[strongSwan] ipsec statusall: missing number of packets output
Marco Berizzi
2018-05-24 11:52:21 UTC
Hello everyone,

Kindly I would like to ask if there is any known reason
why ipsec statusall sometimes doesn't print the number
of packets for the child_sa. Here is an example for the
bytes_i:

ts-net{453}: AES_CBC_256/HMAC_SHA2_256_128/ECP_384, 1467110312 bytes_i, 3075678241 bytes_o (2443951 pkts, 49s ago), rekeying in 3 hours

Instead here is another example where the output is
complete:

ts-net{1165}: AES_CBC_256/HMAC_SHA2_256_128/ECP_384, 8452 bytes_i (211 pkts, 19s ago), 9360 bytes_o (213 pkts, 168s ago), rekeying in 7 hours

strongSwan version is 5.6.3dr1

Thanks
Tobias Brunner
2018-05-24 13:44:00 UTC
Hi Marco,

> Kindly I would like to ask if there is any known reason
> why ipsec statusall sometimes doesn't print the number
> of packets for the child_sa.

The number of packets is printed if a last use time can be determined
via the respective policy. Check the log for errors regarding querying
the inbound policy (you could increase the log level for knl to see a
bit more about the interaction with the kernel).

Regards,
Tobias
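As an added example (not code from this thread or from strongSwan), a small Python parser for the CHILD_SA traffic lines of `ipsec statusall` that flags any SA where a direction lacks its `(N pkts, Ts ago)` counter, which per the reply above means the last-use time of that policy could not be queried. The line format is assumed from the two samples Marco posted; the sample text below is constructed from those lines.

```python
import re

# One direction of traffic: "<bytes> bytes_i" or "<bytes> bytes_o", optionally
# followed by "(<pkts> pkts, <secs>s ago)". The parenthesised part is what goes
# missing when charon cannot determine the policy's last-use time.
DIR_RE = re.compile(
    r"(?P<bytes>\d+) bytes_(?P<dir>[io])"
    r"(?: \((?P<pkts>\d+) pkts, (?P<age>\d+)s ago\))?"
)
# Traffic line: "<conn>{<id>}: <algs>, <directions...>, rekeying in ..."
# Lines such as "INSTALLED, TUNNEL, ..." or traffic selectors "a/24 === b/23"
# do not carry a bytes_i/bytes_o field and are ignored.
LINE_RE = re.compile(r"^(?P<name>\S+)\{(?P<id>\d+)\}:\s+(?P<algs>[A-Z0-9_/]+),\s*(?P<rest>.*)$")


def parse_child_sa_line(line):
    """Parse a CHILD_SA traffic line; return None for any other statusall line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    dirs = {}
    for d in DIR_RE.finditer(m.group("rest")):
        dirs[d.group("dir")] = {
            "bytes": int(d.group("bytes")),
            "pkts": int(d.group("pkts")) if d.group("pkts") else None,
            "age": int(d.group("age")) if d.group("age") else None,
        }
    if not dirs:
        return None
    return {"name": m.group("name"), "id": int(m.group("id")), "dirs": dirs}


def find_incomplete(statusall_output):
    """Return [(conn, id, [missing directions])] for SAs lacking a packet counter."""
    flagged = []
    for line in statusall_output.splitlines():
        sa = parse_child_sa_line(line)
        if sa is None:
            continue
        missing = [d for d in ("i", "o") if d not in sa["dirs"] or sa["dirs"][d]["pkts"] is None]
        if missing:
            flagged.append((sa["name"], sa["id"], missing))
    return flagged


# Constructed sample: the two lines from the original post, one incomplete.
SAMPLE = """\
   ts-net{453}:  AES_CBC_256/HMAC_SHA2_256_128/ECP_384, 1467110312 bytes_i, 3075678241 bytes_o (2443951 pkts, 49s ago), rekeying in 3 hours
   ts-net{1165}:  AES_CBC_256/HMAC_SHA2_256_128/ECP_384, 8452 bytes_i (211 pkts, 19s ago), 9360 bytes_o (213 pkts, 168s ago), rekeying in 7 hours
"""

if __name__ == "__main__":
    for name, sa_id, missing in find_incomplete(SAMPLE):
        print(f"{name}{{{sa_id}}}: no packet counter for bytes_{'/'.join(missing)}")
```

Feeding it the live output (`ipsec statusall | python3 check_sa.py`, reading stdin instead of SAMPLE) turns the symptom discussed here into a check that can run periodically.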
Marco Berizzi
2018-05-25 09:22:46 UTC
Hi Tobias,

> The number of packets is printed if a last use time can be determined
> via the respective policy.

thanks for the explanation. Indeed that policy was problematic:
packets were going out, but not vice versa.
After an "ipsec down child_sa" and "ipsec up child_sa" traffic
was full duplex again. But I need to understand why this is
happening. This is an IKEv2 tunnel to a CrapPoint R77.30:
every few days this problem is popping up.

> Check the log for errors regarding querying
> the inbound policy (you could increase the log level for knl to see a
> bit more about the interaction with the kernel).

this is my log configuration:

stderr {
# more detailed loglevel for a specific subsystem, overriding the
# default loglevel.
ike = 2
knl = 3
}

is knl = 3 enough?
Tobias Brunner
2018-05-25 10:00:21 UTC
Hi Marco,

> thanks for the explanation. Indeed that policy was problematic:
> packets were going out, but not vice versa.

Sounds strange, policies should not just disappear.

> is knl = 3 enough?

Set it to 2, with 3 your log will only fill up with binary dumps of
kernel messages.

Regards,
Tobias
Tobias Brunner
2018-05-25 10:03:45 UTC
>> is knl = 3 enough?
>
> Set it to 2, with 3 your log will only fill up with binary dumps of
> kernel messages.

You can also use the log settings at [1] so we see a bit more about
what's going on.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
Marco Berizzi
2018-07-10 11:55:26 UTC
Hi Tobias,

> Hi Marco,
>
> > Kindly I would like to ask if there is any known reason
> > why ipsec statusall sometimes doesn't print the number
> > of packets for the child_sa.
>
> The number of packets is printed if a last use time can be determined
> via the respective policy. Check the log for errors regarding querying
> the inbound policy (you could increase the log level for knl to see a
> bit more about the interaction with the kernel).

After nearly 2 months it happened again:

ts-20.96.144.0{126302}: INSTALLED, TUNNEL, reqid 244, ESP SPIs: cd63dff4_i 5215984b_o
ts-20.96.144.0{126302}: AES_CBC_256/HMAC_SHA2_256_128/ECP_384, 2988620 bytes_i (6591 pkts, 314s ago), 2048852 bytes_o, rekeying in 5 hours
ts-20.96.144.0{126302}: 10.28.155.0/24 === 20.96.144.0/23
ts-20.96.216.0{126305}: INSTALLED, TUNNEL, reqid 246, ESP SPIs: c5504cbc_i 5d35c82a_o
ts-20.96.216.0{126305}: AES_CBC_256/HMAC_SHA2_256_128/ECP_384, 169442 bytes_i, 40867 bytes_o (169 pkts, 301s ago), rekeying in 6 hours
ts-20.96.216.0{126305}: 10.28.155.0/24 === 20.96.216.0/21
ts-20.96.226.0{126325}: INSTALLED, TUNNEL, reqid 247, ESP SPIs: c28f61dc_i e0a84ea4_o
ts-20.96.226.0{126325}: AES_CBC_256/HMAC_SHA2_256_128/ECP_384, 58816 bytes_i, 61681 bytes_o (243 pkts, 261s ago), rekeying in 6 hours
ts-20.96.226.0{126325}: 10.28.155.0/24 === 20.96.226.0/24

Now, charon is logging to /var/log/charon.log (setup copied
and pasted from [1]).

What should I grep? :-)

I also have the output from 'ip -s x p' and 'ip -s x s'

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
Tobias Brunner
2018-07-10 12:18:26 UTC
Hi Marco,

> After nearly 2 months it happened again:
>
> ts-20.96.144.0{126302}: INSTALLED, TUNNEL, reqid 244, ESP SPIs: cd63dff4_i 5215984b_o
> ts-20.96.144.0{126302}: AES_CBC_256/HMAC_SHA2_256_128/ECP_384, 2988620 bytes_i (6591 pkts, 314s ago), 2048852 bytes_o, rekeying in 5 hours
> ts-20.96.144.0{126302}: 10.28.155.0/24 === 20.96.144.0/23
> ts-20.96.216.0{126305}: INSTALLED, TUNNEL, reqid 246, ESP SPIs: c5504cbc_i 5d35c82a_o
> ts-20.96.216.0{126305}: AES_CBC_256/HMAC_SHA2_256_128/ECP_384, 169442 bytes_i, 40867 bytes_o (169 pkts, 301s ago), rekeying in 6 hours
> ts-20.96.216.0{126305}: 10.28.155.0/24 === 20.96.216.0/21
> ts-20.96.226.0{126325}: INSTALLED, TUNNEL, reqid 247, ESP SPIs: c28f61dc_i e0a84ea4_o
> ts-20.96.226.0{126325}: AES_CBC_256/HMAC_SHA2_256_128/ECP_384, 58816 bytes_i, 61681 bytes_o (243 pkts, 261s ago), rekeying in 6 hours
> ts-20.96.226.0{126325}: 10.28.155.0/24 === 20.96.226.0/24
>
> Now, charon is logging to /var/log/charon.log (setup copied
> and pasted from [1]).
>
> What should I grep? :-)
>
> I also have the output from 'ip -s x p' and 'ip -s x s'

Look for details on these policies and SAs (using the SPIs and
selectors/reqids when searching). In the log also check the messages
around any with this information (those logged by the same thread).

Regards,
Tobias