
"route already in use" after failover of HQ WAN Connection

Hello,

I built a test environment similar to the one in KB118975.

Problem: The VPN is established via Headquarters (HQ) WAN1 and Branch WAN.
When WAN1 in the HQ goes down (ifdown eth1 at the "Internet" router), the HQ initiates a new VPN connection via WAN2. The ISAKMP SA gets established, but the branch router cannot route because the route is still in use by the former VPN connection to WAN1. The branch router does not know that HQ WAN1 is down.
After some time (about 90 seconds) the branch declares HQ WAN1 dead, deletes the old tunnel and the new connection gets established.
When WAN1 comes back online it's OK: the tunnel switches over because HQ terminates the failover tunnel and opens a new tunnel via WAN1.

Question: Is this normal, or how do I tell the branch router that the "old" tunnel is dead?

Thank You
Uwe

Test environment:
The whole thing is built with 5 VMs in Win10 Hyper-V using 5 virtual switches of type "private network".
My "Internet" is a CentOS 7 VM with 3 NICs, forwarding enabled.
HQ has Uplink Balancing with 172.21.0.1 as first and 172.22.0.1 as second.
HQ has Uplink Monitoring with the 2 NICs of the Internet router defined as hosts (172.21.0.1 and 172.22.0.1). Without this Uplink Monitoring the tunnel always got established via the 2nd interface in the Uplink Balancing group.
HQ VPN uses "Uplink Interfaces" as local interface, Mode: initiate.
Branch Remote Gateway is in Mode "respond only" without a remote address, just PSK auth.

Schema of test environment:
Branch Office     | Branch Office    | Internet       | Head Quarter       | Head Quarter
Network           | UTM, 1x ISP      | simulating     | UTM (2x ISP)       | Network
192.168.40.0/24  -|- 192.168.40.1    | Router         |      192.168.30.1 -|- 192.168.30.0/24
                  |                  |                |                    |
                  |      172.23.0.2 -|- 172.23.0.1    |                    |
Host (Linux)      |                  |    172.21.0.1 -|- 172.21.0.2        | host (Windows)
192.168.40.2      |                  |    172.22.0.1 -|- 172.22.0.2        | 192.168.30.2

ipsec.log at Branch side:

2018:08:08-11:17:46 fwhamburg pluto[4912]: packet from 172.21.0.2:500: received Vendor ID payload [strongSwan]
2018:08:08-11:17:46 fwhamburg pluto[4912]: packet from 172.21.0.2:500: ignoring Vendor ID payload [Cisco-Unity]
2018:08:08-11:17:46 fwhamburg pluto[4912]: packet from 172.21.0.2:500: received Vendor ID payload [XAUTH]
2018:08:08-11:17:46 fwhamburg pluto[4912]: packet from 172.21.0.2:500: received Vendor ID payload [Dead Peer Detection]
2018:08:08-11:17:46 fwhamburg pluto[4912]: packet from 172.21.0.2:500: received Vendor ID payload [RFC 3947]
2018:08:08-11:17:46 fwhamburg pluto[4912]: packet from 172.21.0.2:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2018:08:08-11:17:46 fwhamburg pluto[4912]: packet from 172.21.0.2:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2018:08:08-11:17:46 fwhamburg pluto[4912]: packet from 172.21.0.2:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2018:08:08-11:17:46 fwhamburg pluto[4912]: packet from 172.21.0.2:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2018:08:08-11:17:46 fwhamburg pluto[4912]: "S_REF_IpsSitHqipsec_0"[4] 172.21.0.2 #8: responding to Main Mode from unknown peer 172.21.0.2
2018:08:08-11:17:46 fwhamburg pluto[4912]: "S_REF_IpsSitHqipsec_0"[4] 172.21.0.2 #8: NAT-Traversal: Result using RFC 3947: no NAT detected
2018:08:08-11:17:46 fwhamburg pluto[4912]: "S_REF_IpsSitHqipsec_0"[4] 172.21.0.2 #8: Peer ID is ID_IPV4_ADDR: '172.21.0.2'
2018:08:08-11:17:46 fwhamburg pluto[4912]: "S_REF_IpsSitHqipsec_0"[4] 172.21.0.2 #8: Dead Peer Detection (RFC 3706) enabled
2018:08:08-11:17:46 fwhamburg pluto[4912]: "S_REF_IpsSitHqipsec_0"[4] 172.21.0.2 #8: sent MR3, ISAKMP SA established
2018:08:08-11:17:46 fwhamburg pluto[4912]: "S_REF_IpsSitHqipsec_0"[4] 172.21.0.2 #9: responding to Quick Mode
2018:08:08-11:17:47 fwhamburg pluto[4912]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="REF_IpsSitHqipsec" address="172.23.0.2" local_net="192.168.40.0/24" remote_net="192.168.30.0/24"
2018:08:08-11:17:47 fwhamburg pluto[4912]: "S_REF_IpsSitHqipsec_0"[4] 172.21.0.2 #9: IPsec SA established {ESP=>0x9e6ec9c6 <0x54d7d09e DPD}

Now ifdown 172.21.0.1 at the "Internet" router => new incoming connection from HQ:
2018:08:08-11:20:46 fwhamburg pluto[4912]: packet from 172.22.0.2:500: received Vendor ID payload [strongSwan]
2018:08:08-11:20:46 fwhamburg pluto[4912]: packet from 172.22.0.2:500: ignoring Vendor ID payload [Cisco-Unity]
2018:08:08-11:20:46 fwhamburg pluto[4912]: packet from 172.22.0.2:500: received Vendor ID payload [XAUTH]
2018:08:08-11:20:46 fwhamburg pluto[4912]: packet from 172.22.0.2:500: received Vendor ID payload [Dead Peer Detection]
2018:08:08-11:20:46 fwhamburg pluto[4912]: packet from 172.22.0.2:500: received Vendor ID payload [RFC 3947]
2018:08:08-11:20:46 fwhamburg pluto[4912]: packet from 172.22.0.2:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2018:08:08-11:20:46 fwhamburg pluto[4912]: packet from 172.22.0.2:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2018:08:08-11:20:46 fwhamburg pluto[4912]: packet from 172.22.0.2:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2018:08:08-11:20:46 fwhamburg pluto[4912]: packet from 172.22.0.2:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2018:08:08-11:20:46 fwhamburg pluto[4912]: "S_REF_IpsSitHqipsec_0"[5] 172.22.0.2 #10: responding to Main Mode from unknown peer 172.22.0.2
2018:08:08-11:20:46 fwhamburg pluto[4912]: "S_REF_IpsSitHqipsec_0"[5] 172.22.0.2 #10: NAT-Traversal: Result using RFC 3947: no NAT detected
2018:08:08-11:20:46 fwhamburg pluto[4912]: "S_REF_IpsSitHqipsec_0"[5] 172.22.0.2 #10: Peer ID is ID_IPV4_ADDR: '172.22.0.2'
2018:08:08-11:20:46 fwhamburg pluto[4912]: "S_REF_IpsSitHqipsec_0"[5] 172.22.0.2 #10: Dead Peer Detection (RFC 3706) enabled
2018:08:08-11:20:46 fwhamburg pluto[4912]: "S_REF_IpsSitHqipsec_0"[5] 172.22.0.2 #10: sent MR3, ISAKMP SA established
2018:08:08-11:20:46 fwhamburg pluto[4912]: "S_REF_IpsSitHqipsec_0"[5] 172.22.0.2 #11: responding to Quick Mode
2018:08:08-11:20:46 fwhamburg pluto[4912]: "S_REF_IpsSitHqipsec_0"[5] 172.22.0.2 #11: cannot route -- route already in use for "S_REF_IpsSitHqipsec_0"
2018:08:08-11:20:56 fwhamburg pluto[4912]: "S_REF_IpsSitHqipsec_0"[5] 172.22.0.2 #11: cannot route -- route already in use for "S_REF_IpsSitHqipsec_0"
2018:08:08-11:21:16 fwhamburg pluto[4912]: "S_REF_IpsSitHqipsec_0"[5] 172.22.0.2 #11: cannot route -- route already in use for "S_REF_IpsSitHqipsec_0"
2018:08:08-11:21:56 fwhamburg pluto[4912]: "S_REF_IpsSitHqipsec_0"[5] 172.22.0.2 #11: max number of retransmissions (2) reached STATE_QUICK_R1
2018:08:08-11:22:06 fwhamburg pluto[4912]: "S_REF_IpsSitHqipsec_0"[5] 172.22.0.2 #12: responding to Quick Mode
2018:08:08-11:22:06 fwhamburg pluto[4912]: "S_REF_IpsSitHqipsec_0"[5] 172.22.0.2 #12: cannot route -- route already in use for "S_REF_IpsSitHqipsec_0"
2018:08:08-11:22:16 fwhamburg pluto[4912]: "S_REF_IpsSitHqipsec_0"[5] 172.22.0.2 #10: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x00c75c91) not found (maybe expired)
2018:08:08-11:22:16 fwhamburg pluto[4912]: "S_REF_IpsSitHqipsec_0"[5] 172.22.0.2 #12: cannot route -- route already in use for "S_REF_IpsSitHqipsec_0"
2018:08:08-11:22:36 fwhamburg pluto[4912]: "S_REF_IpsSitHqipsec_0"[5] 172.22.0.2 #12: cannot route -- route already in use for "S_REF_IpsSitHqipsec_0"
2018:08:08-11:22:41 fwhamburg pluto[4912]: ERROR: asynchronous network error report on eth0 for message to 172.21.0.2 port 500, complainant 172.23.0.1: Network is unreachable [errno 101, origin ICMP type 3 code 0 (not authenticated)]

After some time the "old" connection gets cleared and the route gets established:
2018:08:08-11:23:11 fwhamburg pluto[4912]: "S_REF_IpsSitHqipsec_0"[4] 172.21.0.2 #8: DPD: No response from peer - declaring peer dead
2018:08:08-11:23:11 fwhamburg pluto[4912]: "S_REF_IpsSitHqipsec_0"[4] 172.21.0.2 #8: DPD: Terminating all SAs using this connection
2018:08:08-11:23:11 fwhamburg pluto[4912]: "S_REF_IpsSitHqipsec_0"[4] 172.21.0.2 #8: deleting connection "S_REF_IpsSitHqipsec_0"[4] instance with peer 172.21.0.2 {isakmp=#8/ipsec=#9}
2018:08:08-11:23:11 fwhamburg pluto[4912]: "S_REF_IpsSitHqipsec_0" #9: deleting state (STATE_QUICK_R2)
2018:08:08-11:23:11 fwhamburg pluto[4912]: id="2204" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN down" variant="ipsec" connection="REF_IpsSitHqipsec" address="172.23.0.2" local_net="192.168.40.0/24" remote_net="192.168.30.0/24"
2018:08:08-11:23:11 fwhamburg pluto[4912]: "S_REF_IpsSitHqipsec_0" #8: deleting state (STATE_MAIN_R3)
2018:08:08-11:23:11 fwhamburg pluto[4912]: ERROR: asynchronous network error report on eth0 for message to 172.21.0.2 port 500, complainant 172.23.0.1: Network is unreachable [errno 101, origin ICMP type 3 code 0 (not authenticated)]
2018:08:08-11:23:16 fwhamburg pluto[4912]: "S_REF_IpsSitHqipsec_0"[5] 172.22.0.2 #12: max number of retransmissions (2) reached STATE_QUICK_R1
2018:08:08-11:23:26 fwhamburg pluto[4912]: "S_REF_IpsSitHqipsec_0"[5] 172.22.0.2 #13: responding to Quick Mode
2018:08:08-11:23:26 fwhamburg pluto[4912]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="REF_IpsSitHqipsec" address="172.23.0.2" local_net="192.168.40.0/24" remote_net="192.168.30.0/24"
2018:08:08-11:23:26 fwhamburg pluto[4912]: "S_REF_IpsSitHqipsec_0"[5] 172.22.0.2 #13: IPsec SA established {ESP=>0x4d602f8a <0x653c5a0e DPD}
2018:08:08-11:23:36 fwhamburg pluto[4912]: "S_REF_IpsSitHqipsec_0"[5] 172.22.0.2 #10: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x2b7c003c) not found (maybe expired)
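As an added example (not part of the post and not Sophos UTM code), a small Python parser over the Branch-side pluto log format quoted above: it finds the "route already in use" condition, identifies which stale peer DPD had to declare dead, and measures how long the new peer was blocked until its IPsec SA came up. The embedded log excerpt is constructed from the lines above; the function names are mine.

```python
import re
from datetime import datetime

# Constructed excerpt of the Branch-side pluto log quoted in the post (only the
# lines that matter for the failover timeline are kept).
SAMPLE_LOG = """\
2018:08:08-11:17:47 fwhamburg pluto[4912]: "S_REF_IpsSitHqipsec_0"[4] 172.21.0.2 #9: IPsec SA established {ESP=>0x9e6ec9c6 <0x54d7d09e DPD}
2018:08:08-11:20:46 fwhamburg pluto[4912]: "S_REF_IpsSitHqipsec_0"[5] 172.22.0.2 #11: responding to Quick Mode
2018:08:08-11:20:46 fwhamburg pluto[4912]: "S_REF_IpsSitHqipsec_0"[5] 172.22.0.2 #11: cannot route -- route already in use for "S_REF_IpsSitHqipsec_0"
2018:08:08-11:22:06 fwhamburg pluto[4912]: "S_REF_IpsSitHqipsec_0"[5] 172.22.0.2 #12: cannot route -- route already in use for "S_REF_IpsSitHqipsec_0"
2018:08:08-11:23:11 fwhamburg pluto[4912]: "S_REF_IpsSitHqipsec_0"[4] 172.21.0.2 #8: DPD: No response from peer - declaring peer dead
2018:08:08-11:23:26 fwhamburg pluto[4912]: "S_REF_IpsSitHqipsec_0"[5] 172.22.0.2 #13: IPsec SA established {ESP=>0x4d602f8a <0x653c5a0e DPD}
"""

# Per-peer pluto line: <ts> <host> pluto[<pid>]: "<conn>"[<inst>] <peer> #<state>: <text>
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+) #\d+: (?P<text>.*)$')


def parse_events(log):
    """Return (timestamp, connection, peer, text) for every per-peer pluto line."""
    out = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y:%m:%d-%H:%M:%S")
            out.append((ts, m.group("conn"), m.group("peer"), m.group("text")))
    return out


def failover_gap(log):
    """Find the first 'route already in use' hit, the stale peer DPD declared dead
    afterwards on the same connection, and the seconds until the blocked peer's
    IPsec SA was finally established. Returns None when no such condition is logged."""
    events = parse_events(log)
    blocked = next(((ts, c, p) for ts, c, p, text in events
                    if text.startswith("cannot route -- route already in use")), None)
    if blocked is None:
        return None
    t0, conn, new_peer = blocked
    stale = next((p for ts, c, p, text in events
                  if ts >= t0 and c == conn and p != new_peer and "declaring peer dead" in text), None)
    up = next((ts for ts, c, p, text in events
               if ts >= t0 and c == conn and p == new_peer and text.startswith("IPsec SA established")), None)
    return {"connection": conn, "new_peer": new_peer, "stale_peer": stale,
            "blocked_seconds": None if up is None else int((up - t0).total_seconds())}


if __name__ == "__main__":
    print(failover_gap(SAMPLE_LOG))
```

Run against a full ipsec.log, the blocked_seconds value is the outage window a DPD timeout setting has to cover before the failover tunnel can take over the route.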

  • The technique is identical, Uwe, just that there's not a second connection at the second site.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA