Duplicate SAD entries lead to ESP tunnel malfunction
Oleg Tarasov
subscriber at osk.com.ua
Thu Jan 26 08:10:23 PST 2006
Hello,
I run FreeBSD 6.0 and installed latest ported version of ipsec-tools.
I had to create two IPsec tunnels to two different hosts. One host
also runs FreeBSD; the other is a D-Link DI-804HV hardware router.
That router is supposed to support IPsec tunnelling and seems to
work fine.
When an IPsec tunnel is established, two SAD entries are created - one per
direction. This is normal.
In my case, two more are sometimes created. Some connection
problem occurs that causes both sides to re-establish the tunnel. Both sides
report that the tunnel is established successfully, but no packets can pass
through it. Dumping the SAD entries with
setkey -D
shows two SAD entries for both address pairs: the pair from the 17:58:03
negotiation and the pair from the 18:49:30 renegotiation, which the racoon
log below shows being established without the older SAs being purged.
How can this happen anyway?
Flushing the SAD entries restores the tunnel - after that it is
established successfully and works properly.
=======================================================================
central# setkey -D
172.21.0.222 172.21.0.224
esp mode=tunnel spi=230854012(0x0dc28d7c) reqid=0(0x00000000)
E: 3des-cbc dabdc3b8 ea8f9519 c755b2da 57d348f5 a319f839 555e5759
A: hmac-md5 8139183d b8c06aea 65ac6a72 4c93f714
seq=0x00003c46 replay=4 flags=0x00000000 state=mature
created: Jan 26 17:58:29 2006 current: Jan 26 18:58:41 2006
diff: 3612(s) hard: 28800(s) soft: 23040(s)
last: Jan 26 18:58:35 2006 hard: 0(s) soft: 0(s)
current: 2689960(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 15430 hard: 0 soft: 0
sadb_seq=5 pid=5501 refcnt=2
172.21.0.224 172.21.0.222
esp mode=tunnel spi=192143459(0x0b73e063) reqid=0(0x00000000)
E: 3des-cbc 5b75d9dc b2cba7c5 be08b863 e11e3c79 b993f636 d76b4437
A: hmac-md5 69759773 cfeb1fe1 e0dac25f 5360851e
seq=0x000030fd replay=4 flags=0x00000000 state=mature
created: Jan 26 17:58:29 2006 current: Jan 26 18:58:41 2006
diff: 3612(s) hard: 28800(s) soft: 23040(s)
last: Jan 26 18:58:35 2006 hard: 0(s) soft: 0(s)
current: 1781854(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 12541 hard: 0 soft: 0
sadb_seq=4 pid=5501 refcnt=1
172.21.0.222 172.21.0.225
esp mode=tunnel spi=1241514000(0x4a000010) reqid=0(0x00000000)
E: 3des-cbc 71061694 cf98e926 fed56e44 ca6437fd d681a362 36342bd0
A: hmac-md5 8c62152f 272b19d5 dcda82db 4772d15c
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Jan 26 18:49:30 2006 current: Jan 26 18:58:41 2006
diff: 551(s) hard: 28800(s) soft: 23040(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=3 pid=5501 refcnt=1
172.21.0.222 172.21.0.225
esp mode=tunnel spi=1207959568(0x48000010) reqid=0(0x00000000)
E: 3des-cbc 17aab273 2df4dca8 7871aa0c b3342a68 35221d02 bbbabbf6
A: hmac-md5 4f708fc1 1762371d 95e55918 1a167a31
seq=0x000000a7 replay=4 flags=0x00000000 state=mature
created: Jan 26 17:58:03 2006 current: Jan 26 18:58:41 2006
diff: 3638(s) hard: 28800(s) soft: 23040(s)
last: Jan 26 18:58:30 2006 hard: 0(s) soft: 0(s)
current: 18656(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 167 hard: 0 soft: 0
sadb_seq=2 pid=5501 refcnt=2
172.21.0.225 172.21.0.222
esp mode=tunnel spi=220625554(0x0d267a92) reqid=0(0x00000000)
E: 3des-cbc a446d441 856a0ed3 0f8d8ad8 065a6b27 da756609 98fa670e
A: hmac-md5 7f14777f e5131500 8c345030 d90900d2
seq=0x00000003 replay=4 flags=0x00000000 state=mature
created: Jan 26 18:49:30 2006 current: Jan 26 18:58:41 2006
diff: 551(s) hard: 28800(s) soft: 23040(s)
last: Jan 26 18:49:56 2006 hard: 0(s) soft: 0(s)
current: 144(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 3 hard: 0 soft: 0
sadb_seq=1 pid=5501 refcnt=1
172.21.0.225 172.21.0.222
esp mode=tunnel spi=90138890(0x055f690a) reqid=0(0x00000000)
E: 3des-cbc 4f77a3d4 7d2e446c a0e54ee5 ed482e15 e6e4b75b d723803c
A: hmac-md5 ebc9281a 780016ce 295ad45a 9d969b46
seq=0x0000009e replay=4 flags=0x00000000 state=mature
created: Jan 26 17:58:03 2006 current: Jan 26 18:58:41 2006
diff: 3638(s) hard: 28800(s) soft: 23040(s)
last: Jan 26 18:00:44 2006 hard: 0(s) soft: 0(s)
current: 9480(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 158 hard: 0 soft: 0
sadb_seq=0 pid=5501 refcnt=1
=======================================================================
central# setkey -D -P
192.168.0.0/24[any] 192.168.82.0/24[any] any
in ipsec
esp/tunnel/172.21.0.224-172.21.0.222/require
created: Jan 26 15:20:00 2006 lastused: Jan 26 18:59:06 2006
lifetime: 0(s) validtime: 0(s)
spid=16390 seq=3 pid=5513
refcnt=1
192.168.1.0/24[any] 192.168.82.0/24[any] any
in ipsec
esp/tunnel/172.21.0.225-172.21.0.222/require
created: Jan 26 15:20:00 2006 lastused: Jan 26 18:49:56 2006
lifetime: 0(s) validtime: 0(s)
spid=16392 seq=2 pid=5513
refcnt=1
192.168.82.0/24[any] 192.168.0.0/24[any] any
out ipsec
esp/tunnel/172.21.0.222-172.21.0.224/require
created: Jan 26 15:20:00 2006 lastused: Jan 26 18:59:06 2006
lifetime: 0(s) validtime: 0(s)
spid=16389 seq=1 pid=5513
refcnt=1
192.168.82.0/24[any] 192.168.1.0/24[any] any
out ipsec
esp/tunnel/172.21.0.222-172.21.0.225/require
created: Jan 26 15:20:00 2006 lastused: Jan 26 18:58:30 2006
lifetime: 0(s) validtime: 0(s)
spid=16391 seq=0 pid=5513
refcnt=1
=======================================================================
/var/log/racoon.log
Jan 26 17:41:39 central racoon: INFO: IPsec-SA established: ESP/Tunnel 172.21.0.225[0]->172.21.0.222[0] spi=120109393(0x
728b951)
Jan 26 17:41:39 central racoon: INFO: IPsec-SA established: ESP/Tunnel 172.21.0.222[0]->172.21.0.225[0] spi=1157627920(0
x45000010)
Jan 26 17:55:59 central racoon: INFO: purged IPsec-SA proto_id=ESP spi=1157627920.
Jan 26 17:55:59 central racoon: INFO: purging ISAKMP-SA spi=d1637c3987692522:b339bd2ace610860.
Jan 26 17:55:59 central racoon: INFO: keeping IPsec-SA spi=1090519056 - found valid ISAKMP-SA spi=f6907895966fed7d:f17fc
ca46153f83f.
Jan 26 17:55:59 central racoon: INFO: Unknown IPsec-SA spi=120109393, hmmmm?
Jan 26 17:55:59 central racoon: INFO: purged IPsec-SA spi=120109393.
Jan 26 17:55:59 central racoon: INFO: keeping IPsec-SA spi=85976071 - found valid ISAKMP-SA spi=f6907895966fed7d:f17fcca
46153f83f.
Jan 26 17:55:59 central racoon: INFO: purged ISAKMP-SA spi=d1637c3987692522:b339bd2ace610860.
Jan 26 17:56:00 central racoon: INFO: respond new phase 1 negotiation: 172.21.0.222[500]<=>172.21.0.225[500]
Jan 26 17:56:00 central racoon: INFO: begin Identity Protection mode.
Jan 26 17:56:00 central racoon: WARNING: SPI size isn't zero, but IKE proposal.
Jan 26 17:56:00 central racoon: INFO: ISAKMP-SA deleted 172.21.0.222[500]-172.21.0.225[500] spi:d1637c3987692522:b339bd2
ace610860
Jan 26 17:56:00 central racoon: INFO: ISAKMP-SA established 172.21.0.222[500]-172.21.0.225[500] spi:34637a9c843982ca:b55
cb815ad6bd124
Jan 26 17:56:00 central racoon: INFO: respond new phase 2 negotiation: 172.21.0.222[0]<=>172.21.0.225[0]
Jan 26 17:56:01 central racoon: INFO: IPsec-SA established: ESP/Tunnel 172.21.0.225[0]->172.21.0.222[0] spi=76313686(0x4
8c7456)
Jan 26 17:56:01 central racoon: INFO: IPsec-SA established: ESP/Tunnel 172.21.0.222[0]->172.21.0.225[0] spi=1191182352(0
x47000010)
Jan 26 17:58:03 central racoon: INFO: respond new phase 2 negotiation: 172.21.0.222[0]<=>172.21.0.225[0]
Jan 26 17:58:03 central racoon: INFO: IPsec-SA established: ESP/Tunnel 172.21.0.225[0]->172.21.0.222[0] spi=90138890(0x5
5f690a)
Jan 26 17:58:03 central racoon: INFO: IPsec-SA established: ESP/Tunnel 172.21.0.222[0]->172.21.0.225[0] spi=1207959568(0
x48000010)
Jan 26 17:58:29 central racoon: INFO: respond new phase 2 negotiation: 172.21.0.222[0]<=>172.21.0.224[0]
Jan 26 17:58:29 central racoon: INFO: IPsec-SA established: ESP/Tunnel 172.21.0.224[0]->172.21.0.222[0] spi=192143459(0x
b73e063)
Jan 26 17:58:29 central racoon: INFO: IPsec-SA established: ESP/Tunnel 172.21.0.222[0]->172.21.0.224[0] spi=230854012(0x
dc28d7c)
Jan 26 18:49:30 central racoon: INFO: respond new phase 1 negotiation: 172.21.0.222[500]<=>172.21.0.225[500]
Jan 26 18:49:30 central racoon: INFO: begin Identity Protection mode.
Jan 26 18:49:30 central racoon: WARNING: SPI size isn't zero, but IKE proposal.
Jan 26 18:49:30 central racoon: INFO: ISAKMP-SA established 172.21.0.222[500]-172.21.0.225[500] spi:7a61b69ba520e1c9:a6b
d1e28db6d3794
Jan 26 18:49:30 central racoon: INFO: respond new phase 2 negotiation: 172.21.0.222[0]<=>172.21.0.225[0]
Jan 26 18:49:30 central racoon: INFO: IPsec-SA established: ESP/Tunnel 172.21.0.225[0]->172.21.0.222[0] spi=220625554(0x
d267a92)
Jan 26 18:49:30 central racoon: INFO: IPsec-SA established: ESP/Tunnel 172.21.0.222[0]->172.21.0.225[0] spi=1241514000(0
x4a000010)
=======================================================================
/usr/local/etc/racoon/racoon.conf
path include "/usr/local/etc/racoon" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
path certificate "/usr/local/etc/cert" ;
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
listen
{
isakmp 172.21.0.222 [500];
}
timer
{
# These values can be changed per remote node.
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per send.
# timer for waiting to complete each phase.
phase1 30 sec;
phase2 15 sec;
}
remote 172.21.0.224
{
exchange_mode main,aggressive;
doi ipsec_doi;
situation identity_only;
my_identifier address 172.21.0.222;
peers_identifier address 172.21.0.224;
nonce_size 16;
lifetime time 86400 sec; # sec,min,hour
initial_contact on;
support_mip6 on;
proposal_check obey; # obey, strict or claim
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key ;
dh_group 1 ;
}
}
remote 172.21.0.225
{
exchange_mode main,aggressive;
doi ipsec_doi;
situation identity_only;
my_identifier address 172.21.0.222;
peers_identifier address 172.21.0.225;
nonce_size 16;
lifetime time 86400 sec; # sec,min,hour
initial_contact on;
support_mip6 on;
proposal_check obey; # obey, strict or claim
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key ;
dh_group 1 ;
}
}
sainfo anonymous
{
pfs_group 1;
lifetime time 28800 sec;
encryption_algorithm 3des ;
authentication_algorithm hmac_md5;
compression_algorithm deflate ;
}
==============================================================
/etc/ipsec.conf
flush;
spdflush;
spdadd 192.168.82.0/24 192.168.0.0/24 any -P out ipsec esp/tunnel/172.21.0.222-172.21.0.224/require;
spdadd 192.168.0.0/24 192.168.82.0/24 any -P in ipsec esp/tunnel/172.21.0.224-172.21.0.222/require;
spdadd 192.168.82.0/24 192.168.1.0/24 any -P out ipsec esp/tunnel/172.21.0.222-172.21.0.225/require;
spdadd 192.168.1.0/24 192.168.82.0/24 any -P in ipsec esp/tunnel/172.21.0.225-172.21.0.222/require;
==============================================================
--
Best regards,
Oleg Tarasov mailto:subscriber at osk.com.ua