Ayyash, Mohammad (NSN - FI/Espoo)
2010-05-19 12:37:54 UTC
Hi,
I've been trying to find out what is the difference between hold and
clear in strongswan (IKEv2). The documentation is very vague!
I made a very simple setup, to test a dead peer. After configuring two
ends, start ping to see an established IPSec SA in SAD. Then just "kill
-sigstop" one end, and see what the other end does.
Here is conf file used on both ends (of course, after switching the IP
addresses around), which is supposed to be very simple example
config setup
charonstart=yes
plutostart=no
charondebug="knl 2, dmn 2, ike 2, net 2, cfg 2, job 2"
conn %default
keyexchange=ikev2
auto=route
mobike=no
ca strongswan
cacert=/etc/ipsec/certs/ipsec.d/cacerts/cacert.pem
conn CONFIG
rekeymargin=2880
rekeyfuzz=100%
left=40.0.0.1
right=20.0.0.1
leftsubnet=30.0.0.0/24
rightsubnet=10.0.0.0/24
leftprotoport=%any
rightprotoport=%any
authby=secret
leftid=40.0.0.1
rightid=20.0.0.1
ike=aes128-md5-modp1536
esp=aes128-sha1
type=tunnel
ikelifetime=28800s
keylife=28800s
dpdaction=hold
dpddelay=10
Here are the logs from the end which was not stopped, for two cases,
first when dpdaction is clear, and second is when dpdaction is hold:
dpdaction = clear:
------------------
09[IKE] giving up after 5 retransmits
09[IKE] IKE_SA CONFIG[1] state change: ESTABLISHED => DESTROYING
09[KNL] deleting SAD entry with SPI c6edb535
09[KNL] deleted SAD entry with SPI c6edb535
09[KNL] deleting SAD entry with SPI c44de4f7
09[KNL] deleted SAD entry with SPI c44de4f7
09[KNL] deleting policy 30.0.0.0/24 === 10.0.0.0/24 out
09[KNL] policy still used by another CHILD_SA, not removed
09[KNL] deleting policy 10.0.0.0/24 === 30.0.0.0/24 in
09[KNL] policy still used by another CHILD_SA, not removed
09[KNL] deleting policy 10.0.0.0/24 === 30.0.0.0/24 fwd
09[KNL] policy still used by another CHILD_SA, not removed
01[JOB] got event, queuing job for execution
01[JOB] next event in 22774s 467ms, waiting
dpdaction = hold:
-----------------
14[IKE] giving up after 5 retransmits
14[CFG] CHILD_SA named 'CONFIG' already routed
14[IKE] IKE_SA CONFIG[1] state change: ESTABLISHED => DESTROYING
14[KNL] deleting SAD entry with SPI c58b0d94
14[KNL] deleted SAD entry with SPI c58b0d94
14[KNL] deleting SAD entry with SPI c0cdabf0
14[KNL] deleted SAD entry with SPI c0cdabf0
14[KNL] deleting policy 30.0.0.0/24 === 10.0.0.0/24 out
14[KNL] policy still used by another CHILD_SA, not removed
14[KNL] deleting policy 10.0.0.0/24 === 30.0.0.0/24 in
14[KNL] policy still used by another CHILD_SA, not removed
14[KNL] deleting policy 10.0.0.0/24 === 30.0.0.0/24 fwd
14[KNL] policy still used by another CHILD_SA, not removed
01[JOB] got event, queuing job for execution
01[JOB] next event in 21045s 504ms, waiting
In both cases, when giving up, SAD is cleared (ip xfrm state returns
nothing). However, as evident from the log, SPD policies are not
touched. (I wonder which is the other CHILD_SA... there isn't any other
IPsec configurations)
dpdaction = restart seems to be meaning full, it immediately tries to
renegotiate IKE SA (log not shown here).
I've been trying to find out what is the difference between hold and
clear in strongswan (IKEv2). The documentation is very vague!
I made a very simple setup, to test a dead peer. After configuring two
ends, start ping to see an established IPSec SA in SAD. Then just "kill
-sigstop" one end, and see what the other end does.
Here is conf file used on both ends (of course, after switching the IP
addresses around), which is supposed to be very simple example
config setup
charonstart=yes
plutostart=no
charondebug="knl 2, dmn 2, ike 2, net 2, cfg 2, job 2"
conn %default
keyexchange=ikev2
auto=route
mobike=no
ca strongswan
cacert=/etc/ipsec/certs/ipsec.d/cacerts/cacert.pem
conn CONFIG
rekeymargin=2880
rekeyfuzz=100%
left=40.0.0.1
right=20.0.0.1
leftsubnet=30.0.0.0/24
rightsubnet=10.0.0.0/24
leftprotoport=%any
rightprotoport=%any
authby=secret
leftid=40.0.0.1
rightid=20.0.0.1
ike=aes128-md5-modp1536
esp=aes128-sha1
type=tunnel
ikelifetime=28800s
keylife=28800s
dpdaction=hold
dpddelay=10
Here are the logs from the end which was not stopped, for two cases,
first when dpdaction is clear, and second is when dpdaction is hold:
dpdaction = clear:
------------------
09[IKE] giving up after 5 retransmits
09[IKE] IKE_SA CONFIG[1] state change: ESTABLISHED => DESTROYING
09[KNL] deleting SAD entry with SPI c6edb535
09[KNL] deleted SAD entry with SPI c6edb535
09[KNL] deleting SAD entry with SPI c44de4f7
09[KNL] deleted SAD entry with SPI c44de4f7
09[KNL] deleting policy 30.0.0.0/24 === 10.0.0.0/24 out
09[KNL] policy still used by another CHILD_SA, not removed
09[KNL] deleting policy 10.0.0.0/24 === 30.0.0.0/24 in
09[KNL] policy still used by another CHILD_SA, not removed
09[KNL] deleting policy 10.0.0.0/24 === 30.0.0.0/24 fwd
09[KNL] policy still used by another CHILD_SA, not removed
01[JOB] got event, queuing job for execution
01[JOB] next event in 22774s 467ms, waiting
dpdaction = hold:
-----------------
14[IKE] giving up after 5 retransmits
14[CFG] CHILD_SA named 'CONFIG' already routed
14[IKE] IKE_SA CONFIG[1] state change: ESTABLISHED => DESTROYING
14[KNL] deleting SAD entry with SPI c58b0d94
14[KNL] deleted SAD entry with SPI c58b0d94
14[KNL] deleting SAD entry with SPI c0cdabf0
14[KNL] deleted SAD entry with SPI c0cdabf0
14[KNL] deleting policy 30.0.0.0/24 === 10.0.0.0/24 out
14[KNL] policy still used by another CHILD_SA, not removed
14[KNL] deleting policy 10.0.0.0/24 === 30.0.0.0/24 in
14[KNL] policy still used by another CHILD_SA, not removed
14[KNL] deleting policy 10.0.0.0/24 === 30.0.0.0/24 fwd
14[KNL] policy still used by another CHILD_SA, not removed
01[JOB] got event, queuing job for execution
01[JOB] next event in 21045s 504ms, waiting
In both cases, when giving up, SAD is cleared (ip xfrm state returns
nothing). However, as evident from the log, SPD policies are not
touched. (I wonder which is the other CHILD_SA... there isn't any other
IPsec configurations)
dpdaction = restart seems to be meaning full, it immediately tries to
renegotiate IKE SA (log not shown here).