Hi All,

I am using IKEv1 and I see multiple ChildSAs INSTALLED; I have enabled make-before-break. I am not able to reproduce this issue, but when it happens my traffic is affected. Below is the config with which I am trying to reproduce it.

{ "_ts": "2018-05-08T18:30:02.718Z", "_prog": "charon", "_msgid": "@Dr_an", "text": "06[CFG] conn sl20:", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.718Z", "_prog": "charon", "_msgid": "@07VRwC", "text": "06[CFG] child sl20childsa:", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.718Z", "_prog": "charon", "_msgid": "@iFuhtB", "text": "06[CFG] rekey_time = 100", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.718Z", "_prog": "charon", "_msgid": "@Py5B_C", "text": "06[CFG] life_time = 150", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.718Z", "_prog": "charon", "_msgid": "@RscO8D", "text": "06[CFG] rand_time = 50", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.718Z", "_prog": "charon", "_msgid": "@kOwrfC", "text": "06[CFG] rekey_bytes = 0", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.718Z", "_prog": "charon", "_msgid": "@NcePjB", "text": "06[CFG] life_bytes = 0", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.718Z", "_prog": "charon", "_msgid": "@ySflTB", "text": "06[CFG] rand_bytes = 0", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.718Z", "_prog": "charon", "_msgid": "@7bKJCD", "text": "06[CFG] rekey_packets = 0", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.718Z", "_prog": "charon", "_msgid": "@ounha", "text": "06[CFG] life_packets = 0", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.718Z", "_prog": "charon", "_msgid": "@pibZ9D", "text": "06[CFG] rand_packets = 0", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.718Z", "_prog": "charon", "_msgid": "@GKtK2D", "text": "06[CFG] updown = (null)", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@7v8q5C", "text": "06[CFG] hostaccess = 0", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@E6R_wB", "text": "06[CFG] ipcomp = 0", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@OXIEO", "text": "06[CFG] mode = TUNNEL", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@aZ8jZB", "text": "06[CFG] policies = 1", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@kZYOj", "text": "06[CFG] policies_fwd_out = 0", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@WR3uwD", "text": "06[CFG] dpd_action = restart", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@-yRFqD", "text": "06[CFG] start_action = clear", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@RfO9GD", "text": "06[CFG] close_action = clear", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@CetbUC", "text": "06[CFG] reqid = 0", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@CGw7NC", "text": "06[CFG] tfc = 0", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@kXj8sD", "text": "06[CFG] priority = 0", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@b4xDE", "text": "06[CFG] interface = (null)", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@3fu6-B", "text": "06[CFG] mark_in = 20/4294967295", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@obPY4B", "text": "06[CFG] mark_in_sa = 1", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@oXu69C", "text": "06[CFG] mark_out = 20/4294967295", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@zw-OuB", "text": "06[CFG] inactivity = 0", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@Vx5JF", "text": "06[CFG] proposals = ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@zuQWzD", "text": "06[CFG] local_ts = 0.0.0.0/0", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@6d6OxD", "text": "06[CFG] remote_ts = 0.0.0.0/0", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@sBphOC", "text": "06[CFG] hw_offload = 0", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@nkKZZ", "text": "06[CFG] sha256_96 = 0", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@E2HSu", "text": "06[CFG] version = 1", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@nZsV-D", "text": "06[CFG] local_addrs = 10.24.18.209", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@GahZ3C", "text": "06[CFG] remote_addrs = 199.168.148.132", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@CQgdxB", "text": "06[CFG] local_port = 500", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@oKxHHB", "text": "06[CFG] remote_port = 500", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@IAVUdB", "text": "06[CFG] send_certreq = 1", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@Mr6lAD", "text": "06[CFG] send_cert = CERT_SEND_IF_ASKED", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@p0p_7D", "text": "06[CFG] mobike = 1", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@-gM2eB", "text": "06[CFG] aggressive = 1", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@9XezrC", "text": "06[CFG] dscp = 0x00", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@GVWNi", "text": "06[CFG] encap = 1", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@OhCYHB", "text": "06[CFG] dpd_delay = 0", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@HziRLC", "text": "06[CFG] dpd_timeout = 0", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@LX0b-C", "text": "06[CFG] fragmentation = 2", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@_QNrHB", "text": "06[CFG] unique = UNIQUE_NO", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@ON2SDD", "text": "06[CFG] keyingtries = 0", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@QzwJuB", "text": "06[CFG] reauth_time = 0", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@57mOTD", "text": "06[CFG] rekey_time = 150", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@SXfBlD", "text": "06[CFG] over_time = 15", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@hPL6KD", "text": "06[CFG] rand_time = 15", "_fac": "local1", "_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@sp5P5C", "text": "06[CFG] proposals = IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024", "_fac": "local1", "_level": "info" }

I also see multiple solutions to this issue; below are some of them. I want to first reproduce this issue to give the solutions a try.

1) reauth=no
2) uniqueids = yes
3) start_action = none
4) delete_rekeyed = yes

Any input to reproduce this issue will be appreciated.

Regards,
Naveen

On Fri, May 4, 2018 at 6:39 PM, Naveen Neelakanta <naveen.b.neelaka...@gmail.com> wrote:

> Hi
>
> I have an IKEv1 session up; however, I also see multiple child SAs if I leave
> the session for a long run. I would like to understand this scenario and
> whether I should take any action if these scenarios are seen.
>
> sl1childsa: #726, reqid 368, INSTALLED, TUNNEL-in-UDP,
> ESP:AES_CBC-128/HMAC_SHA1_96
> installed 6854s ago, rekeying in 20343s, expires in 21947s
> in 87e44243 (0x00000001), 0 bytes, 0 packets
> out 01ba724f (0x00000001), 0 bytes, 0 packets, 118s ago
> local 0.0.0.0/0
> remote 0.0.0.0/0
> sl1childsa: #727, reqid 368, INSTALLED, TUNNEL-in-UDP,
> ESP:AES_CBC-128/HMAC_SHA1_96
> installed 6853s ago, rekeying in 20334s, expires in 21947s
> in ad7acce9 (0x00000001), 0 bytes, 0 packets
> out 0602acec (0x00000001), 0 bytes, 0 packets, 118s ago
> local 0.0.0.0/0
> remote 0.0.0.0/0
> sl1childsa: #728, reqid 368, INSTALLED, TUNNEL-in-UDP,
> ESP:AES_CBC-128/HMAC_SHA1_96
> installed 6853s ago, rekeying in 20261s, expires in 21947s
> in 884e04f1 (0x00000001), 504 bytes, 6 packets, 119s ago
> out 0a8309e2 (0x00000001), 588 bytes, 7 packets, 118s ago
> local 0.0.0.0/0
> remote 0.0.0.0/0
>
> I believe in IKEv1 there is no rekey, it's just reauth.
>
> Regards,
> Naveen
>
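
A check for the symptom reported in this thread, as an added example that is not part of the original post or of strongSwan: it parses a child SA listing in the format quoted above and reports every (name, reqid) pair that has more than one INSTALLED SA, with the packet counters that show which one carries traffic. The function names are hypothetical, and the sample is the listing from the post with the mail line wraps joined and the local/remote lines dropped.

```python
import re
from collections import defaultdict

# Listing copied from the quoted post (mail wraps joined, local/remote lines dropped).
SAMPLE = """\
sl1childsa: #726, reqid 368, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96
  installed 6854s ago, rekeying in 20343s, expires in 21947s
  in 87e44243 (0x00000001), 0 bytes, 0 packets
  out 01ba724f (0x00000001), 0 bytes, 0 packets, 118s ago
sl1childsa: #727, reqid 368, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96
  installed 6853s ago, rekeying in 20334s, expires in 21947s
  in ad7acce9 (0x00000001), 0 bytes, 0 packets
  out 0602acec (0x00000001), 0 bytes, 0 packets, 118s ago
sl1childsa: #728, reqid 368, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96
  installed 6853s ago, rekeying in 20261s, expires in 21947s
  in 884e04f1 (0x00000001), 504 bytes, 6 packets, 119s ago
  out 0a8309e2 (0x00000001), 588 bytes, 7 packets, 118s ago
"""

HEAD = re.compile(r"(\S+): #(\d+), reqid (\d+), ([A-Z_]+),")
FLOW = re.compile(r"(in|out)\s+([0-9a-f]{8})\b.*?(\d+) packets")

def parse_child_sas(text):
    """Return one dict per child SA found in listing text of the format above."""
    sas = []
    for raw in text.splitlines():
        line = raw.lstrip("> \t")      # tolerate mail quoting and indentation
        head, flow = HEAD.match(line), FLOW.match(line)
        if head:
            name, uid, reqid, state = head.groups()
            sas.append({"name": name, "id": int(uid), "reqid": int(reqid),
                        "state": state, "spi": {}, "packets": 0})
        elif flow and sas:             # "in"/"out" line of the current SA
            sas[-1]["spi"][flow[1]] = flow[2]
            sas[-1]["packets"] += int(flow[3])
    return sas

def duplicate_installed(sas):
    """Map (name, reqid) -> SAs, for groups with more than one INSTALLED SA."""
    groups = defaultdict(list)
    for sa in sas:
        if sa["state"] == "INSTALLED":
            groups[(sa["name"], sa["reqid"])].append(sa)
    return {key: group for key, group in groups.items() if len(group) > 1}

if __name__ == "__main__":
    for (name, reqid), group in duplicate_installed(parse_child_sas(SAMPLE)).items():
        print(f"{name} reqid {reqid}: {len(group)} INSTALLED child SAs")
        for sa in group:
            print(f"  #{sa['id']} spi={sa['spi']} packets={sa['packets']}")
```
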