[strongSwan] Problem: "unable to install policy -the same policy for reqid XXXX exists "

2018-11-23 Thread Sven Anders
Hello!

We are using strongSwan 5.6.2 on a Linux kernel 4.1.39.

Our problem is that after some uptime strongSwan rejects connections with
the following message:

  charon: 23422[CFG] unable to install policy 10.0.0.0/8 === 192.168.3.67/32 out for reqid 14832, the same policy for reqid 4388 exists

If we restart strongswan, the connections begin to work correctly again.

The installed policy (in this case) is the following:

src 10.0.0.0/8 dst 192.168.3.67/32
dir out priority 379519 ptype main
tmpl src 217.6.20.66 dst 84.160.101.118
proto esp spi 0x0f95ddf2 reqid 4388 mode tunnel

The connections are mainly from iPhones and are using IKEv2.

Any ideas what causes this?
Is there an option to force the replacement of a policy?

I already tried to change "auto=add" to "auto=route", which I found in a
description of a similar problem, but that changed nothing...

Regards
 Sven Anders

---8X-

Here is the configuration:

ipsec.conf:
---

config setup
  uniqueids=never
  charondebug = ike 2, net 2, pts 2, lib 2, tls 2, cfg 3, knl 2

conn rw-base
  fragmentation=yes
  dpdtimeout=90s
  dpddelay=30s
  dpdaction=clear

conn rw-config
  also=rw-base
  reauth=no
  rekey=no
  ike=aes256-sha2_256-prfsha256-modp1024-modp2048,aes256gcm16-prfsha384-modp3072!
  esp=aes256-sha2_256-prfsha256,aes256-sha1,aes256gcm16-modp3072!
  leftsubnet=10.0.0.0/8   # Split tunnel config
  leftid="vpn.company.net"
  leftcert=server.crt
  leftsendcert=always  # not "never"
  left=217.6.20.66
  lefthostaccess=yes
  rightdns=10.1.3.10, 10.1.3.11
  rightsourceip=%static, %dynamic

conn ikev2-pubkey
  also=rw-config
  keyexchange=ikev2
  auto=route

strongswan.conf
---
charon { load_modular = yes  plugins { include strongswan.d/charon/*.conf } }
include strongswan.d/*.conf

charon {
  install_routes = no
  install_virtual_ip = no
  crypto_test { bench = yes }
  plugins {
    attr-sql {
      database = sqlite:///var/lib/ipsec/ippool.sqlite3
    }
    attr {
      dns = 10.1.3.10, 10.1.3.11
      25 = company.local
      split-include = 10.0.0.0/8
      split-exclude = 0.0.0.0/0
      28675 = company.local
    }
  }
}


Here is the log file:
-

Nov 23 10:11:39 2101120420063 charon: 23422[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] peer supports MOBIKE
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] authentication of 'vpn.company.net' (myself) with RSA signature successful
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] IKE_SA ikev2-pubkey[18259] established between 217.6.20.66[vpn.company.net]...188.238.227.128[joko.cl...@company.fi]
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] IKE_SA ikev2-pubkey[18259] state change: CONNECTING => ESTABLISHED
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] sending end entity cert "C=DE, ST=BY, O=Company, CN=vpn.company.net"
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] peer requested virtual IP %any
Nov 23 10:11:39 2101120420063 charon: 23422[CFG] no available address found in pool 'static'
Nov 23 10:11:39 2101120420063 charon: 23422[CFG] acquired new lease for address 192.168.3.67 in pool 'dynamic'
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] assigning virtual IP 192.168.3.67 to peer 'joko.cl...@company.fi'
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] peer requested virtual IP %any6
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] no virtual IP found for %any6 requested by 'joko.cl...@company.fi'
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] building INTERNAL_IP4_DNS attribute
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] building INTERNAL_IP4_DNS attribute
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] building (25) attribute
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] building UNITY_SPLITDNS_NAME attribute
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] building INTERNAL_IP4_DNS attribute
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] building INTERNAL_IP4_DNS attribute
Nov 23 10:11:39 2101120420063 charon: 23422[CFG] looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
Nov 23 10:11:39 2101120420063 charon: 23422[CFG] proposing traffic selectors for us:
Nov 23 10:11:39 2101120420063 charon: 23422[CFG]  10.0.0.0/8
Nov 23 10:11:39 2101120420063 charon: 23422[CFG] proposing traffic selectors for other:
Nov 23 10:11:39 2101120420063 charon: 23422[CFG]  192.168.3.67/32
Nov 23 10:11:39 2101120420063 charon: 23422[CFG]   candidate "ikev2-pubkey" with prio 2+2
Nov 23 10:11:39 2101120420063 charon: 23422[CFG] found matching child config "ikev2-pubkey" with prio 4
Nov 23 10:11:39 2101120420063 charon: 23422[CFG] selecting proposal:
Nov 23 10:11:39 2101120420063 charon: 23422[CFG]   proposal matches
Nov 
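A defender-side cross-check for the symptom reported above, added here as an example that is not part of the thread: it parses charon's "unable to install policy" message and the `ip xfrm policy` layout quoted in the post, and reports whether the kernel SPD still carries the old reqid that blocks the new CHILD_SA. The sample log and xfrm lines below are constructed for the example.

```python
import re

# Constructed sample charon lines in the format quoted in the post (not real log output).
SAMPLE_LOG = """\
Nov 23 10:11:39 gw charon: 23422[CFG] unable to install policy 10.0.0.0/8 === 192.168.3.67/32 out for reqid 14832, the same policy for reqid 4388 exists
Nov 23 10:11:39 gw charon: 23422[CFG] unable to install policy 192.168.3.67/32 === 10.0.0.0/8 in for reqid 14832, the same policy for reqid 4388 exists
"""

# Constructed `ip xfrm policy` output in the layout quoted in the post.
SAMPLE_XFRM = """\
src 10.0.0.0/8 dst 192.168.3.67/32
        dir out priority 379519 ptype main
        tmpl src 217.6.20.66 dst 84.160.101.118
                proto esp spi 0x0f95ddf2 reqid 4388 mode tunnel
src 192.168.3.67/32 dst 10.0.0.0/8
        dir in priority 379519 ptype main
        tmpl src 84.160.101.118 dst 217.6.20.66
                proto esp reqid 4388 mode tunnel
"""

CONFLICT_RE = re.compile(
    r"unable to install policy (?P<src>\S+) === (?P<dst>\S+) (?P<dir>in|out|fwd) "
    r"for reqid (?P<new>\d+), the same policy for reqid (?P<old>\d+) exists")

def parse_conflicts(log):
    """Return (src, dst, dir, new_reqid, old_reqid) for every conflict message."""
    return [(m["src"], m["dst"], m["dir"], int(m["new"]), int(m["old"]))
            for m in map(CONFLICT_RE.search, log.splitlines()) if m]

def parse_xfrm_policies(text):
    """Map (src, dst, dir) -> template reqid (0 if the policy has no template)."""
    policies = {}
    for block in re.split(r"(?m)^(?=src )", text):   # one block per policy
        head = re.match(r"src (\S+) dst (\S+)\s+dir (\w+)", block)
        if head:
            reqid = re.search(r"reqid (\d+)", block)
            policies[head.groups()] = int(reqid.group(1)) if reqid else 0
    return policies

def stale_policies(log, xfrm_text):
    """Cross-check each logged conflict against the kernel SPD: in_kernel is True
    when the policy for that selector pair and direction still carries the old
    reqid, i.e. a leftover entry from an earlier CHILD_SA is blocking the new one."""
    kernel = parse_xfrm_policies(xfrm_text)
    return [{"selector": f"{src} === {dst} {d}", "blocked_reqid": new,
             "stale_reqid": old, "in_kernel": kernel.get((src, dst, d)) == old}
            for src, dst, d, new, old in parse_conflicts(log)]
```

On a live gateway, feed it the charon log text and the output of `ip xfrm policy`; an entry with `in_kernel` True points at the exact stale policy (and its reqid) to look up in the full log, as Tobias suggests.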

Re: [strongSwan] Problem: "unable to install policy -the same policy for reqid XXXX exists "

2018-11-23 Thread Tobias Brunner
Hi Sven,

> We are using strongSwan 5.6.2 on a Linux kernel 4.1.39.

Try using a newer strongSwan version.

> The installed policy (in this case) is the following:
> 
> src 10.0.0.0/8 dst 192.168.3.67/32
> dir out priority 379519 ptype main
> tmpl src 217.6.20.66 dst 84.160.101.118
> proto esp spi 0x0f95ddf2 reqid 4388 mode tunnel

Use the full log to see why it may have been left there.  That log
snippet you added is not really useful.

> I already tried to change "auto=add" to "auto=route", which I found in a 
> description
> of a similar problem, but that changed nothing...

auto=route makes no sense on a gateway for roadwarriors.

Regards,
Tobias


Re: [strongSwan] Problem: "unable to install policy -the same policy for reqid XXXX exists "

2018-11-23 Thread Sven Anders
On 23.11.18 at 11:11, Tobias Brunner wrote:
> Hi Sven,
> 
>> We are using strongSwan 5.6.2 on a Linux kernel 4.1.39.
> 
> Try using a newer strongSwan version.

So the problem is known?
Which version should I use at least? Will 5.6.3 be enough or
should I use 5.7.1 instead?

>> The installed policy (in this case) is the following:
>>
>> src 10.0.0.0/8 dst 192.168.3.67/32
>> dir out priority 379519 ptype main
>> tmpl src 217.6.20.66 dst 84.160.101.118
>> proto esp spi 0x0f95ddf2 reqid 4388 mode tunnel
> 
> Use the full log to see why it may have been left there.  That log
> snippet you added is not really useful.

There are many requests and the log file is very long.
What kind of message do you expect or what should I search for?

>> I already tried to change "auto=add" to "auto=route", which I found in a 
>> description
>> of a similar problem, but that changed nothing...
> 
> auto=route makes no sense on a gateway for roadwarriors.

Ok, just read about it in another similar problem and this was one idea
to solve it (the race condition?)...


Regards
 Sven Anders

-- 
 Sven Anders  () UTF-8 Ribbon Campaign
 /\ Support plain text e-mail
 ANDURAS intranet security AG
 Messestrasse 3 - 94036 Passau - Germany
 Web: www.anduras.de - Tel: +49 (0)851-4 90 50-0 - Fax: +49 (0)851-4 90 50-55

Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety.
  - Benjamin Franklin

Re: [strongSwan] Problem: "unable to install policy -the same policy for reqid XXXX exists "

2018-11-28 Thread Tobias Brunner
Hi Sven,

> So the problem is known?

Not really, but maybe something changed that avoids the issue, and I
don't particularly fancy debugging old versions.

> Which version should I use at least. Will 5.6.3 be enough or
> should I use 5.7.1 instead?

If you consider updating, use the latest.

> There are many requests and the log file is very long.

So?

> What kind of message do you expect or what should I search for?

For instance, messages around refcount changes of the policies.  You can
also post it somewhere for us to have a look at.

Regards,
Tobias


Re: [strongSwan] Problem: "unable to install policy -the same policy for reqid XXXX exists "

2018-11-30 Thread Sven Anders
On 28.11.18 at 11:31, Tobias Brunner wrote:
> Hi Sven,
> 
>> So the problem is known?
> 
> Not really, but maybe something changed that avoids the issue, and I
> don't particularly fancy debugging old versions.
> 
>> Which version should I use at least. Will 5.6.3 be enough or
>> should I use 5.7.1 instead?
> 
> If you consider updating, use the latest.

I will do it, but it will take some time until we can deploy it
to the customer...

>> There are many requests and the log file is very long.
> 
> So?
> 
>> What kind of message do you expect or what should I search for?
> 
> For instance, messages around refcount changes of the policies.  You can
> also post it somewhere for us to have a look at.

Thank you,

I will send you a link to download it. If anybody else wants the log output too,
to analyse it, I will send you the link.


Regards
 Sven Anders




Re: [strongSwan] Problem: "unable to install policy -the same policy for reqid XXXX exists "

2018-12-01 Thread Felipe Arturo Polanco
Hi Sven,

You can try to manually specify the reqid in your ipsec.conf file, as per
your log messages a second CHILD_SA is trying to install the same traffic
selectors as a previous CHILD_SA.

Also I believe there is a 'unique=yes' option that should reuse the same
previously assigned reqid and prevent the creation of multiple CHILD_SA
that may conflict with each other.







Re: [strongSwan] Problem: "unable to install policy -the same policy for reqid XXXX exists "

2018-12-03 Thread Tobias Brunner
Hi Sven,

> I will send you a link to download it. If anybody want the log output too, to 
> analyse
> it, I will send you the link.

Thanks.  I was actually pretty sure you worked together with Marcel
Müller who opened #2840 last week (same problem, same version, German).
See my analysis there at [1], because your problem seems to be exactly
the same (the problematic SA/policy update is at Nov 29 12:14:42 in your
log).

Regards,
Tobias

[1] https://wiki.strongswan.org/issues/2840