Hi!
I just got a problem after upgrading to 5.0.3:
The problem seems to be trap handling, here are the corresponding lines:
Apr 12 08:15:57 rossini charon: 10[NET] sending packet: from XX.XX.XX.XX[500] to YY.YY.YY.YY[500] (92 bytes)
Apr 12 08:16:25 rossini charon: 01[KNL] creating acquire job for policy 192.168.191.21/32[tcp/http] === 192.168.200.2/32[tcp/49212] with reqid {1}
Apr 12 08:16:25 rossini charon: 11[CFG] trap not found, unable to acquire reqid 1
My colleague restarted the service after that, just for your knowledge:
Apr 12 08:17:43 rossini charon: 00[DMN] signal of type SIGINT received. Shutting down
Here are the CHILD_SA messages corresponding to this connection:
Apr 12 07:54:16 rossini charon: 15[IKE] CHILD_SA rw-client{1} established with SPIs c3fa2b5f_i c6f09180_o and TS 0.0.0.0/0 === 192.168.200.0/24
Apr 12 07:55:34 rossini charon: 01[KNL] creating rekey job for ESP CHILD_SA with SPI 8b62d81f and reqid {1}
Apr 12 07:59:06 rossini charon: 01[KNL] creating delete job for ESP CHILD_SA with SPI cbc0646b and reqid {1}
Apr 12 07:59:06 rossini charon: 01[KNL] creating delete job for ESP CHILD_SA with SPI 8b62d81f and reqid {1}
Apr 12 07:59:06 rossini charon: 08[IKE] closing expired CHILD_SA rw-client{1} with SPIs cbc0646b_i 8b62d81f_o and TS 0.0.0.0/0 === 192.168.200.0/24
Apr 12 07:59:06 rossini charon: 08[IKE] sending DELETE for ESP CHILD_SA with SPI cbc0646b
Apr 12 08:08:32 rossini charon: 01[KNL] creating rekey job for ESP CHILD_SA with SPI c6f09180 and reqid {1}
Apr 12 08:08:33 rossini charon: 10[IKE] CHILD_SA rw-client{1} established with SPIs cca8edf9_i 316275d5_o and TS 0.0.0.0/0 === 192.168.200.0/24
Apr 12 08:09:32 rossini charon: 01[KNL] creating rekey job for ESP CHILD_SA with SPI c3fa2b5f and reqid {1}
Apr 12 08:14:16 rossini charon: 01[KNL] creating delete job for ESP CHILD_SA with SPI c6f09180 and reqid {1}
Apr 12 08:14:16 rossini charon: 01[KNL] creating delete job for ESP CHILD_SA with SPI c3fa2b5f and reqid {1}
Apr 12 08:14:16 rossini charon: 12[IKE] closing expired CHILD_SA rw-client{1} with SPIs c3fa2b5f_i c6f09180_o and TS 0.0.0.0/0 === 192.168.200.0/24
Apr 12 08:14:16 rossini charon: 12[IKE] sending DELETE for ESP CHILD_SA with SPI c3fa2b5f
Apr 12 08:17:43 rossini charon: 00[IKE] closing CHILD_SA rw-client{1} with SPIs cca8edf9_i (94258 bytes) 316275d5_o (857068 bytes) and TS 0.0.0.0/0 === 192.168.200.0/24
Apr 12 08:17:43 rossini charon: 00[IKE] sending DELETE for ESP CHILD_SA with SPI cca8edf9
I think there was an active CHILD_SA, so why did the acquire job above not work?
Apr 12 08:08:33 rossini charon: 10[IKE] CHILD_SA rw-client{1} established with SPIs cca8edf9_i 316275d5_o and TS 0.0.0.0/0 === 192.168.200.0/24
Apr 12 08:17:43 rossini charon: 00[IKE] closing CHILD_SA rw-client{1} with SPIs cca8edf9_i (94258 bytes) 316275d5_o (857068 bytes) and TS 0.0.0.0/0 === 192.168.200.0/24
Apr 12 08:17:43 rossini charon: 00[IKE] sending DELETE for ESP CHILD_SA with SPI cca8edf9
strongSwan also thought it was up (I think this was generated just after the acquire entry above):
Security Associations (1 up, 0 connecting):
   rw-client[41]: ESTABLISHED 6 minutes ago, XX.XX.XX.XX[ipsec-server.tld]...YY.YY.YY.YY[client-fqdn]
   rw-client{1}:  INSTALLED, TUNNEL, ESP SPIs: cca8edf9_i 316275d5_o
   rw-client{1}:   0.0.0.0/0 === 192.168.200.0/24
Here is my config:
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=secret

conn fritz-base
        left=XX.XX.XX.XX
        leftsubnet=0.0.0.0/0
        [email protected]
        rightallowany=yes
        esp=aes256-sha1-modp1024
        aggressive=yes
        authby=secret

conn rw-client
        also=fritz-base
        #right=client-fqdn
        right=%any
        rightid=@client-fqdn
        rightsubnet=192.168.200.0/24
        auto=start
So my general question is: why does an acquire job throw an error if the SA is already established?
Explanation:
xx.xx.xx.xx: Server IP [rossini]
yy.yy.yy.yy: Client IP
Kind regards,
André
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
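As an added example (not from the poster or the strongSwan project), the following script replays charon log lines of the shape shown above and reports, for each "trap not found" event, which CHILD_SAs were still installed at that moment; this makes it easy to see from a log whether the kernel raised the acquire while an SA for the same traffic was up. The sample log is constructed from the message formats in the post, and the CHILD_SA tracking keys on the inbound SPI rather than the conn name because a rekey keeps the same name{id} while the old SPI pair is closed.

```python
import re

# Constructed sample in the charon syslog format from the post (wrapped lines rejoined).
SAMPLE_LOG = """\
Apr 12 07:54:16 rossini charon: 15[IKE] CHILD_SA rw-client{1} established with SPIs c3fa2b5f_i c6f09180_o and TS 0.0.0.0/0 === 192.168.200.0/24
Apr 12 08:08:33 rossini charon: 10[IKE] CHILD_SA rw-client{1} established with SPIs cca8edf9_i 316275d5_o and TS 0.0.0.0/0 === 192.168.200.0/24
Apr 12 08:14:16 rossini charon: 12[IKE] closing expired CHILD_SA rw-client{1} with SPIs c3fa2b5f_i c6f09180_o and TS 0.0.0.0/0 === 192.168.200.0/24
Apr 12 08:16:25 rossini charon: 01[KNL] creating acquire job for policy 192.168.191.21/32[tcp/http] === 192.168.200.2/32[tcp/49212] with reqid {1}
Apr 12 08:16:25 rossini charon: 11[CFG] trap not found, unable to acquire reqid 1
Apr 12 08:17:43 rossini charon: 00[IKE] closing CHILD_SA rw-client{1} with SPIs cca8edf9_i (94258 bytes) 316275d5_o (857068 bytes) and TS 0.0.0.0/0 === 192.168.200.0/24
Apr 12 08:20:00 rossini charon: 11[CFG] trap not found, unable to acquire reqid 1
"""

TIME = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d)")
ESTABLISHED = re.compile(r"CHILD_SA (\S+\{\d+\}) established with SPIs ([0-9a-f]+)_i")
CLOSING = re.compile(r"closing (?:expired )?CHILD_SA (\S+\{\d+\}) with SPIs ([0-9a-f]+)_i")
ACQUIRE = re.compile(r"creating acquire job for policy (.+?) with reqid \{(\d+)\}")
TRAP_MISS = re.compile(r"trap not found, unable to acquire reqid (\d+)")


def find_trap_misses(log_text):
    """One finding per 'trap not found' line: timestamp, reqid, the policy of the
    most recent acquire job for that reqid, and the CHILD_SAs installed at that time."""
    installed = {}      # inbound SPI -> CHILD_SA name{id}; SPI-keyed so rekeys are tracked correctly
    last_acquire = {}   # reqid -> policy text of the most recent acquire job
    findings = []
    for line in log_text.splitlines():
        stamp = TIME.match(line).group(1) if TIME.match(line) else "?"
        if m := ESTABLISHED.search(line):
            installed[m.group(2)] = m.group(1)
        elif m := CLOSING.search(line):
            installed.pop(m.group(2), None)
        elif m := ACQUIRE.search(line):
            last_acquire[m.group(2)] = m.group(1)
        elif m := TRAP_MISS.search(line):
            findings.append({"time": stamp, "reqid": m.group(1),
                             "policy": last_acquire.get(m.group(1)),
                             "installed": sorted(set(installed.values()))})
    return findings


if __name__ == "__main__":
    for f in find_trap_misses(SAMPLE_LOG):
        state = ("while %s installed" % ", ".join(f["installed"])) if f["installed"] else "with no CHILD_SA installed"
        print("%s: reqid %s acquire failed %s (policy %s)" % (f["time"], f["reqid"], state, f["policy"]))
```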