-
Bug
-
Resolution: Unresolved
-
Undefined
-
None
-
rhel-10.1
-
None
-
No
-
None
-
rhel-security-crypto-spades
-
None
-
False
-
False
-
-
None
-
None
-
None
-
None
-
Unspecified
-
Unspecified
-
Unspecified
-
None
What were you trying to do that didn't work?
config setup
uniqueids=yes
conn %default
keyingtries=%forever
type=transport
auto=route
ike=aes_gcm256-sha2_256
esp=aes_gcm256
ikev2=insist
conn in-1
left=A.B.C.58
right=A.B.C.148
leftid=...
rightid=...
leftcert=...
leftrsasigkey=%cert
rightca=%same
leftprotoport=udp/6081
rightprotoport=udp
conn out-1
left=A.B.C.58
right=A.B.C.148
leftid=...
rightid=...
leftcert=...
leftrsasigkey=%cert
rightca=%same
leftprotoport=udp
rightprotoport=udp/6081
out-1 has IKE SA created but its Child SA is eventually switched to better matching in-1 connection. This leave out-1 with IKE SA but childless and it remains like that until salifetime ends.
This is tracked in https://github.com/libreswan/libreswan/issues/2520.
What is the impact of this issue to you?
Severe since the current version of openvswitch used in OCP is not recognizing orphaned IKE SA correctly (see https://github.com/openvswitch/ovs-issues/issues/374).
Please provide the package NVR for which the bug is seen:
libreswan-5.2
How reproducible is this bug?:
This is very hard to reproduce since it only happens when Child SA is switching while IKE SA exchanges are crossing.
Expected results
Once Child SA switches connection either its parent IKE SA should follow (not optimal) or it should be torn down and scheduled for revival.
Actual results
Left
Nov 04 14:32:39 pluto[7402]: "out-1": ikev2=yes has been replaced by keyexchange=ikev2
Nov 04 14:32:39 pluto[7402]: "out-1": loaded private key matching left certificate 'ovs_certkey_569d8072-27e3-4c76-ab32-b35b40381a5c'
Nov 04 14:32:39 pluto[7402]: "out-1": IKE SA proposals (connection add):
Nov 04 14:32:39 pluto[7402]: "out-1": 1:IKE=AES_GCM_16_256-HMAC_SHA2_256-NONE-ECP_256+ECP_384+ECP_521+CURVE25519+MODP4096+MODP3072+MODP2048+MODP8192
Nov 04 14:32:39 pluto[7402]: "out-1": Child SA proposals (connection add):
Nov 04 14:32:39 pluto[7402]: "out-1": 1:ESP=AES_GCM_16_256-NONE-NONE-ESN:YES+NO
Nov 04 14:32:39 pluto[7402]: "out-1": added IKEv2 connection
Nov 04 14:32:39 pluto[7402]: "out-1" #766: initiating IKEv2 connection to A.B.C.148 using UDP
Nov 04 14:32:39 pluto[7402]: "out-1" #766: sent IKE_SA_INIT request to A.B.C.148:UDP/500
Nov 04 14:32:39 pluto[7402]: "in-1": ikev2=yes has been replaced by keyexchange=ikev2
Nov 04 14:32:39 pluto[7402]: "in-1": IKE SA proposals (connection add):
Nov 04 14:32:39 pluto[7402]: "in-1": 1:IKE=AES_GCM_16_256-HMAC_SHA2_256-NONE-ECP_256+ECP_384+ECP_521+CURVE25519+MODP4096+MODP3072+MODP2048+MODP8192
Nov 04 14:32:39 pluto[7402]: "in-1": Child SA proposals (connection add):
Nov 04 14:32:39 pluto[7402]: "in-1": 1:ESP=AES_GCM_16_256-NONE-NONE-ESN:YES+NO
Nov 04 14:32:39 pluto[7402]: "in-1": added IKEv2 connection
Nov 04 14:32:39 pluto[7402]: "out-1" #766: IKE_SA_INIT_I: retransmission; will wait 0.5 seconds for response
Nov 04 14:32:40 pluto[7402]: "out-1" #766: IKE_SA_INIT_I: retransmission; will wait 1 seconds for response
Nov 04 14:32:41 pluto[7402]: "out-1" #766: IKE_SA_INIT_I: retransmission; will wait 2 seconds for response
Nov 04 14:32:43 pluto[7402]: "out-1" #766: IKE_SA_INIT_I: retransmission; will wait 4 seconds for response
Nov 04 14:32:47 pluto[7402]: "out-1" #766: IKE_SA_INIT_I: retransmission; will wait 8 seconds for response
Nov 04 14:32:55 pluto[7402]: "out-1" #766: IKE_SA_INIT_I: retransmission; will wait 16 seconds for response
Nov 04 14:32:55 pluto[7402]: "in-1": queue Child SA; waiting on IKE SA "out-1" #766 negotiating with A.B.C.148
Nov 04 14:33:11 pluto[7402]: "out-1" #766: IKE_SA_INIT_I: retransmission; will wait 32 seconds for response
Nov 04 14:33:43 pluto[7402]: "out-1" #766: IKE_SA_INIT_I: 60 second timeout exceeded after 7 retransmits. No response (or no acceptable response) to our first IKEv2 message
Nov 04 14:33:43 pluto[7402]: "out-1" #766: connection is supposed to remain up; revival attempt 1 scheduled in 0 seconds
Nov 04 14:33:43 pluto[7402]: "out-1" #766: deleting IKE SA (sent IKE_SA_INIT request)
Nov 04 14:33:43 pluto[7402]: "in-1": connection is supposed to remain up; revival attempt 1 scheduled in 0 seconds
Nov 04 14:33:43 pluto[7402]: "out-1": reviving connection which timeout IKE SA but must remain up per local policy (serial $481)
Nov 04 14:33:43 pluto[7402]: "out-1" #949: initiating IKEv2 connection to A.B.C.148 using UDP
Nov 04 14:33:43 pluto[7402]: "in-1": reviving connection which re-schedule but must remain up per local policy (serial $482)
Nov 04 14:33:43 pluto[7402]: "in-1": queue Child SA; waiting on IKE SA "out-1" #949 negotiating with A.B.C.148
Nov 04 14:33:43 pluto[7402]: "out-1" #949: sent IKE_SA_INIT request to A.B.C.148:UDP/500
Nov 04 14:33:43 pluto[7402]: "out-1" #949: IKE_SA_INIT_I: retransmission; will wait 0.5 seconds for response
Nov 04 14:33:44 pluto[7402]: "out-1" #949: IKE_SA_INIT_I: retransmission; will wait 1 seconds for response
Nov 04 14:33:45 pluto[7402]: "out-1" #949: IKE_SA_INIT_I: retransmission; will wait 2 seconds for response
Nov 04 14:33:47 pluto[7402]: "out-1" #949: IKE_SA_INIT_I: retransmission; will wait 4 seconds for response
Nov 04 14:33:51 pluto[7402]: "out-1" #949: IKE_SA_INIT_I: retransmission; will wait 8 seconds for response
Nov 04 14:33:59 pluto[7402]: "out-1" #949: IKE_SA_INIT_I: retransmission; will wait 16 seconds for response
Nov 04 14:34:15 pluto[7402]: "out-1" #949: IKE_SA_INIT_I: retransmission; will wait 32 seconds for response
Nov 04 14:34:47 pluto[7402]: "out-1" #949: IKE_SA_INIT_I: 60 second timeout exceeded after 7 retransmits. No response (or no acceptable response) to our first IKEv2 message
Nov 04 14:34:47 pluto[7402]: "out-1" #949: connection is supposed to remain up; revival attempt 2 scheduled in 5 seconds
Nov 04 14:34:47 pluto[7402]: "out-1" #949: deleting IKE SA (sent IKE_SA_INIT request)
Nov 04 14:34:47 pluto[7402]: "in-1": connection is supposed to remain up; revival attempt 2 scheduled in 5 seconds
Nov 04 14:34:52 pluto[7402]: "in-1": reviving connection which re-schedule but must remain up per local policy (serial $482)
Nov 04 14:34:52 pluto[7402]: "in-1" #1068: initiating IKEv2 connection to A.B.C.148 using UDP
Nov 04 14:34:52 pluto[7402]: "out-1": reviving connection which timeout IKE SA but must remain up per local policy (serial $481)
Nov 04 14:34:52 pluto[7402]: "out-1": queue Child SA; waiting on IKE SA "in-1" #1068 negotiating with A.B.C.148
Nov 04 14:34:52 pluto[7402]: "in-1" #1068: sent IKE_SA_INIT request to A.B.C.148:UDP/500
Nov 04 14:34:52 pluto[7402]: "in-1" #1068: IKE_SA_INIT_I: retransmission; will wait 0.5 seconds for response
Nov 04 14:34:53 pluto[7402]: "in-1" #1068: IKE_SA_INIT_I: retransmission; will wait 1 seconds for response
Nov 04 14:34:54 pluto[7402]: "in-1" #1068: IKE_SA_INIT_I: retransmission; will wait 2 seconds for response
Nov 04 14:34:56 pluto[7402]: "in-1" #1068: IKE_SA_INIT_I: retransmission; will wait 4 seconds for response
Nov 04 14:35:00 pluto[7402]: "in-1" #1068: IKE_SA_INIT_I: retransmission; will wait 8 seconds for response
Nov 04 14:35:08 pluto[7402]: "in-1" #1068: IKE_SA_INIT_I: retransmission; will wait 16 seconds for response
Nov 04 14:35:21 pluto[7402]: "out-1" #1111: processing IKE_SA_INIT request from A.B.C.148:UDP/500 containing SA,KE,Ni,N(IKEV2_FRAGMENTATION_SUPPORTED),N(SIGNATURE_HASH_ALGORITHMS),N(NAT_DETECTION_SOURCE_IP),N(NAT_DETECTION_DESTINATION_IP)
Nov 04 14:35:21 pluto[7402]: "out-1" #1111: proposal 1:IKE=AES_GCM_16_256-HMAC_SHA2_256-ECP_256 chosen from remote proposals 1:IKE:ENCR=AES_GCM_16_256;PRF=HMAC_SHA2_256;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519;DH=MODP4096;DH=MODP3072;DH=MODP2048;DH=MODP8192[first-match]
Nov 04 14:35:21 pluto[7402]: "out-1" #1111: sent IKE_SA_INIT response to A.B.C.148:UDP/500 {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_256 group=DH19}
Nov 04 14:35:21 pluto[7402]: "out-1" #1111: received IKE_AUTH request fragment 1 (1 of 4), computing DH in the background
Nov 04 14:35:21 pluto[7402]: "out-1" #1111: processing decrypted IKE_AUTH request from A.B.C.148:UDP/500 containing SK{IDi,CERT,CERTREQ,IDr,AUTH,SA,TSi,TSr,N(USE_TRANSPORT_MODE)}
Nov 04 14:35:21 pluto[7402]: "out-1" #1111: responder established IKE SA; authenticated peer certificate '@83d4491d-8af0-41d6-b1c3-ce525f09537f' and 2048-bit RSASSA-PSS with SHA2_512 digital signature issued by 'CN=openshift-ovn-kubernetes_signer-ca@1762252690'
Nov 04 14:35:21 pluto[7402]: "out-1" #1112: switched to "in-1"
Nov 04 14:35:21 pluto[7402]: "in-1" #1112: proposal 1:ESP=AES_GCM_16_256-ESN:YES SPI=1817d179 chosen from remote proposals 1:ESP:ENCR=AES_GCM_16_256;ESN=YES;ESN=NO[first-match]
Nov 04 14:35:21 pluto[7402]: EXPECTATION FAILED: "in-1" #1112: Child SA with IKE SA #1111 do not share their connection, .negotiating_ike_sa #1068 should be unset, clearing (process_v2_child_request_payloads() +455 programs/pluto/ikev2_child.c) (set_established_outbound() +567 programs/pluto/routing.c)
Nov 04 14:35:21 pluto[7402]: "in-1" #1112: responder established Child SA using #1111; IPsec transport [A.B.C.58/32/UDP/6081===A.B.C.148/32/UDP] {ESP/ESN=>0x1817d179 <0x555d411e xfrm=AES_GCM_16_256-NONE DPD=passive}
Nov 04 14:35:24 pluto[7402]: "in-1" #1068: IKE_SA_INIT_I: retransmission; will wait 32 seconds for response
Nov 04 14:35:24 pluto[7402]: "in-1" #1068: state superseded by #1112, drop this negotiation
Nov 04 14:35:24 pluto[7402]: "in-1" #1068: encountered fatal error in state IKE_SA_INIT_I
Nov 04 14:35:24 pluto[7402]: "in-1" #1068: deleting IKE SA (sent IKE_SA_INIT request)
Nov 04 22:24:01 pluto[7402]: "out-1" #1892: proposal 1:IKE=AES_GCM_16_256-HMAC_SHA2_256-ECP_256 SPI=fc5b5b90a9f5a552 chosen from remote proposals 1:IKE:ENCR=AES_GCM_16_256;PRF=HMAC_SHA2_256;DH=ECP_256[first-match]
Nov 04 22:24:01 pluto[7402]: "out-1" #1892: responder rekeyed IKE SA #1111 {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_256 group=DH19}
Nov 04 22:24:02 pluto[7402]: "out-1" #1111: deleting IKE SA (established IKE SA)
Nov 04 22:24:23 pluto[7402]: "in-1" #1903: proposal 1:ESP=AES_GCM_16_256-ECP_256-ESN:YES SPI=f83c0a4a chosen from remote proposals 1:ESP:ENCR=AES_GCM_16_256;DH=ECP_256;ESN=YES[first-match]
Nov 04 22:24:23 pluto[7402]: "in-1" #1903: responder rekeyed Child SA #1112 using #1892; IPsec transport [A.B.C.58/32/UDP/6081===A.B.C.148/32/UDP] {ESP/ESN=>0xf83c0a4a <0xa0d6122a xfrm=AES_GCM_16_256-NONE-DH19 DPD=passive}
Nov 04 22:24:24 pluto[7402]: "in-1" #1112: ESP traffic information: in=2KiB out=0B
Nov 05 06:08:28 pluto[7402]: "in-1" #2602: proposal 1:ESP=AES_GCM_16_256-ECP_256-ESN:YES SPI=2d2ad6b1 chosen from remote proposals 1:ESP:ENCR=AES_GCM_16_256;DH=ECP_256;ESN=YES[first-match]
Nov 05 06:08:28 pluto[7402]: "in-1" #2602: responder rekeyed Child SA #1903 using #1892; IPsec transport [A.B.C.58/32/UDP/6081===A.B.C.148/32/UDP] {ESP/ESN=>0x2d2ad6b1 <0x545639ff xfrm=AES_GCM_16_256-NONE-DH19 DPD=passive}
Nov 05 06:08:29 pluto[7402]: "in-1" #1903: ESP traffic information: in=3KiB out=0B
Nov 05 06:11:47 pluto[7402]: "out-1" #2669: proposal 1:IKE=AES_GCM_16_256-HMAC_SHA2_256-ECP_256 SPI=3173de7183dbb89d chosen from remote proposals 1:IKE:ENCR=AES_GCM_16_256;PRF=HMAC_SHA2_256;DH=ECP_256[first-match]
Nov 05 06:11:47 pluto[7402]: "out-1" #2669: responder rekeyed IKE SA #1892 {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_256 group=DH19}
Nov 05 06:11:48 pluto[7402]: "out-1" #1892: deleting IKE SA (established IKE SA)
Right
Nov 04 14:35:21 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-in-1": ikev2=yes has been replaced by keyexchange=ikev2
Nov 04 14:35:21 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-in-1": IKE SA proposals (connection add):
Nov 04 14:35:21 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-in-1": 1:IKE=AES_GCM_16_256-HMAC_SHA2_256-NONE-ECP_256+ECP_384+ECP_521+CURVE25519+MODP4096+MODP3072+MODP2048+MODP8192
Nov 04 14:35:21 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-in-1": Child SA proposals (connection add):
Nov 04 14:35:21 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-in-1": 1:ESP=AES_GCM_16_256-NONE-NONE-ESN:YES+NO
Nov 04 14:35:21 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-in-1": added IKEv2 connection
Nov 04 14:35:21 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-out-1": ikev2=yes has been replaced by keyexchange=ikev2
Nov 04 14:35:21 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-out-1": IKE SA proposals (connection add):
Nov 04 14:35:21 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-out-1": 1:IKE=AES_GCM_16_256-HMAC_SHA2_256-NONE-ECP_256+ECP_384+ECP_521+CURVE25519+MODP4096+MODP3072+MODP2048+MODP8192
Nov 04 14:35:21 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-out-1": Child SA proposals (connection add):
Nov 04 14:35:21 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-out-1": 1:ESP=AES_GCM_16_256-NONE-NONE-ESN:YES+NO
Nov 04 14:35:21 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-out-1": added IKEv2 connection
Nov 04 14:35:21 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-out-1" #576: initiating IKEv2 connection to A.B.C.58 using UDP
Nov 04 14:35:21 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-out-1" #576: sent IKE_SA_INIT request to A.B.C.58:UDP/500
Nov 04 14:35:21 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-out-1" #576: processed IKE_SA_INIT response from A.B.C.58:UDP/500 {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_256 group=DH19}, initiating IKE_AUTH
Nov 04 14:35:21 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-out-1" #576: sent IKE_AUTH request to A.B.C.58:UDP/500 with digital-signature and FQDN '@83d4491d-8af0-41d6-b1c3-ce525f09537f'; Child SA #577 {ESP <0x1817d179}
Nov 04 14:35:21 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-out-1" #576: initiator established IKE SA; authenticated peer certificate '@569d8072-27e3-4c76-ab32-b35b40381a5c' and 2048-bit RSASSA-PSS with SHA2_512 digital signature issued by 'CN=openshift-ovn-kubernetes_signer-ca@1762252690'
Nov 04 14:35:21 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-out-1" #577: initiator established Child SA using #576; IPsec transport [A.B.C.148/32/UDP===A.B.C.58/32/UDP/6081] {ESP/ESN=>0x555d411e <0x1817d179 xfrm=AES_GCM_16_256-NONE DPD=passive}
Nov 04 14:35:24 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-out-1" #677: processing IKE_SA_INIT request from A.B.C.58:UDP/500 containing SA,KE,Ni,N(IKEV2_FRAGMENTATION_SUPPORTED),N(SIGNATURE_HASH_ALGORITHMS),N(NAT_DETECTION_SOURCE_IP),N(NAT_DETECTION_DESTINATION_IP)
Nov 04 14:35:24 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-out-1" #677: proposal 1:IKE=AES_GCM_16_256-HMAC_SHA2_256-ECP_256 chosen from remote proposals 1:IKE:ENCR=AES_GCM_16_256;PRF=HMAC_SHA2_256;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519;DH=MODP4096;DH=MODP3072;DH=MODP2048;DH=MODP8192[first-match]
Nov 04 14:35:24 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-out-1" #677: sent IKE_SA_INIT response to A.B.C.58:UDP/500 {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_256 group=DH19}
Nov 04 14:38:44 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-out-1" #677: deleting incomplete state after 200 seconds
Nov 04 14:38:44 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-out-1" #677: deleting IKE SA (sent IKE_SA_INIT response, waiting for IKE_INTERMEDIATE or IKE_AUTH request)
Nov 04 22:24:01 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-out-1" #1509: initiating rekey to replace IKE SA #576 using IKE SA #576
Nov 04 22:24:01 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-out-1" #1509: sent CREATE_CHILD_SA request to rekey IKE SA #576 (using IKE SA #576)
Nov 04 22:24:01 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-out-1" #1509: initiator rekeyed IKE SA #576 {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_256 group=DH19}
Nov 04 22:24:02 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-out-1" #576: deleting IKE SA (ESTABLISHED_IKE_SA) aged 28121.13599s and sending notification
Nov 04 22:24:23 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-out-1" #1549: initiating rekey to replace Child SA #577 using IKE SA #1509
Nov 04 22:24:23 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-out-1" #1549: sent CREATE_CHILD_SA request to rekey Child SA #577 using IKE SA #1509 {ESP <0xf83c0a4a}
Nov 04 22:24:23 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-out-1" #1549: initiator rekeyed Child SA #577 using #1509; IPsec transport [A.B.C.148/32/UDP===A.B.C.58/32/UDP/6081] {ESP/ESN=>0xa0d6122a <0xf83c0a4a xfrm=AES_GCM_16_256-NONE-DH19 DPD=passive}
Nov 04 22:24:24 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-out-1" #577: sent INFORMATIONAL request to delete established Child SA using IKE SA #1509
Nov 04 22:24:24 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-out-1" #577: ESP traffic information: in=0B out=2KiB
Nov 05 06:08:28 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-out-1" #2125: initiating rekey to replace Child SA #1549 using IKE SA #1509
Nov 05 06:08:28 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-out-1" #2125: sent CREATE_CHILD_SA request to rekey Child SA #1549 using IKE SA #1509 {ESP <0x2d2ad6b1}
Nov 05 06:08:28 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-out-1" #2125: initiator rekeyed Child SA #1549 using #1509; IPsec transport [A.B.C.148/32/UDP===A.B.C.58/32/UDP/6081] {ESP/ESN=>0x545639ff <0x2d2ad6b1 xfrm=AES_GCM_16_256-NONE-DH19 DPD=passive}
Nov 05 06:08:29 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-out-1" #1549: sent INFORMATIONAL request to delete established Child SA using IKE SA #1509
Nov 05 06:08:29 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-out-1" #1549: ESP traffic information: in=0B out=3KiB
Nov 05 06:11:47 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-out-1" #2340: initiating rekey to replace IKE SA #1509 using IKE SA #1509
Nov 05 06:11:47 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-out-1" #2340: sent CREATE_CHILD_SA request to rekey IKE SA #1509 (using IKE SA #1509)
Nov 05 06:11:47 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-out-1" #2340: initiator rekeyed IKE SA #1509 {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_256 group=DH19}
Nov 05 06:11:48 ip-A.B.C.148 pluto[8057]: "ovn-569d80-0-out-1" #1509: deleting IKE SA (ESTABLISHED_IKE_SA) aged 28067.011189s and sending notification