CFG] selected peer config 'fqdn_vr'
Jun 28 13:00:52 uxcasxxx charon: 14[IKE] authentication of 'cross-***@public.gmane.org' with pre-shared key successful
Jun 28 13:00:52 uxcasxxx charon: 14[IKE] authentication of '172.31.114.227' (myself) with pre-shared key
Jun 28 13:00:52 uxcasxxx charon: 14[IKE] deleting duplicate IKE_SA for peer 'cross-***@public.gmane.org' due to uniqueness policy
Jun 28 13:00:52 uxcasxxx charon: 14[IKE] deleting IKE_SA fqdn_vr[3] between 172.31.114.227[172.31.114.227]...172.31.114.211[cross-***@public.gmane.org]
Jun 28 13:00:52 uxcasxxx charon: 14[IKE] sending DELETE for IKE_SA fqdn_vr[3]
Jun 28 13:00:52 uxcasxxx charon: 14[ENC] generating INFORMATIONAL request 0 [ D ]
Jun 28 13:00:52 uxcasxxx charon: 14[NET] sending packet: from 172.31.114.227[500] to 172.31.114.211[500]
Jun 28 13:00:52 uxcasxxx charon: 14[IKE] IKE_SA fqdn_vr[4] established between 172.31.114.227[172.31.114.227]...172.31.114.211[cross-***@public.gmane.org]
Jun 28 13:00:52 uxcasxxx charon: 14[IKE] CHILD_SA fqdn_vr{4} established with SPIs c42991a0_i 4f98c63c_o and TS 172.31.114.227/32 === 0.0.0.0/0
Jun 28 13:00:52 uxcasxxx charon: 14[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
Jun 28 13:00:52 uxcasxxx charon: 14[NET] sending packet: from 172.31.114.227[500] to 172.31.114.211[500]
Jun 28 13:00:56 uxcasxxx charon: 13[IKE] retransmit 1 of request with message ID 0
Jun 28 13:00:56 uxcasxxx charon: 13[NET] sending packet: from 172.31.114.227[500] to 172.31.114.211[500]
Jun 28 13:01:04 uxcasxxx charon: 07[IKE] retransmit 2 of request with message ID 0
Jun 28 13:01:04 uxcasxxx charon: 07[NET] sending packet: from 172.31.114.227[500] to 172.31.114.211[500]
Jun 28 13:01:17 uxcasxxx charon: 08[IKE] retransmit 3 of request with message ID 0
Jun 28 13:01:17 uxcasxxx charon: 08[NET] sending packet: from 172.31.114.227[500] to 172.31.114.211[500]
Jun 28 13:01:22 uxcasxxx charon: 10[IKE] destroying IKE_SA in state DELETING without notification


Conf:
++++++++++
cacert=ikeca_fqdn.crt
auto=add

config setup
    plutostart=yes
    plutodebug=all
    charonstart=yes
    charondebug=all
    nat_traversal=yes
    crlcheckinterval=10m
    strictcrlpolicy=no

conn %default
    ikelifetime=1h
    keylife=2h
    keyingtries=1

conn fqdn_vr
    auth=esp
    type=tunnel
    keyexchange=ikev2
    left=172.31.114.227
    right=%any
    rightid=cross-***@public.gmane.org
    rightsubnet=0.0.0.0/0
    authby=secret
    pfs=no
    rekey=no
    auto=add

ipsec.secrets
++++++++++
172.31.114.227 cross-***@public.gmane.org : PSK "sachinten1"

Please provide your inputs on this.

Regards,
Saravanan N
Martin Willi
13 years ago
Post by SaRaVanAn
After some time, strongSwan deletes the IKE_SA without sending any notification
Not "after some time", but after another (or the same?) peer connects.
Post by SaRaVanAn
uniqueness policy
Have a look at the ipsec.conf "uniqueids" option to see how to handle
multiple clients with the same identity. Maybe the same peer tries to
reauthenticate, but that might be problematic if a uniqueness policy is
in place.
Post by SaRaVanAn
14[IKE] sending DELETE for IKE_SA fqdn_vr[3]
14[ENC] generating INFORMATIONAL request 0 [ D ]
And a notify is sent for the old SA, but the peer never responds to the
delete exchange.

Regards
Martin
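To make Martin's reading of the log concrete, here is an added example (it is not part of the thread and not strongSwan code) that parses the charon lines quoted above and correlates the uniqueness-policy deletion of fqdn_vr[3] with the INFORMATIONAL [ D ] request that the Cisco side never answered and with the final destroy. The regular expressions are written against the log format quoted in this thread and are an assumption about that format, not a strongSwan API; the retransmit constants are the documented strongswan.conf defaults for charon.retransmit_timeout, charon.retransmit_base and charon.retransmit_tries; the sample log is the thread's own lines, rejoined where the mail client wrapped them.

```python
"""Reconstruct, from the charon log quoted in this thread, why an IKE_SA was
"destroyed in state DELETING without notification".

Added example, not strongSwan code.  The regexes target the charon log format
quoted in the thread (an older release) and are an assumption about that format;
the retransmit constants are the documented strongswan.conf charon.* defaults."""
import re
from datetime import datetime

# Constructed sample: the relevant records from the original post, with the
# mail-wrapped lines rejoined so that each record is one line.
SAMPLE_LOG = """\
Jun 28 13:00:52 uxcasxxx charon: 12[IKE] 172.31.114.211 is initiating an IKE_SA
Jun 28 13:00:52 uxcasxxx charon: 14[IKE] authentication of 'cross-***@public.gmane.org' with pre-shared key successful
Jun 28 13:00:52 uxcasxxx charon: 14[IKE] deleting duplicate IKE_SA for peer 'cross-***@public.gmane.org' due to uniqueness policy
Jun 28 13:00:52 uxcasxxx charon: 14[IKE] deleting IKE_SA fqdn_vr[3] between 172.31.114.227[172.31.114.227]...172.31.114.211[cross-***@public.gmane.org]
Jun 28 13:00:52 uxcasxxx charon: 14[IKE] sending DELETE for IKE_SA fqdn_vr[3]
Jun 28 13:00:52 uxcasxxx charon: 14[ENC] generating INFORMATIONAL request 0 [ D ]
Jun 28 13:00:52 uxcasxxx charon: 14[IKE] IKE_SA fqdn_vr[4] established between 172.31.114.227[172.31.114.227]...172.31.114.211[cross-***@public.gmane.org]
Jun 28 13:00:56 uxcasxxx charon: 13[IKE] retransmit 1 of request with message ID 0
Jun 28 13:01:04 uxcasxxx charon: 07[IKE] retransmit 2 of request with message ID 0
Jun 28 13:01:17 uxcasxxx charon: 08[IKE] retransmit 3 of request with message ID 0
Jun 28 13:01:22 uxcasxxx charon: 10[IKE] destroying IKE_SA in state DELETING without notification
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ charon: "
                     r"\d+\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
P_DUPLICATE = re.compile(r"deleting duplicate IKE_SA for peer '([^']+)' due to uniqueness policy")
P_DELETING = re.compile(r"deleting IKE_SA (\S+\[\d+\]) between")
P_DELETE_REQ = re.compile(r"generating INFORMATIONAL request (\d+) \[ D \]")
P_ESTABLISHED = re.compile(r"IKE_SA (\S+\[\d+\]) established between")
P_RETRANSMIT = re.compile(r"retransmit (\d+) of request with message ID (\d+)")
P_RESPONSE = re.compile(r"parsed INFORMATIONAL response (\d+)")
P_DESTROYED = re.compile(r"destroying IKE_SA in state DELETING without notification")

RETRANSMIT_TIMEOUT, RETRANSMIT_BASE, RETRANSMIT_TRIES = 4.0, 1.8, 5  # charon.retransmit_* defaults


def expected_retransmit_offsets(tries=RETRANSMIT_TRIES, timeout=RETRANSMIT_TIMEOUT, base=RETRANSMIT_BASE):
    """Cumulative seconds after the first send of each default retransmit (gap n is timeout*base**n)."""
    offsets, total = [], 0.0
    for n in range(tries):
        total += timeout * base ** n
        offsets.append(round(total, 2))
    return offsets


def parse(lines):
    """Yield (timestamp, group, message) for each line in charon syslog format."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["group"], m["msg"]


def analyse(lines):
    """Correlate the uniqueness-policy deletion, the unanswered DELETE exchange
    and the final destroy; returns the findings as a dict."""
    r = {"trigger_peer": None, "old_sa": None, "new_sa": None, "delete_mid": None, "delete_sent": None,
         "retransmit_offsets_s": [], "peer_responded": False, "destroyed_after_s": None}
    for ts, _group, msg in parse(lines):
        if m := P_DUPLICATE.search(msg):
            r["trigger_peer"] = m[1]
        elif m := P_DELETING.search(msg):
            r["old_sa"] = m[1]
        elif (m := P_DELETE_REQ.search(msg)) and r["old_sa"] and r["delete_sent"] is None:
            r["delete_mid"], r["delete_sent"] = int(m[1]), ts  # the [ D ] request for the old SA
        elif (m := P_ESTABLISHED.search(msg)) and r["old_sa"] and m[1] != r["old_sa"]:
            r["new_sa"] = m[1]
        elif r["delete_sent"] is None:
            continue  # everything below is measured relative to the DELETE we sent
        elif (m := P_RETRANSMIT.search(msg)) and int(m[2]) == r["delete_mid"]:
            r["retransmit_offsets_s"].append(int((ts - r["delete_sent"]).total_seconds()))
        elif (m := P_RESPONSE.search(msg)) and int(m[1]) == r["delete_mid"]:
            r["peer_responded"] = True
        elif P_DESTROYED.search(msg):
            r["destroyed_after_s"] = int((ts - r["delete_sent"]).total_seconds())
    exp = expected_retransmit_offsets()
    seen = r["retransmit_offsets_s"]
    # Syslog timestamps have 1 s granularity, so allow 1 s of slack per retransmit.
    r["backoff_matches_defaults"] = bool(seen) and all(abs(o - e) <= 1.0 for o, e in zip(seen, exp))
    # With default settings charon retransmits 5 times before giving up; a destroy
    # earlier than the last default retransmit did not come from that give-up path.
    r["destroyed_before_retransmit_budget"] = (r["destroyed_after_s"] is not None
                                               and r["destroyed_after_s"] < exp[-1])
    return r


def summarise(r):
    """One-line reading of the findings, in the order the thread argues them."""
    if not r["old_sa"]:
        return "no uniqueness-policy deletion found"
    answered = "was" if r["peer_responded"] else "was never"
    return (f"{r['old_sa']} deleted because peer '{r['trigger_peer']}' brought up {r['new_sa']} under the "
            f"uniqueness policy; its DELETE (message ID {r['delete_mid']}) was retransmitted "
            f"{len(r['retransmit_offsets_s'])}x at +{r['retransmit_offsets_s']} s and {answered} answered; "
            f"SA destroyed without notification {r['destroyed_after_s']} s after the DELETE")


if __name__ == "__main__":
    print(summarise(analyse(SAMPLE_LOG)))
```

Run against the sample, the DELETE for fqdn_vr[3] goes out in the same second fqdn_vr[4] comes up, is retransmitted at +4, +12 and +25 s (consistent with the default 4.0 s, base 1.8 backoff to within the log's 1 s granularity), gets no response, and the old SA is torn down 30 s later: the "without notification" message is the end of an exchange the peer ignored, not an unprovoked teardown. The comparison against the default schedule is the check worth keeping: here the destroy comes well before the default five retransmits would have been exhausted, so the retransmit settings alone do not explain the timing and the charon.retransmit_* values on the host are worth confirming.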
SaRaVanAn
13 years ago
Hi Martin,
Thanks for your inputs.
I am concerned about the error messages below. I'm not trying to connect
multiple IKE peers with the same identity.

Why is strongSwan trying to destroy the IKE_SA (see the logs below) after
the tunnel has been formed?

Jun 28 13:00:52 uxcasxxx charon: 14[IKE] IKE_SA fqdn_vr[4] established between 172.31.114.227[172.31.114.227]...172.31.114.211[cross-***@public.gmane.org]
Jun 28 13:00:52 uxcasxxx charon: 14[IKE] CHILD_SA fqdn_vr{4}
Jun 28 13:00:52 uxcasxxx charon: 14[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
Jun 28 13:00:52 uxcasxxx charon: 14[NET] sending packet: from 172.31.114.227[500] to 172.31.114.211[500]
Jun 28 13:00:56 uxcasxxx charon: 13[IKE] retransmit 1 of request with message ID 0
Jun 28 13:00:56 uxcasxxx charon: 13[NET] sending packet: from 172.31.114.227[500] to 172.31.114.211[500]
Jun 28 13:01:04 uxcasxxx charon: 07[IKE] retransmit 2 of request with message ID 0
Jun 28 13:01:04 uxcasxxx charon: 07[NET] sending packet: from 172.31.114.227[500] to 172.31.114.211[500]
Jun 28 13:01:17 uxcasxxx charon: 08[IKE] retransmit 3 of request with message ID 0
Jun 28 13:01:17 uxcasxxx charon: 08[NET] sending packet: from 172.31.114.227[500] to 172.31.114.211[500]
Jun 28 13:01:22 uxcasxxx charon: 10[IKE] destroying IKE_SA in state DELETING without notification

Regards,
Saravanan N