6.45beta34: router kills IKEv2 SAs immediately after establishing them

g22113 · April 19, 2019, 10:51am

Just reporting in. After upgrading from 6.45beta31 to 6.45beta34, my IKEv2 tunnels to strongSwan no longer stay up:

13:29:28 ipsec,info,account peer authorized: 192.168.1.37[4500]-212.71.255.217[4500] spi:10af2dc6e1e029fa:ba657fbd8e028608 
13:29:28 ipsec peer selected transport mode 
13:29:28 ipsec processing payload: TS_I 
13:29:28 ipsec 78.58.206.110 ip-proto:47 
13:29:28 ipsec processing payload: TS_R 
13:29:28 ipsec 212.71.255.217 ip-proto:47 
13:29:28 ipsec my vs peer's selectors: 
13:29:28 ipsec 192.168.1.37 ip-proto:47 vs 78.58.206.110 ip-proto:47 
13:29:28 ipsec 212.71.255.217 ip-proto:47 vs 212.71.255.217 ip-proto:47 
13:29:28 ipsec processing payload: SA 
13:29:28 ipsec IKE Protocol: ESP 
13:29:28 ipsec  proposal #1 
13:29:28 ipsec   enc: aes128-ctr 
13:29:28 ipsec   auth: sha1 
13:29:28 ipsec matched proposal: 
13:29:28 ipsec  proposal #1 
13:29:28 ipsec   enc: aes128-ctr 
13:29:28 ipsec   auth: sha1 
13:29:28 ipsec processing payload: NONCE (not found) 
13:29:28 ipsec,info killing ike2 SA: 192.168.1.37[4500]-212.71.255.217[4500] spi:10af2dc6e1e029fa:ba657fbd8e028608 
13:29:28 ipsec adding payload: DELETE

I have downgraded to beta31 and the logs don’t mention it looking for NONCE in this final step:

13:48:38 ipsec,info,account peer authorized: 192.168.1.37[4500]-212.71.255.217[4500] spi:c1db79741c080007:bff337db67c85b22 
13:48:38 ipsec peer selected transport mode 
13:48:38 ipsec processing payload: TS_I 
13:48:38 ipsec 78.58.206.110 ip-proto:47 
13:48:38 ipsec processing payload: TS_R 
13:48:38 ipsec 212.71.255.217 ip-proto:47 
13:48:38 ipsec my vs peer's selectors: 
13:48:38 ipsec 192.168.1.37 ip-proto:47 vs 78.58.206.110 ip-proto:47 
13:48:38 ipsec 212.71.255.217 ip-proto:47 vs 212.71.255.217 ip-proto:47 
13:48:38 ipsec processing payload: SA 
13:48:38 ipsec IKE Protocol: ESP 
13:48:38 ipsec  proposal #1 
13:48:38 ipsec   enc: aes128-ctr 
13:48:38 ipsec   auth: sha1 
13:48:38 ipsec matched proposal: 
13:48:38 ipsec  proposal #1 
13:48:38 ipsec   enc: aes128-ctr 
13:48:38 ipsec   auth: sha1 
13:48:38 ipsec,debug => child keymat (size 0x60) 
13:48:38 ipsec,debug a3fb2887 ...
13:48:38 ipsec IPsec-SA established: 212.71.255.217[4500]->192.168.1.37[4500] spi=0x5fae4ec 
13:48:38 ipsec IPsec-SA established: 192.168.1.37[4500]->212.71.255.217[4500] spi=0xcd2a60c3

Lilarcor · July 26, 2019, 4:18am

I got the same situation

Jotne · July 26, 2019, 4:39am

Why do you try an old 6.45beta? 6.45.2 is released as well as 6.46beta.

Lilarcor · August 9, 2019, 5:38am

Just reporting in. After upgrading from 6.45beta31 to 6.45beta34, my IKEv2 tunnels to strongSwan no longer stay up:

13:29:28 ipsec,info,account peer authorized: 192.168.1.37[4500]-212.71.255.217[4500] spi:10af2dc6e1e029fa:ba657fbd8e028608 
13:29:28 ipsec peer selected transport mode 
13:29:28 ipsec processing payload: TS_I 
13:29:28 ipsec 78.58.206.110 ip-proto:47 
13:29:28 ipsec processing payload: TS_R 
13:29:28 ipsec 212.71.255.217 ip-proto:47 
13:29:28 ipsec my vs peer's selectors: 
13:29:28 ipsec 192.168.1.37 ip-proto:47 vs 78.58.206.110 ip-proto:47 
13:29:28 ipsec 212.71.255.217 ip-proto:47 vs 212.71.255.217 ip-proto:47 
13:29:28 ipsec processing payload: SA 
13:29:28 ipsec IKE Protocol: ESP 
13:29:28 ipsec  proposal #1 
13:29:28 ipsec   enc: aes128-ctr 
13:29:28 ipsec   auth: sha1 
13:29:28 ipsec matched proposal: 
13:29:28 ipsec  proposal #1 
13:29:28 ipsec   enc: aes128-ctr 
13:29:28 ipsec   auth: sha1 
13:29:28 ipsec processing payload: NONCE (not found) 
13:29:28 ipsec,info killing ike2 SA: 192.168.1.37[4500]-212.71.255.217[4500] spi:10af2dc6e1e029fa:ba657fbd8e028608 
13:29:28 ipsec adding payload: DELETE

I have downgraded to beta31 and the logs don’t mention it looking for NONCE in this final step:

13:48:38 ipsec,info,account peer authorized: 192.168.1.37[4500]-212.71.255.217[4500] spi:c1db79741c080007:bff337db67c85b22 
13:48:38 ipsec peer selected transport mode 
13:48:38 ipsec processing payload: TS_I 
13:48:38 ipsec 78.58.206.110 ip-proto:47 
13:48:38 ipsec processing payload: TS_R 
13:48:38 ipsec 212.71.255.217 ip-proto:47 
13:48:38 ipsec my vs peer's selectors: 
13:48:38 ipsec 192.168.1.37 ip-proto:47 vs 78.58.206.110 ip-proto:47 
13:48:38 ipsec 212.71.255.217 ip-proto:47 vs 212.71.255.217 ip-proto:47 
13:48:38 ipsec processing payload: SA 
13:48:38 ipsec IKE Protocol: ESP 
13:48:38 ipsec  proposal #1 
13:48:38 ipsec   enc: aes128-ctr 
13:48:38 ipsec   auth: sha1 
13:48:38 ipsec matched proposal: 
13:48:38 ipsec  proposal #1 
13:48:38 ipsec   enc: aes128-ctr 
13:48:38 ipsec   auth: sha1 
13:48:38 ipsec,debug => child keymat (size 0x60) 
13:48:38 ipsec,debug a3fb2887 ...
13:48:38 ipsec IPsec-SA established: 212.71.255.217[4500]->192.168.1.37[4500] spi=0x5fae4ec 
13:48:38 ipsec IPsec-SA established: 192.168.1.37[4500]->212.71.255.217[4500] spi=0xcd2a60c3

Have you fixed it?