Bug #7325
Closed
IPsec VPN Phase2 assigned with same reqid routing another VPN Phase2
Start date: 02/27/2017
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.3.3
Affected Architecture:
Description
Before creating a new IPsec VPN:
ipsec statusall
Status of IKE charon daemon (weakSwan 5.5.1, FreeBSD 10.3-RELEASE-p16, amd64):
  uptime: 6 minutes, since Feb 27 11:19:02 2017
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fk
Listening IP addresses:
  10.128.40.5
  10.128.40.1
  185.99.148.5
  185.99.148.254
  10.128.83.252
  10.128.83.254
Connections:
  bypasslan: %any...%any IKEv1/2
  bypasslan: local: uses public key authentication
  bypasslan: remote: uses public key authentication
  bypasslan: child: 10.128.40.0/23|/0 === 10.128.40.0/23|/0 PASS
  con1000: 185.99.148.254...185.60.92.210 IKEv1 Aggressive, dpddelay=5s
  con1000: local: [185.99.148.254] uses pre-shared key authentication
  con1000: remote: [185.60.92.210] uses pre-shared key authentication
  con1000: child: 10.128.40.0/23|/0 === 172.16.30.0/24|/0 TUNNEL, dpdaction=restart
  con1001: child: 10.128.40.0/23|/0 === 172.16.0.0/24|/0 TUNNEL, dpdaction=restart
  con1002: child: 10.128.40.0/23|/0 === 172.16.50.0/24|/0 TUNNEL, dpdaction=restart
  con1003: child: 10.128.40.0/23|/0 === 172.16.10.0/24|/0 TUNNEL, dpdaction=restart
Shunted Connections:
  bypasslan: 10.128.40.0/23|/0 === 10.128.40.0/23|/0 PASS
Routed Connections:
  con1003{20}: ROUTED, TUNNEL, reqid 4
  con1003{20}: 10.128.40.0/23|/0 === 172.16.10.0/24|/0
  con1002{19}: ROUTED, TUNNEL, reqid 3
  con1002{19}: 10.128.40.0/23|/0 === 172.16.50.0/24|/0
  con1001{18}: ROUTED, TUNNEL, reqid 2
  con1001{18}: 10.128.40.0/23|/0 === 172.16.0.0/24|/0
  con1000{17}: ROUTED, TUNNEL, reqid 1
  con1000{17}: 10.128.40.0/23|/0 === 172.16.30.0/24|/0
Security Associations (1 up, 0 connecting):
  con1000[1]: ESTABLISHED 6 minutes ago, 185.99.148.254[185.99.148.254]...185.60.92.210[185.60.92.210]
  con1000[1]: IKEv1 SPIs: 575c35e87396b74c_i* 605b37d0cfe6e215_r, pre-shared key reauthentication in 3 hours
  con1000[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  con1000{5}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: ca58444b_i 4243f57b_o
  con1000{5}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i (0 pkts, 400s ago), 2584 bytes_o (17 pkts, 6s ago), rekeying in 36 minutes
  con1000{5}: 10.128.40.0/23|/0 === 172.16.30.0/24|/0
  con1001{6}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c1ed5da8_i 6b84dc96_o
  con1001{6}: AES_CBC_128/HMAC_SHA1_96, 1381467 bytes_i (9768 pkts, 0s ago), 6522568 bytes_o (10161 pkts, 0s ago), rekeying in 36 minutes
  con1001{6}: 10.128.40.0/23|/0 === 172.16.0.0/24|/0
  con1002{7}: INSTALLED, TUNNEL, reqid 3, ESP SPIs: cfb9b2f2_i b73a9f70_o
  con1002{7}: AES_CBC_128/HMAC_SHA1_96, 4704 bytes_i (56 pkts, 17s ago), 8512 bytes_o (56 pkts, 17s ago), rekeying in 38 minutes
  con1002{7}: 10.128.40.0/23|/0 === 172.16.50.0/24|/0
  con1003{8}: INSTALLED, TUNNEL, reqid 4, ESP SPIs: cc175f17_i 126cf511_o
  con1003{8}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i (0 pkts, 347s ago), 2280 bytes_o (15 pkts, 2s ago), rekeying in 37 minutes
  con1003{8}: 10.128.40.0/23|/0 === 172.16.10.0/24|/0
After creating a new IPsec VPN:
ipsec statusall
Status of IKE charon daemon (weakSwan 5.5.1, FreeBSD 10.3-RELEASE-p16, amd64):
  uptime: 7 minutes, since Feb 27 11:19:02 2017
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fk
Listening IP addresses:
  10.128.40.5
  10.128.40.1
  185.99.148.5
  185.99.148.254
  10.128.83.252
  10.128.83.254
Connections:
  bypasslan: %any...%any IKEv1/2
  bypasslan: local: uses public key authentication
  bypasslan: remote: uses public key authentication
  bypasslan: child: 10.128.40.0/23|/0 === 10.128.40.0/23|/0 PASS
  con1000: 185.99.148.254...185.60.92.210 IKEv1 Aggressive, dpddelay=5s
  con1000: local: [185.99.148.254] uses pre-shared key authentication
  con1000: remote: [185.60.92.210] uses pre-shared key authentication
  con1000: child: 10.128.40.0/23|/0 === 172.16.30.0/24|/0 TUNNEL, dpdaction=restart
  con1001: child: 10.128.83.0/24|/0 === 172.16.30.0/24|/0 TUNNEL, dpdaction=restart
  con1002: child: 10.128.40.0/23|/0 === 172.16.0.0/24|/0 TUNNEL, dpdaction=restart
  con1003: child: 10.128.40.0/23|/0 === 172.16.50.0/24|/0 TUNNEL, dpdaction=restart
  con1004: child: 10.128.40.0/23|/0 === 172.16.10.0/24|/0 TUNNEL, dpdaction=restart
Shunted Connections:
  bypasslan: 10.128.40.0/23|/0 === 10.128.40.0/23|/0 PASS
Routed Connections:
  con1004{25}: ROUTED, TUNNEL, reqid 4
  con1004{25}: 10.128.40.0/23|/0 === 172.16.10.0/24|/0
  con1003{24}: ROUTED, TUNNEL, reqid 4
  con1003{24}: 10.128.40.0/23|/0 === 172.16.50.0/24|/0
  con1002{23}: ROUTED, TUNNEL, reqid 3
  con1002{23}: 10.128.40.0/23|/0 === 172.16.0.0/24|/0
  con1001{22}: ROUTED, TUNNEL, reqid 2
  con1001{22}: 10.128.83.0/24|/0 === 172.16.30.0/24|/0
  con1000{21}: ROUTED, TUNNEL, reqid 1
  con1000{21}: 10.128.40.0/23|/0 === 172.16.30.0/24|/0
Security Associations (1 up, 0 connecting):
  con1000[1]: ESTABLISHED 7 minutes ago, 185.99.148.254[185.99.148.254]...185.60.92.210[185.60.92.210]
  con1000[1]: IKEv1 SPIs: 575c35e87396b74c_i* 605b37d0cfe6e215_r, pre-shared key reauthentication in 3 hours
  con1000[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  con1000{5}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: ca58444b_i 4243f57b_o
  con1000{5}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i (0 pkts, 426s ago), 3192 bytes_o (21 pkts, 3s ago), rekeying in 35 minutes
  con1000{5}: 10.128.40.0/23|/0 === 172.16.30.0/24|/0
  con1001{6}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c1ed5da8_i 6b84dc96_o
  con1001{6}: AES_CBC_128/HMAC_SHA1_96, 1466152 bytes_i (10241 pkts, 0s ago), 6808120 bytes_o (10641 pkts, 0s ago), rekeying in 36 minutes
  con1001{6}: 10.128.40.0/23|/0 === 172.16.0.0/24|/0
  con1002{7}: INSTALLED, TUNNEL, reqid 3, ESP SPIs: cfb9b2f2_i b73a9f70_o
  con1002{7}: AES_CBC_128/HMAC_SHA1_96, 6384 bytes_i (76 pkts, 3s ago), 11552 bytes_o (76 pkts, 3s ago), rekeying in 38 minutes
  con1002{7}: 10.128.40.0/23|/0 === 172.16.50.0/24|/0
  con1003{8}: INSTALLED, TUNNEL, reqid 4, ESP SPIs: cc175f17_i 126cf511_o
  con1003{8}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i (0 pkts, 373s ago), 2280 bytes_o (15 pkts, 28s ago), rekeying in 37 minutes
  con1003{8}: 10.128.40.0/23|/0 === 172.16.10.0/24|/0
The new VPN assignment is OK, but the old VPNs (con1003 and con1004) are assigned reqid 4. As a result, the VPN on the peer is not functional.
In the shell, ipsec restart resolves the reqid assignment.
Updated by Jim Thompson about 7 years ago
- Assignee set to Luiz Souza
- Priority changed from High to Normal
Updated by Jim Pingle over 4 years ago
- Status changed from New to Closed
Old report and no recent recurrences. Lots of things in this area have changed, so most likely it's either fixed or no longer relevant.
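A check for the condition shown in this report, as an added example that is not part of the ticket or of pfSense or strongSwan code: it reads `ipsec statusall` output on stdin and lists every reqid that appears on more than one entry under Routed Connections. The function names and the indentation of the sample are assumptions; the sample lines are excerpted from the second output in the description.

```shell
#!/bin/sh
# Added example (not from the ticket): list reqids that appear on more than
# one entry under "Routed Connections:" in `ipsec statusall` output (stdin).
# Output, one line per shared reqid: "reqid N: <entry> <entry> ..."
dup_routed_reqids() {
    awk '
        # Section headers start in column 0 and end with a colon.
        /^[^ ].*:$/ { in_routed = ($0 ~ /^Routed Connections:/); next }
        # Only the ROUTED lines of that section carry the reqid we compare.
        in_routed && /ROUTED/ && match($0, /reqid [0-9]+/) {
            reqid = substr($0, RSTART + 6, RLENGTH - 6)
            name = $1; sub(/:$/, "", name)
            if (!(reqid in members)) order[++n] = reqid
            members[reqid] = members[reqid] " " name
            count[reqid]++
        }
        END {
            for (i = 1; i <= n; i++)
                if (count[order[i]] > 1)
                    print "reqid " order[i] ":" members[order[i]]
        }
    '
}

# Sample: lines excerpted from the second output in the report. The
# indentation is assumed, since the page lost the original line layout.
sample_after() {
cat <<'EOF'
Shunted Connections:
  bypasslan: 10.128.40.0/23|/0 === 10.128.40.0/23|/0 PASS
Routed Connections:
  con1004{25}: ROUTED, TUNNEL, reqid 4
  con1004{25}: 10.128.40.0/23|/0 === 172.16.10.0/24|/0
  con1003{24}: ROUTED, TUNNEL, reqid 4
  con1003{24}: 10.128.40.0/23|/0 === 172.16.50.0/24|/0
  con1002{23}: ROUTED, TUNNEL, reqid 3
  con1001{22}: ROUTED, TUNNEL, reqid 2
  con1000{21}: ROUTED, TUNNEL, reqid 1
Security Associations (1 up, 0 connecting):
  con1003{8}: INSTALLED, TUNNEL, reqid 4, ESP SPIs: cc175f17_i 126cf511_o
EOF
}

sample_after | dup_routed_reqids
```

On a live system the same function can be fed with `ipsec statusall | dup_routed_reqids`; empty output means no routed entries share a reqid.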