
Bug #8364

Multiple IPsec child SA entries

Added by Chris Macmahon about 1 year ago. Updated about 1 year ago.

Status: Closed
Priority: Normal
Assignee: -
Category: IPsec
Target version: -
Start date: 03/10/2018
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.4.3
Affected Architecture:

Description

Current Base System 2.4.3.a.20180309.1836

Connecting IPsec creates multiple Child SAs:

Shell Output - ipsec statusall con10
Status of IKE charon daemon (strongSwan 5.6.2, FreeBSD 11.1-RELEASE-p7, amd64):
uptime: 23 hours, since Mar 09 16:16:15 2018
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 169
loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf curve25519 xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock counters
Listening IP addresses:
208.123.73.8
208.123.73.7
172.27.12.27
2610:160:11:12::27
2610:160:11:12::17
172.27.12.17
172.27.0.27
172.27.114.129
2610:160:11:f114::1
172.27.255.29
172.27.115.1
172.27.116.1
Connections:
con10: 208.123.73.7...chrism.pfsense.io IKEv2, dpddelay=10s
con10: local: [208.123.73.7] uses public key authentication
con10: cert: "C=US, ST=Texas, L=Austin, O=pfmechanics, E=, CN=208.123.73.7"
con10: remote: [chrism.pfsense.io] uses public key authentication
con10: ca: "C=US, ST=Texas, L=Austin, O=pfmechanics, E=, CN=IPsecCA"
con10: child: 172.27.0.0/16|/0 208.123.73.64/27|/0 === 172.21.25.0/24|/0 TUNNEL, dpdaction=restart
Routed Connections:
con10{65823}: ROUTED, TUNNEL, reqid 19940
con10{65823}: 172.27.0.0/16|/0 208.123.73.64/27|/0 === 172.21.25.0/24|/0
Security Associations (18 up, 0 connecting):
con10217: ESTABLISHED 10 minutes ago, 208.123.73.7[208.123.73.7]...184.74.25.90[chrism.pfsense.io]
con10217: IKEv2 SPIs: 69a22090953dfaa7_i 8665af5c1dce9914_r*, public key reauthentication in 7 hours
con10217: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
con10{65399}: INSTALLED, TUNNEL, reqid 19940, ESP SPIs: ca989f44_i cd95245a_o
con10{65399}: AES_GCM_16_256, 84 bytes_i (1 pkt, 449s ago), 0 bytes_o, rekeying in 33 minutes
con10{65399}: 172.27.0.0/16|/0 === 172.21.25.0/24|/0
con10{65401}: INSTALLED, TUNNEL, reqid 19940, ESP SPIs: cf1f6963_i c577c0f8_o
con10{65401}: AES_GCM_16_256/MODP_2048, 84 bytes_i (1 pkt, 449s ago), 0 bytes_o, rekeying in 38 minutes
con10{65401}: 172.27.0.0/16|/0 === 172.21.25.0/24|/0
con10{65403}: INSTALLED, TUNNEL, reqid 19940, ESP SPIs: c15ad3e3_i cd56b7f7_o
con10{65403}: AES_GCM_16_256/MODP_2048, 84 bytes_i (1 pkt, 449s ago), 0 bytes_o, rekeying in 33 minutes
con10{65403}: 172.27.0.0/16|/0 === 172.21.25.0/24|/0
con10{65404}: INSTALLED, TUNNEL, reqid 19940, ESP SPIs: cc1f79a0_i c323432e_o
con10{65404}: AES_GCM_16_256/MODP_2048, 144 bytes_i (2 pkts, 449s ago), 0 bytes_o, rekeying in 32 minutes
con10{65404}: 172.27.0.0/16|/0 === 172.21.25.0/24|/0
con10{65405}: INSTALLED, TUNNEL, reqid 19940, ESP SPIs: ce9d58a6_i c3bdc2a7_o
con10{65405}: AES_GCM_16_256/MODP_2048, 60 bytes_i (1 pkt, 449s ago), 0 bytes_o, rekeying in 32 minutes
con10{65405}: 172.27.0.0/16|/0 === 172.21.25.0/24|/0
con10{65406}: INSTALLED, TUNNEL, reqid 19940, ESP SPIs: c9870f23_i c6156414_o
con10{65406}: AES_GCM_16_256/MODP_2048, 60 bytes_i (1 pkt, 449s ago), 0 bytes_o, rekeying in 39 minutes
con10{65406}: 172.27.0.0/16|/0 === 172.21.25.0/24|/0
con10{65407}: INSTALLED, TUNNEL, reqid 19940, ESP SPIs: c3951a03_i caab7f89_o
con10{65407}: AES_GCM_16_256/MODP_2048, 60 bytes_i (1 pkt, 449s ago), 0 bytes_o, rekeying in 34 minutes
con10{65407}: 172.27.0.0/16|/0 === 172.21.25.0/24|/0
con10{65408}: INSTALLED, TUNNEL, reqid 19940, ESP SPIs: cedc8a02_i cc7c0b4f_o
con10{65408}: AES_GCM_16_256/MODP_2048, 0 bytes_i (0 pkts, 449s ago), 0 bytes_o, rekeying in 32 minutes
con10{65408}: 172.27.0.0/16|/0 === 172.21.25.0/24|/0
con10{65410}: INSTALLED, TUNNEL, reqid 19940, ESP SPIs: c8f6fe43_i cd0f65a1_o
con10{65410}: AES_GCM_16_256/MODP_2048, 0 bytes_i (0 pkts, 449s ago), 0 bytes_o, rekeying in 33 minutes
con10{65410}: 172.27.0.0/16|/0 === 172.21.25.0/24|/0
con10{65411}: INSTALLED, TUNNEL, reqid 19940, ESP SPIs: cc926418_i c623eca0_o
con10{65411}: AES_GCM_16_256/MODP_2048, 60 bytes_i (1 pkt, 449s ago), 0 bytes_o, rekeying in 35 minutes
con10{65411}: 172.27.0.0/16|/0 === 172.21.25.0/24|/0
con10{65412}: INSTALLED, TUNNEL, reqid 19940, ESP SPIs: c4915fa9_i cb63346a_o
con10{65412}: AES_GCM_16_256/MODP_2048, 60 bytes_i (1 pkt, 449s ago), 0 bytes_o, rekeying in 33 minutes
con10{65412}: 172.27.0.0/16|/0 === 172.21.25.0/24|/0
con10{65413}: INSTALLED, TUNNEL, reqid 19940, ESP SPIs: cea702ed_i c6543b0f_o
con10{65413}: AES_GCM_16_256/MODP_2048, 0 bytes_i (0 pkts, 449s ago), 0 bytes_o, rekeying in 38 minutes
con10{65413}: 172.27.0.0/16|/0 === 172.21.25.0/24|/0
con10{65414}: INSTALLED, TUNNEL, reqid 19940, ESP SPIs: ce32804d_i c7ec7376_o
con10{65414}: AES_GCM_16_256/MODP_2048, 0 bytes_i (0 pkts, 449s ago), 0 bytes_o, rekeying in 34 minutes
con10{65414}: 172.27.0.0/16|/0 === 172.21.25.0/24|/0
con10{65416}: INSTALLED, TUNNEL, reqid 19940, ESP SPIs: c83f3206_i cbc80e4f_o
con10{65416}: AES_GCM_16_256/MODP_2048, 60 bytes_i (1 pkt, 449s ago), 0 bytes_o, rekeying in 32 minutes
con10{65416}: 172.27.0.0/16|/0 === 172.21.25.0/24|/0
con10{65417}: INSTALLED, TUNNEL, reqid 19940, ESP SPIs: c36a8c85_i cc0c3be1_o
con10{65417}: AES_GCM_16_256/MODP_2048, 60 bytes_i (1 pkt, 449s ago), 0 bytes_o, rekeying in 36 minutes
con10{65417}: 172.27.0.0/16|/0 === 172.21.25.0/24|/0
con10{65418}: INSTALLED, TUNNEL, reqid 19940, ESP SPIs: cf1fa503_i cd767b1e_o
con10{65418}: AES_GCM_16_256/MODP_2048, 0 bytes_i (0 pkts, 449s ago), 0 bytes_o, rekeying in 37 minutes
con10{65418}: 172.27.0.0/16|/0 === 172.21.25.0/24|/0
con10{65420}: INSTALLED, TUNNEL, reqid 19940, ESP SPIs: cffae82b_i c0ca01a5_o
con10{65420}: AES_GCM_16_256/MODP_2048, 60 bytes_i (1 pkt, 449s ago), 0 bytes_o, rekeying in 33 minutes
con10{65420}: 172.27.0.0/16|/0 === 172.21.25.0/24|/0
con10{65455}: INSTALLED, TUNNEL, reqid 19940, ESP SPIs: ce5eb1b8_i c1325186_o
con10{65455}: AES_GCM_16_256/MODP_2048, 60 bytes_i (1 pkt, 449s ago), 0 bytes_o, rekeying in 35 minutes
con10{65455}: 172.27.0.0/16|/0 === 172.21.25.0/24|/0
con10{65456}: INSTALLED, TUNNEL, reqid 19940, ESP SPIs: ce774bae_i c9da96c0_o
con10{65456}: AES_GCM_16_256/MODP_2048, 0 bytes_i (0 pkts, 449s ago), 0 bytes_o, rekeying in 37 minutes
con10{65456}: 172.27.0.0/16|/0 === 172.21.25.0/24|/0
con10{65458}: INSTALLED, TUNNEL, reqid 19940, ESP SPIs: cd700f47_i c5b9c086_o
con10{65458}: AES_GCM_16_256/MODP_2048, 0 bytes_i (0 pkts, 449s ago), 0 bytes_o, rekeying in 33 minutes
con10{65458}: 172.27.0.0/16|/0 === 172.21.25.0/24|/0
con10{65459}: INSTALLED, TUNNEL, reqid 19940, ESP SPIs: c9af7b99_i cb509243_o
con10{65459}: AES_GCM_16_256/MODP_2048, 60 bytes_i (1 pkt, 449s ago), 0 bytes_o, rekeying in 37 minutes
con10{65459}: 172.27.0.0/16|/0 === 172.21.25.0/24|/0
con10{65460}: INSTALLED, TUNNEL, reqid 19940, ESP SPIs: c0dce75a_i c5d08d6e_o
con10{65460}: AES_GCM_16_256/MODP_2048, 60 bytes_i (1 pkt, 449s ago), 0 bytes_o, rekeying in 33 minutes
con10{65460}: 172.27.0.0/16|/0 === 172.21.25.0/24|/0
con10{65461}: INSTALLED, TUNNEL, reqid 19940, ESP SPIs: cdb7e303_i cb8b5302_o
con10{65461}: AES_GCM_16_256/MODP_2048, 60 bytes_i (1 pkt, 449s ago), 0 bytes_o, rekeying in 33 minutes
con10{65461}: 172.27.0.0/16|/0 === 172.21.25.0/24|/0
con10{65501}: INSTALLED, TUNNEL, reqid 19940, ESP SPIs: cec782ff_i c65a7d83_o
con10{65501}: AES_GCM_16_256/MODP_2048, 60 bytes_i (1 pkt, 449s ago), 0 bytes_o, rekeying in 36 minutes
con10{65501}: 172.27.0.0/16|/0 === 172.21.25.0/24|/0
con10{65502}: INSTALLED, TUNNEL, reqid 19940, ESP SPIs: c93fd177_i ca0a1822_o
con10{65502}: AES_GCM_16_256/MODP_2048, 60 bytes_i (1 pkt, 449s ago), 0 bytes_o, rekeying in 35 minutes
con10{65502}: 172.27.0.0/16|/0 === 172.21.25.0/24|/0
con10{65578}: INSTALLED, TUNNEL, reqid 19940, ESP SPIs: c23b642b_i c715947a_o
con10{65578}: AES_GCM_16_256/MODP_2048, 60 bytes_i (1 pkt, 449s ago), 0 bytes_o, rekeying in 34 minutes
con10{65578}: 172.27.0.0/16|/0 === 172.21.25.0/24|/0
con10{65579}: INSTALLED, TUNNEL, reqid 19940, ESP SPIs: c5c06f2b_i cf73ecf1_o
con10{65579}: AES_GCM_16_256/MODP_2048, 60 bytes_i (1 pkt, 449s ago), 0 bytes_o, rekeying in 35 minutes
con10{65579}: 172.27.0.0/16|/0 === 172.21.25.0/24|/0
con10{65580}: INSTALLED, TUNNEL, reqid 19940, ESP SPIs: c59a7313_i c2665d55_o
con10{65580}: AES_GCM_16_256/MODP_2048, 60 bytes_i (1 pkt, 449s ago), 0 bytes_o, rekeying in 34 minutes
con10{65580}: 172.27.0.0/16|/0 === 172.21.25.0/24|/0
con10{65581}: INSTALLED, TUNNEL, reqid 19940, ESP SPIs: c50b2140_i cd5af4dd_o
con10{65581}: AES_GCM_16_256/MODP_2048, 0 bytes_i (0 pkts, 449s ago), 0 bytes_o, rekeying in 41 minutes
con10{65581}: 172.27.0.0/16|/0 === 172.21.25.0/24|/0
con10{65582}: INSTALLED, TUNNEL, reqid 19940, ESP SPIs: c324f1a2_i c9069ffa_o
con10{65582}: AES_GCM_16_256/MODP_2048, 0 bytes_i (0 pkts, 449s ago), 0 bytes_o, rekeying in 35 minutes
con10{65582}: 172.27.0.0/16|/0 === 172.21.25.0/24|/0
con10{65583}: INSTALLED, TUNNEL, reqid 19940, ESP SPIs: c4fffb89_i cb13dfab_o
con10{65583}: AES_GCM_16_256/MODP_2048, 60 bytes_i (1 pkt, 449s ago), 0 bytes_o, rekeying in 36 minutes
con10{65583}: 172.27.0.0/16|/0 === 172.21.25.0/24|/0
con10{65584}: INSTALLED, TUNNEL, reqid 19940, ESP SPIs: ccf8cf13_i cb1d2b70_o
con10{65584}: AES_GCM_16_256/MODP_2048, 60 bytes_i (1 pkt, 449s ago), 0 bytes_o, rekeying in 37 minutes
con10{65584}: 172.27.0.0/16|/0 === 172.21.25.0/24|/0
con10{65585}: INSTALLED, TUNNEL, reqid 19940, ESP SPIs: c67812df_i cb5405ba_o
con10{65585}: AES_GCM_16_256/MODP_2048, 360 bytes_i (6 pkts, 449s ago), 0 bytes_o, rekeying in 38 minutes
con10{65585}: 172.27.0.0/16|/0 === 172.21.25.0/24|/0
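Added here as an editor's example, not code from the bug report or from pfSense/strongSwan: a small parser that groups the INSTALLED child SAs in `ipsec statusall` output by connection, reqid and traffic selectors, so a pile-up like the one above can be flagged by a monitoring check instead of being spotted by eye. SAMPLE_STATUS is a constructed excerpt in the shape of the report's output; one child SA per selector pair is normal and two can coexist briefly during a rekey, so the default threshold of 2 is deliberately sensitive.

```python
import re
from collections import defaultdict

# Constructed excerpt shaped like the `ipsec statusall` output in the report
# (strongSwan 5.x): three INSTALLED child SAs share one reqid and selector pair.
SAMPLE_STATUS = """\
Routed Connections:
con10{65823}: ROUTED, TUNNEL, reqid 19940
con10{65823}: 172.27.0.0/16|/0 208.123.73.64/27|/0 === 172.21.25.0/24|/0
Security Associations (1 up, 0 connecting):
con10{65399}: INSTALLED, TUNNEL, reqid 19940, ESP SPIs: ca989f44_i cd95245a_o
con10{65399}: AES_GCM_16_256, 84 bytes_i (1 pkt, 449s ago), 0 bytes_o, rekeying in 33 minutes
con10{65399}: 172.27.0.0/16|/0 === 172.21.25.0/24|/0
con10{65401}: INSTALLED, TUNNEL, reqid 19940, ESP SPIs: cf1f6963_i c577c0f8_o
con10{65401}: 172.27.0.0/16|/0 === 172.21.25.0/24|/0
con10{65403}: INSTALLED, TUNNEL, reqid 19940, ESP SPIs: c15ad3e3_i cd56b7f7_o
con10{65403}: 172.27.0.0/16|/0 === 172.21.25.0/24|/0
"""

# "con10{65399}: INSTALLED, TUNNEL, reqid 19940, ..." -> connection, child id, reqid
INSTALLED_RE = re.compile(r"^(\S+?)\{(\d+)\}: INSTALLED, \w+, reqid (\d+)")
# "con10{65399}: 172.27.0.0/16|/0 === 172.21.25.0/24|/0" -> local/remote selectors
SELECTOR_RE = re.compile(r"^(\S+?)\{(\d+)\}: (.+?) === (.+)$")


def parse_child_sas(status_output):
    """Map (conn, child_id) -> {reqid, local, remote} for INSTALLED child SAs only;
    selector lines of ROUTED policies are skipped since no INSTALLED line registered their id."""
    sas = {}
    for line in status_output.splitlines():
        m = INSTALLED_RE.match(line)
        if m:
            sas[(m[1], int(m[2]))] = {"reqid": int(m[3]), "local": None, "remote": None}
            continue
        m = SELECTOR_RE.match(line)
        if m and (m[1], int(m[2])) in sas:
            sas[(m[1], int(m[2]))].update(local=m[3].strip(), remote=m[4].strip())
    return sas


def find_duplicate_child_sas(status_output, threshold=2):
    """Return {(conn, reqid, local, remote): [child ids]} for every selector pair carried
    by >= threshold INSTALLED child SAs. One SA per pair is normal and two can overlap
    during a rekey; anything beyond that is the duplication shown in this report."""
    groups = defaultdict(list)
    for (conn, child_id), sa in parse_child_sas(status_output).items():
        groups[(conn, sa["reqid"], sa["local"], sa["remote"])].append(child_id)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= threshold}
```

Feed it the real output of `ipsec statusall` and alert when any group exceeds the threshold; the returned child ids are the ones to inspect or tear down.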

History

#1 Updated by James Dekker about 1 year ago

Mar 10 16:13:40    check_reload_status        Reloading filter
Mar 10 16:13:40    php-fpm        /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Mar 10 16:13:24    check_reload_status        Restarting ipsec tunnels
Mar 10 16:13:07    check_reload_status        Reloading filter
Mar 10 16:13:07    php-fpm        /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Mar 10 16:12:51    check_reload_status        Restarting ipsec tunnels
Mar 10 16:12:34    check_reload_status        Reloading filter
Mar 10 16:12:34    php-fpm        /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Mar 10 16:12:18    check_reload_status        Restarting ipsec tunnels
Mar 10 16:12:18    check_reload_status        Restarting ipsec tunnels
Mar 10 16:12:02    check_reload_status        Reloading filter

Possibly related, taken from the Austin end of the IPsec tunnel.

#2 Updated by Jim Pingle about 1 year ago

  • Subject changed from Ipsec child SA's to Multiple IPsec child SA entries
  • Target version set to 2.4.3

#3 Updated by Jim Pingle about 1 year ago

James Dekker wrote:

Mar 10 16:12:02    check_reload_status        Reloading filter
Mar 10 16:12:18    check_reload_status        Restarting ipsec tunnels
Mar 10 16:12:18    check_reload_status        Restarting ipsec tunnels
Mar 10 16:12:34    php-fpm        /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Mar 10 16:12:34    check_reload_status        Reloading filter
Mar 10 16:12:51    check_reload_status        Restarting ipsec tunnels
Mar 10 16:13:07    php-fpm        /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Mar 10 16:13:07    check_reload_status        Reloading filter
Mar 10 16:13:24    check_reload_status        Restarting ipsec tunnels
Mar 10 16:13:40    php-fpm        /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Mar 10 16:13:40    check_reload_status        Reloading filter

(I un-reversed those log entries)

Those look like #7143, given the timing.

#4 Updated by Jim Pingle about 1 year ago

  • Status changed from New to Closed
  • Target version deleted (2.4.3)

This appears to have been triggered by a DNS issue, so if there is any problem it is likely the same as #7413.
