> Hello everyone,
>
> I'm running strongSwan 5.6.1 on linux-4.14.x (slackware 14.2 64bit)
> with iproute 4.14.1

Hello everyone again, I have also git cloned the current iproute2, but same behavior. Linux version is 4.14.2

> When I issue 'ip -x s p', I get this output:
>
> src 10.180.0.0/16 dst 10.81.110.10/32 uid 0
> dir out action allow index 137 priority 375423 share any flag (0x00000000)
> lifetime config:
> limit: soft (INF)(bytes), hard (INF)(bytes)
> limit: soft (INF)(packets), hard (INF)(packets)
> expire add: soft 0(sec), hard 0(sec)
> expire use: soft 0(sec), hard 0(sec)
> lifetime current:
> 0(bytes), 0(packets)
> add 2018-01-19 17:43:50 use 2018-01-19 17:47:25
> tmpl src 10.81.110.254 dst 10.81.110.10
> proto esp spi 0x500e0603(1343096323) reqid 4(0x00000004) mode tunnel
> level required share any
> enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 10.81.110.10/32 dst 10.180.0.0/16 uid 0
> dir fwd action allow index 154 priority 375423 share any flag (0x00000000)
> lifetime config:
> limit: soft (INF)(bytes), hard (INF)(bytes)
> limit: soft (INF)(packets), hard (INF)(packets)
> expire add: soft 0(sec), hard 0(sec)
> expire use: soft 0(sec), hard 0(sec)
> lifetime current:
> 0(bytes), 0(packets)
> add 2018-01-19 17:43:50 use -
> tmpl src 10.81.110.10 dst 10.81.110.254
> proto esp spi 0x00000000(0) reqid 4(0x00000004) mode tunnel
> level required share any
> enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 10.81.110.10/32 dst 10.180.0.0/16 uid 0
> dir in action allow index 144 priority 375423 share any flag (0x00000000)
> lifetime config:
> limit: soft (INF)(bytes), hard (INF)(bytes)
> limit: soft (INF)(packets), hard (INF)(packets)
> expire add: soft 0(sec), hard 0(sec)
> expire use: soft 0(sec), hard 0(sec)
> lifetime current:
> 0(bytes), 0(packets)
> add 2018-01-19 17:43:50 use 2018-01-19 17:43:50
> tmpl src 10.81.110.10 dst 10.81.110.254
> proto esp spi 0x00000000(0) reqid 4(0x00000004) mode tunnel
> level required share any
> enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
>
> As you may see, the esp security parameter index is correctly reported
> for the first policy, but is 0x00000000 for the other two entries.
> The output from strongSwan 'ipsec statusall' instead shows them correctly:
>
> INSTALLED, TUNNEL, reqid 4, ESP SPIs: c16fd9e3_i 500e0603_o
> 3DES_CBC/HMAC_MD5_96/MODP_1024, 11180 bytes_i (215 pkts, 245s ago), 596700
> bytes_o (459 pkts, 29s ago)
> 10.180.0.0/16 === 10.81.110.10/32
>
> Also the output from 'ip -s x s' is reporting correctly the esp spi value:
>
> src 10.81.110.254 dst 10.81.110.10
> proto esp spi 0x500e0603(1343096323) reqid 4(0x00000004) mode tunnel
> replay-window 0 seq 0x00000000 flag af-unspec (0x00100000)
> auth-trunc hmac(md5) 0x5b029bb432e892780c4d28a2c4f4253d (128 bits) 96
> enc cbc(des3_ede) 0x01cf85a8cc981a3abe5ae9173bd45abbeedfd8d80f176fe9 (192
> bits)
> anti-replay context: seq 0x0, oseq 0x1cb, bitmap 0x00000000
> lifetime config:
> limit: soft (INF)(bytes), hard (INF)(bytes)
> limit: soft (INF)(packets), hard (INF)(packets)
> expire add: soft 4147(sec), hard 4800(sec)
> expire use: soft 0(sec), hard 0(sec)
> lifetime current:
> 596700(bytes), 459(packets)
> add 2018-01-19 17:43:50 use 2018-01-19 17:43:50
> stats:
> replay-window 0 replay 0 failed 0
> src 10.81.110.10 dst 10.81.110.254
> proto esp spi 0xc16fd9e3(3245332963) reqid 4(0x00000004) mode tunnel
> replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
> auth-trunc hmac(md5) 0x2354ae62bc484d3c3d9e13c9bae1fd66 (128 bits) 96
> enc cbc(des3_ede) 0x15fcba9ac7f78e9126b2394db6e7619ebe4bc27ace4d1603 (192
> bits)
> anti-replay context: seq 0xda, oseq 0x0, bitmap 0xffffffff
> lifetime config:
> limit: soft (INF)(bytes), hard (INF)(bytes)
> limit: soft (INF)(packets), hard (INF)(packets)
> expire add: soft 3968(sec), hard 4800(sec)
> expire use: soft 0(sec), hard 0(sec)
> lifetime current:
> 11180(bytes), 215(packets)
> add 2018-01-19 17:43:50 use 2018-01-19 17:43:50
> stats:
> replay-window 0 replay 0 failed 0
>
> Kindly, I would like to ask if this is the expected behaviour.
>
> Thanks in advance
>
> Marco Berizzi