Hi,

Testing sec(4) between 2 end points with iperf3, iked has lost the associated iface for the sec(4) point to point link. Specifically:

pfkey_sa: unsupported interface

Here is the surrounding log for the event:

Aug 14 11:30:54 terminator iked[93171]: spi=0x635987a83a22a13e: recv CREATE_CHILD_SA req 3 peer 4.4.4.2:64893 local 4.4.4.1:4500, 305 bytes, policy 'policy1'
Aug 14 11:30:54 terminator iked[93171]: spi=0x635987a83a22a13e: send CREATE_CHILD_SA res 3 peer 4.4.4.2:64893 local 4.4.4.1:4500, 177 bytes, NAT-T
Aug 14 11:30:54 terminator iked[93171]: pfkey_sa: unsupported interface
Aug 14 11:30:54 terminator iked[93171]: spi=0x635987a83a22a13e: ikev2_log_proposal: ESP #1 ENCR=AES_GCM_16-128
Aug 14 11:30:54 terminator iked[93171]: spi=0x635987a83a22a13e: ikev2_log_proposal: ESP #1 ENCR=AES_GCM_16-256
Aug 14 11:30:54 terminator iked[93171]: spi=0x635987a83a22a13e: ikev2_log_proposal: ESP #1 ESN=ESN
Aug 14 11:30:54 terminator iked[93171]: spi=0x635987a83a22a13e: ikev2_log_proposal: ESP #1 ESN=NONE
Aug 14 11:30:54 terminator iked[93171]: spi=0x635987a83a22a13e: ikev2_log_proposal: ESP #2 ENCR=AES_CBC-256
Aug 14 11:30:54 terminator iked[93171]: spi=0x635987a83a22a13e: ikev2_log_proposal: ESP #2 ENCR=AES_CBC-192
Aug 14 11:30:54 terminator iked[93171]: spi=0x635987a83a22a13e: ikev2_log_proposal: ESP #2 ENCR=AES_CBC-128
Aug 14 11:30:54 terminator iked[93171]: spi=0x635987a83a22a13e: ikev2_log_proposal: ESP #2 INTEGR=HMAC_SHA2_256_128
Aug 14 11:30:54 terminator iked[93171]: spi=0x635987a83a22a13e: ikev2_log_proposal: ESP #2 INTEGR=HMAC_SHA2_384_192
Aug 14 11:30:54 terminator iked[93171]: spi=0x635987a83a22a13e: ikev2_log_proposal: ESP #2 INTEGR=HMAC_SHA2_512_256
Aug 14 11:30:54 terminator iked[93171]: spi=0x635987a83a22a13e: ikev2_log_proposal: ESP #2 INTEGR=HMAC_SHA1_96
Aug 14 11:30:54 terminator iked[93171]: spi=0x635987a83a22a13e: ikev2_log_proposal: ESP #2 ESN=ESN
Aug 14 11:30:54 terminator iked[93171]: spi=0x635987a83a22a13e: ikev2_log_proposal: ESP #2 ESN=NONE
Aug 14 11:30:54 terminator iked[93171]: spi=0x635987a83a22a13e: ikev2_add_error: NO_PROPOSAL_CHOSEN
Aug 14 11:30:54 terminator iked[93171]: spi=0x635987a83a22a13e: send CREATE_CHILD_SA res 3 peer 4.4.4.2:64893 local 4.4.4.1:4500, 65 bytes, NAT-T
Aug 14 11:30:54 terminator iked[93171]: spi=0x635987a83a22a13e: deleted 1 SPI: 0x37249f77
Aug 14 11:33:04 terminator iked[93171]: spi=0xffb183f53eae6546: recv IKE_SA_INIT req 0 peer 4.4.4.2:60926 local 4.4.4.1:500, 518 bytes, policy 'policy2'
Aug 14 11:33:04 terminator iked[93171]: spi=0xffb183f53eae6546: send IKE_SA_INIT res 0 peer 4.4.4.2:60926 local 4.4.4.1:500, 235 bytes
Aug 14 11:33:04 terminator iked[93171]: spi=0xffb183f53eae6546: recv IKE_AUTH req 1 peer 4.4.4.2:64893 local 4.4.4.1:4500, 475 bytes, policy 'policy2'
Aug 14 11:33:04 terminator iked[93171]: spi=0xffb183f53eae6546: send IKE_AUTH res 1 peer 4.4.4.2:64893 local 4.4.4.1:4500, 341 bytes, NAT-T
Aug 14 11:33:04 terminator iked[93171]: pfkey_sa: unsupported interface
Aug 14 11:35:43 terminator iked[93171]: spi=0xffb183f53eae6546: sa_free: reload
Aug 14 11:37:45 terminator iked[93171]: spi=0x635987a83a22a13e: retransmit 1 INFORMATIONAL req 6 peer 4.4.4.2:64893 local 4.4.4.1:4500
Aug 14 11:37:49 terminator iked[93171]: spi=0x635987a83a22a13e: retransmit 2 INFORMATIONAL req 6 peer 4.4.4.2:64893 local 4.4.4.1:4500
Aug 14 11:37:57 terminator iked[93171]: spi=0x635987a83a22a13e: retransmit 3 INFORMATIONAL req 6 peer 4.4.4.2:64893 local 4.4.4.1:4500
Aug 14 11:38:13 terminator iked[93171]: spi=0x635987a83a22a13e: retransmit 4 INFORMATIONAL req 6 peer 4.4.4.2:64893 local 4.4.4.1:4500
Aug 14 11:38:45 terminator iked[93171]: spi=0x635987a83a22a13e: retransmit 5 INFORMATIONAL req 6 peer 4.4.4.2:64893 local 4.4.4.1:4500
Aug 14 11:39:04 terminator iked[93171]: spi=0x8e5dc9e7e8a397e0: recv IKE_SA_INIT req 0 peer 4.4.4.2:63301 local 4.4.4.1:500, 518 bytes, policy 'policy6'
Aug 14 11:39:04 terminator iked[93171]: spi=0x8e5dc9e7e8a397e0: send IKE_SA_INIT res 0 peer 4.4.4.2:63301 local 4.4.4.1:500, 235 bytes
Aug 14 11:39:04 terminator iked[93171]: spi=0x8e5dc9e7e8a397e0: recv IKE_AUTH req 1 peer 4.4.4.2:64893 local 4.4.4.1:4500, 473 bytes, policy 'policy6'
Aug 14 11:39:04 terminator iked[93171]: spi=0x8e5dc9e7e8a397e0: send IKE_AUTH res 1 peer 4.4.4.2:64893 local 4.4.4.1:4500, 342 bytes, NAT-T
Aug 14 11:39:04 terminator iked[93171]: spi=0x8e5dc9e7e8a397e0: ikev2_childsa_enable: loaded SPIs: 0xbd533d62, 0xf7d5e5fd (enc aes-128-gcm esn)
Aug 14 11:39:04 terminator iked[93171]: spi=0x8e5dc9e7e8a397e0: established peer 4.4.4.2:64893[IPV4/10.56.0.0] local 4.4.4.1:4500[IPV4/4.4.4.1] policy 'policy5' as responder (enc aes-128-gcm group curve25519 prf hmac-sha2-256)
Aug 14 11:39:49 terminator iked[93171]: spi=0x635987a83a22a13e: sa_free: retransmit limit reached

To fix the connection and bring it back online the following had to be performed (sec30 was the interface for context):

ifconfig sec30 destroy
ifconfig sec30 create 10.56.2.254/24 10.56.2.1 mtu 1438 up
ikectl reload

The tunnel from the active peer is eventually negotiated and the connection resumes.

/etc/iked.conf:

ikev2 passive from 4.4.4.1 to 10.56.0.0 peer any srcid 4.4.4.1 dstid 10.56.0.0 iface sec30
ikev2 passive from 4.4.4.1 to 10.56.0.1 peer any srcid 4.4.4.1 dstid 10.56.0.1 iface sec31

Happy to provide anything else that might be necessary.

Thanks,
Jason.
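
One way to triage a log like this, as an added example that is not part of the original report or of iked: the `pfkey_sa: unsupported interface` line carries no `spi=`, so the script attributes it to the request iked logged just before it and notes whether that IKE SA ever loaded child SAs. The function name and the attribution heuristic are assumptions; the sample lines are copied from the log above.

```python
import re

# Log lines copied from the report above, trimmed to the relevant events.
SAMPLE = """\
Aug 14 11:30:54 terminator iked[93171]: spi=0x635987a83a22a13e: recv CREATE_CHILD_SA req 3 peer 4.4.4.2:64893 local 4.4.4.1:4500, 305 bytes, policy 'policy1'
Aug 14 11:30:54 terminator iked[93171]: spi=0x635987a83a22a13e: send CREATE_CHILD_SA res 3 peer 4.4.4.2:64893 local 4.4.4.1:4500, 177 bytes, NAT-T
Aug 14 11:30:54 terminator iked[93171]: pfkey_sa: unsupported interface
Aug 14 11:30:54 terminator iked[93171]: spi=0x635987a83a22a13e: ikev2_add_error: NO_PROPOSAL_CHOSEN
Aug 14 11:33:04 terminator iked[93171]: spi=0xffb183f53eae6546: recv IKE_AUTH req 1 peer 4.4.4.2:64893 local 4.4.4.1:4500, 475 bytes, policy 'policy2'
Aug 14 11:33:04 terminator iked[93171]: spi=0xffb183f53eae6546: send IKE_AUTH res 1 peer 4.4.4.2:64893 local 4.4.4.1:4500, 341 bytes, NAT-T
Aug 14 11:33:04 terminator iked[93171]: pfkey_sa: unsupported interface
Aug 14 11:39:04 terminator iked[93171]: spi=0x8e5dc9e7e8a397e0: recv IKE_AUTH req 1 peer 4.4.4.2:64893 local 4.4.4.1:4500, 473 bytes, policy 'policy6'
Aug 14 11:39:04 terminator iked[93171]: spi=0x8e5dc9e7e8a397e0: ikev2_childsa_enable: loaded SPIs: 0xbd533d62, 0xf7d5e5fd (enc aes-128-gcm esn)
"""

# syslog prefix, optional "spi=0x...:" tag, then the iked message text
ENTRY = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ iked\[\d+\]: (?:spi=(0x[0-9a-f]+): )?(.*)$")
RECV = re.compile(r"^recv (\S+) req \d+ .*policy '([^']+)'")


def pfkey_failures(text):
    """Attribute each spi-less 'pfkey_sa: unsupported interface' line to the
    IKE SA whose request was logged immediately before it (a heuristic)."""
    last = None      # (ike_spi, exchange, policy) of the most recent request
    loaded = set()   # IKE SAs for which child SAs were loaded into the kernel
    hits = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        when, spi, msg = m.groups()
        req = RECV.match(msg)
        if spi and req:
            last = (spi, req.group(1), req.group(2))
        elif msg.startswith("ikev2_childsa_enable: loaded SPIs"):
            loaded.add(spi)
        elif msg == "pfkey_sa: unsupported interface" and last:
            hits.append({"time": when, "ike_spi": last[0],
                         "exchange": last[1], "policy": last[2]})
    for h in hits:
        h["child_sa_loaded"] = h["ike_spi"] in loaded
    return hits


if __name__ == "__main__":
    for hit in pfkey_failures(SAMPLE):
        print(hit)
```
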