Bug #7325

closed

IPsec VPN Phase 2 assigned the same reqid, routing another VPN Phase 2

Added by Thierry Laurier about 7 years ago. Updated over 4 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: IPsec
Target version: -
Start date: 02/27/2017
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.3.3
Affected Architecture:

Description

Before creating the new IPsec VPN:

ipsec statusall
Status of IKE charon daemon (weakSwan 5.5.1, FreeBSD 10.3-RELEASE-p16, amd64):
  uptime: 6 minutes, since Feb 27 11:19:02 2017
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fk
Listening IP addresses:
  10.128.40.5
  10.128.40.1
  185.99.148.5
  185.99.148.254
  10.128.83.252
  10.128.83.254
Connections:
   bypasslan:  %any...%any  IKEv1/2
   bypasslan:   local:  uses public key authentication
   bypasslan:   remote: uses public key authentication
   bypasslan:   child:  10.128.40.0/23|/0 === 10.128.40.0/23|/0 PASS
     con1000:  185.99.148.254...185.60.92.210  IKEv1 Aggressive, dpddelay=5s
     con1000:   local:  [185.99.148.254] uses pre-shared key authentication
     con1000:   remote: [185.60.92.210] uses pre-shared key authentication
     con1000:   child:  10.128.40.0/23|/0 === 172.16.30.0/24|/0 TUNNEL, dpdaction=restart
     con1001:   child:  10.128.40.0/23|/0 === 172.16.0.0/24|/0 TUNNEL, dpdaction=restart
     con1002:   child:  10.128.40.0/23|/0 === 172.16.50.0/24|/0 TUNNEL, dpdaction=restart
     con1003:   child:  10.128.40.0/23|/0 === 172.16.10.0/24|/0 TUNNEL, dpdaction=restart
Shunted Connections:
   bypasslan:  10.128.40.0/23|/0 === 10.128.40.0/23|/0 PASS
Routed Connections:
     con1003{20}:  ROUTED, TUNNEL, reqid 4
     con1003{20}:   10.128.40.0/23|/0 === 172.16.10.0/24|/0
     con1002{19}:  ROUTED, TUNNEL, reqid 3
     con1002{19}:   10.128.40.0/23|/0 === 172.16.50.0/24|/0
     con1001{18}:  ROUTED, TUNNEL, reqid 2
     con1001{18}:   10.128.40.0/23|/0 === 172.16.0.0/24|/0
     con1000{17}:  ROUTED, TUNNEL, reqid 1
     con1000{17}:   10.128.40.0/23|/0 === 172.16.30.0/24|/0
Security Associations (1 up, 0 connecting):
     con1000[1]: ESTABLISHED 6 minutes ago, 185.99.148.254[185.99.148.254]...185.60.92.210[185.60.92.210]
     con1000[1]: IKEv1 SPIs: 575c35e87396b74c_i* 605b37d0cfe6e215_r, pre-shared key reauthentication in 3 hours
     con1000[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
     con1000{5}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: ca58444b_i 4243f57b_o
     con1000{5}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i (0 pkts, 400s ago), 2584 bytes_o (17 pkts, 6s ago), rekeying in 36 minutes
     con1000{5}:   10.128.40.0/23|/0 === 172.16.30.0/24|/0
     con1001{6}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c1ed5da8_i 6b84dc96_o
     con1001{6}:  AES_CBC_128/HMAC_SHA1_96, 1381467 bytes_i (9768 pkts, 0s ago), 6522568 bytes_o (10161 pkts, 0s ago), rekeying in 36 minutes
     con1001{6}:   10.128.40.0/23|/0 === 172.16.0.0/24|/0
     con1002{7}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: cfb9b2f2_i b73a9f70_o
     con1002{7}:  AES_CBC_128/HMAC_SHA1_96, 4704 bytes_i (56 pkts, 17s ago), 8512 bytes_o (56 pkts, 17s ago), rekeying in 38 minutes
     con1002{7}:   10.128.40.0/23|/0 === 172.16.50.0/24|/0
     con1003{8}:  INSTALLED, TUNNEL, reqid 4, ESP SPIs: cc175f17_i 126cf511_o
     con1003{8}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i (0 pkts, 347s ago), 2280 bytes_o (15 pkts, 2s ago), rekeying in 37 minutes
     con1003{8}:   10.128.40.0/23|/0 === 172.16.10.0/24|/0

After creating a new IPsec VPN:

ipsec statusall
Status of IKE charon daemon (weakSwan 5.5.1, FreeBSD 10.3-RELEASE-p16, amd64):
  uptime: 7 minutes, since Feb 27 11:19:02 2017
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fk
Listening IP addresses:
  10.128.40.5
  10.128.40.1
  185.99.148.5
  185.99.148.254
  10.128.83.252
  10.128.83.254
Connections:
   bypasslan:  %any...%any  IKEv1/2
   bypasslan:   local:  uses public key authentication
   bypasslan:   remote: uses public key authentication
   bypasslan:   child:  10.128.40.0/23|/0 === 10.128.40.0/23|/0 PASS
     con1000:  185.99.148.254...185.60.92.210  IKEv1 Aggressive, dpddelay=5s
     con1000:   local:  [185.99.148.254] uses pre-shared key authentication
     con1000:   remote: [185.60.92.210] uses pre-shared key authentication
     con1000:   child:  10.128.40.0/23|/0 === 172.16.30.0/24|/0 TUNNEL, dpdaction=restart
     con1001:   child:  10.128.83.0/24|/0 === 172.16.30.0/24|/0 TUNNEL, dpdaction=restart
     con1002:   child:  10.128.40.0/23|/0 === 172.16.0.0/24|/0 TUNNEL, dpdaction=restart
     con1003:   child:  10.128.40.0/23|/0 === 172.16.50.0/24|/0 TUNNEL, dpdaction=restart
     con1004:   child:  10.128.40.0/23|/0 === 172.16.10.0/24|/0 TUNNEL, dpdaction=restart
Shunted Connections:
   bypasslan:  10.128.40.0/23|/0 === 10.128.40.0/23|/0 PASS
Routed Connections:
     con1004{25}:  ROUTED, TUNNEL, reqid 4
     con1004{25}:   10.128.40.0/23|/0 === 172.16.10.0/24|/0
     con1003{24}:  ROUTED, TUNNEL, reqid 4
     con1003{24}:   10.128.40.0/23|/0 === 172.16.50.0/24|/0
     con1002{23}:  ROUTED, TUNNEL, reqid 3
     con1002{23}:   10.128.40.0/23|/0 === 172.16.0.0/24|/0
     con1001{22}:  ROUTED, TUNNEL, reqid 2
     con1001{22}:   10.128.83.0/24|/0 === 172.16.30.0/24|/0
     con1000{21}:  ROUTED, TUNNEL, reqid 1
     con1000{21}:   10.128.40.0/23|/0 === 172.16.30.0/24|/0
Security Associations (1 up, 0 connecting):
     con1000[1]: ESTABLISHED 7 minutes ago, 185.99.148.254[185.99.148.254]...185.60.92.210[185.60.92.210]
     con1000[1]: IKEv1 SPIs: 575c35e87396b74c_i* 605b37d0cfe6e215_r, pre-shared key reauthentication in 3 hours
     con1000[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
     con1000{5}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: ca58444b_i 4243f57b_o
     con1000{5}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i (0 pkts, 426s ago), 3192 bytes_o (21 pkts, 3s ago), rekeying in 35 minutes
     con1000{5}:   10.128.40.0/23|/0 === 172.16.30.0/24|/0
     con1001{6}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c1ed5da8_i 6b84dc96_o
     con1001{6}:  AES_CBC_128/HMAC_SHA1_96, 1466152 bytes_i (10241 pkts, 0s ago), 6808120 bytes_o (10641 pkts, 0s ago), rekeying in 36 minutes
     con1001{6}:   10.128.40.0/23|/0 === 172.16.0.0/24|/0
     con1002{7}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: cfb9b2f2_i b73a9f70_o
     con1002{7}:  AES_CBC_128/HMAC_SHA1_96, 6384 bytes_i (76 pkts, 3s ago), 11552 bytes_o (76 pkts, 3s ago), rekeying in 38 minutes
     con1002{7}:   10.128.40.0/23|/0 === 172.16.50.0/24|/0
     con1003{8}:  INSTALLED, TUNNEL, reqid 4, ESP SPIs: cc175f17_i 126cf511_o
     con1003{8}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i (0 pkts, 373s ago), 2280 bytes_o (15 pkts, 28s ago), rekeying in 37 minutes
     con1003{8}:   10.128.40.0/23|/0 === 172.16.10.0/24|/0

The new VPN is assigned OK, but the old VPNs (con1003 and con1004) are both assigned reqid 4. As a result, the VPN on the peer is not functional.

In the shell, ipsec restart resolves the reqid assignment.
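The condition shown in the "after" output (two different child policies, con1003 and con1004, sharing reqid 4, and the installed SA for reqid 4 carrying a selector that no longer matches the routed policy) can be checked for mechanically. The following is an added example, not code from the report or from pfSense/strongSwan: it parses the "Routed Connections" and "Security Associations" sections of `ipsec statusall` and flags any reqid shared by more than one traffic selector. The sample text is a constructed excerpt modelled on the output above.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the "after" ipsec statusall output in the report.
SAMPLE = """\
Routed Connections:
     con1004{25}:  ROUTED, TUNNEL, reqid 4
     con1004{25}:   10.128.40.0/23|/0 === 172.16.10.0/24|/0
     con1003{24}:  ROUTED, TUNNEL, reqid 4
     con1003{24}:   10.128.40.0/23|/0 === 172.16.50.0/24|/0
     con1002{23}:  ROUTED, TUNNEL, reqid 3
     con1002{23}:   10.128.40.0/23|/0 === 172.16.0.0/24|/0
Security Associations (1 up, 0 connecting):
     con1003{8}:  INSTALLED, TUNNEL, reqid 4, ESP SPIs: cc175f17_i 126cf511_o
     con1003{8}:   10.128.40.0/23|/0 === 172.16.10.0/24|/0
"""

# First line of a child entry: "<conn>{<id>}:  ROUTED|INSTALLED, TUNNEL, reqid N"
HEAD = re.compile(r"^\s*(?P<name>\S+)\{(?P<id>\d+)\}:\s+(?P<state>ROUTED|INSTALLED), TUNNEL, reqid (?P<reqid>\d+)")
# Selector line of the same child entry: "<conn>{<id>}:   <local> === <remote>"
SEL = re.compile(r"^\s*(?P<name>\S+)\{(?P<id>\d+)\}:\s+(?P<local>\S+) === (?P<remote>\S+)")


def parse_children(text):
    """Return one dict (name, state, reqid, local, remote) per child policy or SA in the output."""
    children = {}
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            children[(m["name"], m["id"])] = {"name": m["name"], "state": m["state"], "reqid": int(m["reqid"])}
            continue
        m = SEL.match(line)
        if m and (m["name"], m["id"]) in children:
            children[(m["name"], m["id"])].update(local=m["local"], remote=m["remote"])
    return list(children.values())


def find_reqid_conflicts(text):
    """Map each reqid to the (connection, local, remote) triples using it, keeping only
    reqids that are attached to more than one distinct traffic selector."""
    by_reqid = defaultdict(set)
    for c in parse_children(text):
        by_reqid[c["reqid"]].add((c["name"], c.get("local"), c.get("remote")))
    return {r: sorted(v) for r, v in by_reqid.items()
            if len({(loc, rem) for _, loc, rem in v}) > 1}


if __name__ == "__main__":
    for reqid, users in find_reqid_conflicts(SAMPLE).items():
        print(f"reqid {reqid} shared by {len(users)} entries:", users)
```

Run against the full `ipsec statusall` output; an empty result means every reqid maps to exactly one selector, as in the "before" output of the report.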

Actions #1

Updated by Jim Thompson about 7 years ago

  • Assignee set to Luiz Souza
  • Priority changed from High to Normal
Actions #2

Updated by Jim Pingle over 4 years ago

  • Status changed from New to Closed

Old report and no recent recurrences. Lots of things in this area have changed, so most likely it's either fixed or no longer relevant.
