Hello!
We are using strongSwan 5.6.2 on a Linux kernel 4.1.39.
Our problem is that after some uptime strongSwan rejects connections with
the following message:

charon: 23422[CFG] unable to install policy 10.0.0.0/8 === 192.168.3.67/32 out for reqid 14832, the same policy for reqid 4388 exists
If we restart strongswan, the connections begin to work correctly again.
The installed policy (in this case) is the following:

src 10.0.0.0/8 dst 192.168.3.67/32
    dir out priority 379519 ptype main
    tmpl src 217.6.20.66 dst 84.160.101.118
        proto esp spi 0x0f95ddf2 reqid 4388 mode tunnel
The connections are mainly from iPhones and are using IKEv2.
Any ideas what causes this?
Is there an option to force the replacement of a policy?
I already tried to change "auto=add" to "auto=route", which I found in a
description of a similar problem, but that changed nothing...
Regards
Sven Anders
---8X-
Here is the configuration:
ipsec.conf:
---
config setup
    uniqueids=never
    charondebug = ike 2, net 2, pts 2, lib 2, tls 2, cfg 3, knl 2

conn rw-base
    fragmentation=yes
    dpdtimeout=90s
    dpddelay=30s
    dpdaction=clear

conn rw-config
    also=rw-base
    reauth=no
    rekey=no
    ike=aes256-sha2_256-prfsha256-modp1024-modp2048,aes256gcm16-prfsha384-modp3072!
    esp=aes256-sha2_256-prfsha256,aes256-sha1,aes256gcm16-modp3072!
    leftsubnet=10.0.0.0/8 # Split tunnel config
    leftid="vpn.company.net"
    leftcert=server.crt
    leftsendcert=always # not "never"
    left=217.6.20.66
    lefthostaccess=yes
    rightdns=10.1.3.10, 10.1.3.11
    rightsourceip=%static, %dynamic

conn ikev2-pubkey
    also=rw-config
    keyexchange=ikev2
    auto=route
strongswan.conf
---
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf

charon {
    install_routes = no
    install_virtual_ip = no
    crypto_test {
        bench = yes
    }
    plugins {
        attr-sql {
            database = sqlite:///var/lib/ipsec/ippool.sqlite3
        }
        attr {
            dns = 10.1.3.10, 10.1.3.11
            25 = company.local
            split-include = 10.0.0.0/8
            split-exclude = 0.0.0.0/0
            28675 = company.local
        }
    }
}
Here is the log file:
-
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] peer supports MOBIKE
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] authentication of 'vpn.company.net' (myself) with RSA signature successful
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] IKE_SA ikev2-pubkey[18259] established between 217.6.20.66[vpn.company.net]...188.238.227.128[joko.cl...@company.fi]
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] IKE_SA ikev2-pubkey[18259] state change: CONNECTING => ESTABLISHED
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] sending end entity cert "C=DE, ST=BY, O=Company, CN=vpn.company.net"
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] peer requested virtual IP %any
Nov 23 10:11:39 2101120420063 charon: 23422[CFG] no available address found in pool 'static'
Nov 23 10:11:39 2101120420063 charon: 23422[CFG] acquired new lease for address 192.168.3.67 in pool 'dynamic'
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] assigning virtual IP 192.168.3.67 to peer 'joko.cl...@company.fi'
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] peer requested virtual IP %any6
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] no virtual IP found for %any6 requested by 'joko.cl...@company.fi'
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] building INTERNAL_IP4_DNS attribute
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] building INTERNAL_IP4_DNS attribute
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] building (25) attribute
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] building UNITY_SPLITDNS_NAME attribute
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] building INTERNAL_IP4_DNS attribute
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] building INTERNAL_IP4_DNS attribute
Nov 23 10:11:39 2101120420063 charon: 23422[CFG] looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
Nov 23 10:11:39 2101120420063 charon: 23422[CFG] proposing traffic selectors for us:
Nov 23 10:11:39 2101120420063 charon: 23422[CFG]  10.0.0.0/8
Nov 23 10:11:39 2101120420063 charon: 23422[CFG] proposing traffic selectors for other:
Nov 23 10:11:39 2101120420063 charon: 23422[CFG]  192.168.3.67/32
Nov 23 10:11:39 2101120420063 charon: 23422[CFG]   candidate "ikev2-pubkey" with prio 2+2
Nov 23 10:11:39 2101120420063 charon: 23422[CFG] found matching child config "ikev2-pubkey" with prio 4
Nov 23 10:11:39 2101120420063 charon: 23422[CFG] selecting proposal:
Nov 23 10:11:39 2101120420063 charon: 23422[CFG]   proposal matches
Nov
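An added example, not part of the post above and not strongSwan code: a small Python diagnostic for the situation described, where charon reports "unable to install policy ... the same policy for reqid N exists". It parses that charon message together with `ip xfrm policy` and `ip xfrm state` output in the formats shown in the post, and lists kernel policies whose reqid charon blamed but for which no SA is left in the kernel, i.e. the candidates to inspect by hand before anything is removed. The log line and both xfrm dumps are constructed to mirror the post (the `ip xfrm state` excerpt is trimmed and invented), and the function names are mine. Whether deleting such a policy is the right fix is not something the post establishes; the generated `ip xfrm policy delete` line is only the command a practitioner would examine.

```python
import re
from dataclasses import dataclass

# Constructed inputs modelled on the post's output formats (not captured data).
CHARON_LOG = """\
Nov 23 10:11:39 host charon: 23422[CFG] unable to install policy 10.0.0.0/8 === 192.168.3.67/32 out for reqid 14832, the same policy for reqid 4388 exists
"""

# `ip xfrm policy` excerpt: the stale out policy from the post plus its in
# counterpart (the in policy is constructed to complete the pair).
XFRM_POLICY = """\
src 10.0.0.0/8 dst 192.168.3.67/32
    dir out priority 379519 ptype main
    tmpl src 217.6.20.66 dst 84.160.101.118
        proto esp spi 0x0f95ddf2 reqid 4388 mode tunnel
src 192.168.3.67/32 dst 10.0.0.0/8
    dir in priority 379519 ptype main
    tmpl src 84.160.101.118 dst 217.6.20.66
        proto esp spi 0x00000000 reqid 4388 mode tunnel
"""

# `ip xfrm state` excerpt, trimmed to the lines that matter (constructed):
# only the new CHILD_SA (reqid 14832) still has SAs; nothing is left for 4388.
XFRM_STATE = """\
src 217.6.20.66 dst 188.238.227.128
    proto esp spi 0x1a2b3c4d reqid 14832 mode tunnel
src 188.238.227.128 dst 217.6.20.66
    proto esp spi 0x5e6f7a8b reqid 14832 mode tunnel
"""

# charon's KNL message: selector pair, direction, new reqid, blocking reqid.
FAIL_RE = re.compile(
    r"unable to install policy (?P<src>\S+) === (?P<dst>\S+) (?P<dir>in|out|fwd) "
    r"for reqid (?P<new>\d+), the same policy for reqid (?P<old>\d+) exists"
)


@dataclass(frozen=True)
class Policy:
    src: str
    dst: str
    dir: str
    reqid: int
    tmpl_src: str
    tmpl_dst: str


def parse_install_failures(log: str) -> list:
    """Return (src, dst, dir, new_reqid, old_reqid) for each install failure."""
    return [(m["src"], m["dst"], m["dir"], int(m["new"]), int(m["old"]))
            for m in FAIL_RE.finditer(log)]


def parse_xfrm_policies(text: str) -> list:
    """Parse `ip xfrm policy` output: one Policy per unindented 'src ... dst ...' block."""
    policies, cur = [], None
    for line in text.splitlines():
        if line.startswith("src "):
            if cur:
                policies.append(Policy(**cur))
            m = re.match(r"src (\S+) dst (\S+)", line)
            cur = {"src": m[1], "dst": m[2], "dir": "", "reqid": 0,
                   "tmpl_src": "", "tmpl_dst": ""}
        elif cur is not None:
            s = line.strip()
            if s.startswith("dir "):
                cur["dir"] = s.split()[1]
            elif s.startswith("tmpl src "):
                m = re.match(r"tmpl src (\S+) dst (\S+)", s)
                cur["tmpl_src"], cur["tmpl_dst"] = m[1], m[2]
            else:
                m = re.search(r"\breqid (\d+)", s)
                if m:
                    cur["reqid"] = int(m[1])
    if cur:
        policies.append(Policy(**cur))
    return policies


def live_reqids(xfrm_state: str) -> set:
    """reqids that still have at least one SA installed (from `ip xfrm state`)."""
    return {int(r) for r in re.findall(r"\breqid (\d+)", xfrm_state)}


def find_orphaned_policies(log: str, xfrm_policy: str, xfrm_state: str) -> list:
    """Policies whose reqid charon blamed for a conflict and which have no SA left."""
    blamed = {old for (_, _, _, _, old) in parse_install_failures(log)}
    live = live_reqids(xfrm_state)
    return [p for p in parse_xfrm_policies(xfrm_policy)
            if p.reqid in blamed and p.reqid not in live]


def delete_command(p: Policy) -> str:
    """iproute2 command that would remove this policy; for manual review only."""
    return f"ip xfrm policy delete src {p.src} dst {p.dst} dir {p.dir}"


if __name__ == "__main__":
    for p in find_orphaned_policies(CHARON_LOG, XFRM_POLICY, XFRM_STATE):
        print(f"reqid {p.reqid} {p.dir}: {p.src} -> {p.dst} "
              f"(tmpl {p.tmpl_src} -> {p.tmpl_dst}) has no SA; candidate: {delete_command(p)}")
```

On a live gateway the three constants would be replaced by the output of `journalctl -u strongswan` (or the syslog file), `ip xfrm policy` and `ip xfrm state`. The point of cross-checking against `ip xfrm state` is to separate a policy that merely belongs to another, still-healthy CHILD_SA from one whose SAs are gone, since only the latter is a leftover that charon itself should have removed.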