Bug #4266 (closed)

Rekeying issues with IKEv1 and multiple P2s under some circumstances

Added by Chris Buechler almost 10 years ago. Updated over 9 years ago.

Status: Resolved
Priority: High
Category: IPsec
Target version:
Start date: 01/23/2015
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.2
Affected Architecture:

Description

Where multiple P2s (phase 2 entries) are configured on a single P1 (phase 1) with IKEv1, rekeying fails under some circumstances that have not yet been fully characterized.

Example logs from strongSwan (charon) when this happens:

Jan 19 15:43:16 pf charon: 02[ENC] generating INFORMATIONAL_V1 request 3956259368 [ HASH N(DPD) ]
Jan 19 15:43:16 pf charon: 02[NET] sending packet: from ip1[500] to ip2[500] (92 bytes)
Jan 19 15:43:16 pf charon: 02[NET] received packet: from ip2[500] to ip1[500] (92 bytes)
Jan 19 15:43:16 pf charon: 02[ENC] parsed INFORMATIONAL_V1 request 735452451 [ HASH N(DPD_ACK) ]
Jan 19 15:43:20 pf charon: 02[NET] received packet: from ip3[500] to ip1[500] (364 bytes)
Jan 19 15:43:20 pf charon: 02[ENC] parsed QUICK_MODE request 141741184 [ HASH SA No KE ID ID ]
Jan 19 15:43:20 pf charon: 02[ENC] received HASH payload does not match
Jan 19 15:43:20 pf charon: 02[IKE] <con2000|13> integrity check failed
Jan 19 15:43:20 pf charon: 02[IKE] integrity check failed
Jan 19 15:43:20 pf charon: 02[ENC] generating INFORMATIONAL_V1 request 1348227468 [ HASH N(INVAL_HASH) ]
Jan 19 15:43:20 pf charon: 02[NET] sending packet: from ip1[500] to ip3[500] (76 bytes)
Jan 19 15:43:20 pf charon: 02[IKE] <con2000|13> QUICK_MODE request with message ID 141741184 processing failed
Jan 19 15:43:20 pf charon: 02[IKE] QUICK_MODE request with message ID 141741184 processing failed
Jan 19 15:43:21 pf charon: 02[IKE] <con2000|13> sending DPD request
Jan 19 15:43:21 pf charon: 02[IKE] sending DPD request
Jan 19 15:43:21 pf charon: 02[ENC] generating INFORMATIONAL_V1 request 3461990251 [ HASH N(DPD) ]
Jan 19 15:43:21 pf charon: 02[NET] sending packet: from ip1[500] to ip3[500] (92 bytes)
Jan 19 15:43:21 pf charon: 02[NET] received packet: from ip3[500] to ip1[500] (92 bytes)
Jan 19 15:43:21 pf charon: 02[ENC] parsed INFORMATIONAL_V1 request 3939011389 [ HASH N(DPD_ACK) ]
Jan 19 15:43:21 pf charon: 02[NET] received packet: from ip3[500] to ip1[500] (364 bytes)
Jan 19 15:43:21 pf charon: 02[ENC] parsed QUICK_MODE request 3030064237 [ HASH SA No KE ID ID ]
Jan 19 15:43:21 pf charon: 02[IKE] <con2000|13> detected rekeying of CHILD_SA con2000{4}
Jan 19 15:43:21 pf charon: 02[IKE] detected rekeying of CHILD_SA con2000{4}
Jan 19 15:43:21 pf charon: 02[ENC] generating QUICK_MODE response 3030064237 [ HASH SA No KE ID ID ]
Jan 19 15:43:21 pf charon: 02[NET] sending packet: from ip1[500] to ip3[500] (380 bytes)
Jan 19 15:43:21 pf charon: 02[NET] received packet: from ip3[500] to ip1[500] (76 bytes)
Jan 19 15:43:21 pf charon: 02[ENC] parsed INFORMATIONAL_V1 request 2447641578 [ HASH N(INVAL_ID) ]
Jan 19 15:43:21 pf charon: 02[IKE] <con2000|13> received INVALID_ID_INFORMATION error notify
Jan 19 15:43:21 pf charon: 02[IKE] received INVALID_ID_INFORMATION error notify
Jan 19 15:43:21 pf charon: 02[IKE] <con2000|13> received INVALID_ID_INFORMATION error notify
Jan 19 15:43:21 pf charon: 02[IKE] received INVALID_ID_INFORMATION error notify
Jan 19 15:43:26 pf charon: 16[NET] received packet: from ip3[500] to ip1[500] (364 bytes)
Jan 19 15:43:26 pf charon: 16[ENC] parsed QUICK_MODE request 84872551 [ HASH SA No KE ID ID ]
Jan 19 15:43:26 pf charon: 16[IKE] <con2000|13> detected rekeying of CHILD_SA con2000{4}
Jan 19 15:43:26 pf charon: 16[IKE] detected rekeying of CHILD_SA con2000{4}
Jan 19 15:43:26 pf charon: 16[ENC] generating QUICK_MODE response 84872551 [ HASH SA No KE ID ID ]
Jan 19 15:43:26 pf charon: 16[NET] sending packet: from ip1[500] to ip3[500] (380 bytes)
Jan 19 15:43:26 pf charon: 16[NET] received packet: from ip3[500] to ip1[500] (76 bytes)
Jan 19 15:43:26 pf charon: 16[ENC] parsed INFORMATIONAL_V1 request 4148709878 [ HASH N(INVAL_ID) ]
Jan 19 15:43:26 pf charon: 16[IKE] <con2000|13> received INVALID_ID_INFORMATION error notify
Jan 19 15:43:26 pf charon: 16[IKE] received INVALID_ID_INFORMATION error notify
Jan 19 15:43:26 pf charon: 16[IKE] <con2000|13> received INVALID_ID_INFORMATION error notify
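An added example, not part of this report and not pfSense or strongSwan code: a small Python detector that walks charon log lines of the format shown above and reports each Quick Mode exchange that ended in a HASH mismatch or an INVALID_ID_INFORMATION notify, so the failing rekeys can be counted per IKE_SA rather than read out of the raw log. The function name and the dict keys are my own; the sample log is a constructed, abridged copy of the lines in this report.

```python
import re

# Constructed sample: an abridged copy of the charon lines quoted in this report.
SAMPLE_LOG = """\
Jan 19 15:43:20 pf charon: 02[ENC] parsed QUICK_MODE request 141741184 [ HASH SA No KE ID ID ]
Jan 19 15:43:20 pf charon: 02[IKE] <con2000|13> integrity check failed
Jan 19 15:43:21 pf charon: 02[ENC] parsed QUICK_MODE request 3030064237 [ HASH SA No KE ID ID ]
Jan 19 15:43:21 pf charon: 02[IKE] <con2000|13> detected rekeying of CHILD_SA con2000{4}
Jan 19 15:43:21 pf charon: 02[IKE] <con2000|13> received INVALID_ID_INFORMATION error notify
Jan 19 15:43:21 pf charon: 02[IKE] received INVALID_ID_INFORMATION error notify
Jan 19 15:43:21 pf charon: 02[IKE] <con2000|13> received INVALID_ID_INFORMATION error notify
Jan 19 15:43:26 pf charon: 16[ENC] parsed QUICK_MODE request 84872551 [ HASH SA No KE ID ID ]
Jan 19 15:43:26 pf charon: 16[IKE] <con2000|13> detected rekeying of CHILD_SA con2000{4}
Jan 19 15:43:26 pf charon: 16[IKE] <con2000|13> received INVALID_ID_INFORMATION error notify
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ charon: (?P<thr>\d+)\[(?P<grp>\w+)\] (?P<msg>.*)$")
QM_RE = re.compile(r"parsed QUICK_MODE request (\d+)")        # start of a Quick Mode exchange
IKE_RE = re.compile(r"<([^>]+)> (.*)")                         # IKE lines carrying the <conn|id> prefix
REKEY_RE = re.compile(r"detected rekeying of CHILD_SA (\S+)")

def find_rekey_failures(log_text):
    """One dict per Quick Mode exchange that ended in a HASH mismatch or an
    INVALID_ID_INFORMATION notify. State is kept per charon worker thread (the
    number before [GROUP]); only prefixed IKE lines count, so duplicates do not."""
    state, failures = {}, []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        st = state.setdefault(m["thr"], {"mid": None, "child": None})
        if m["grp"] == "ENC" and (q := QM_RE.match(m["msg"])):
            st.update(mid=q[1], child=None)          # new exchange on this thread
            continue
        if m["grp"] != "IKE" or st["mid"] is None or not (q := IKE_RE.match(m["msg"])):
            continue
        sa, ev = q[1], q[2]
        if r := REKEY_RE.match(ev):
            st["child"] = r[1]                       # peer is rekeying an existing CHILD_SA
            continue
        if ev == "integrity check failed":
            reason = "hash_mismatch"
        elif ev == "received INVALID_ID_INFORMATION error notify":
            reason = "invalid_id_after_rekey" if st["child"] else "invalid_id"
        else:
            continue
        failures.append({"time": m["ts"], "ike_sa": sa, "msg_id": st["mid"],
                         "child_sa": st["child"], "reason": reason})
        st.update(mid=None, child=None)              # report each exchange once
    return failures
```

Run against the sample it reports three failed exchanges for IKE_SA con2000|13: one HASH mismatch and two INVALID_ID notifies following a detected rekey of con2000{4}.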


Files

single_p2.PNG (49.3 KB) - tb o, 03/16/2015 02:35 AM