<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div class="">Hi Tobias,</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">Thanks for your response, I have a couple follow-on questions.</div>
<div class=""><br class="">
</div>
<div class="">1. Regarding the DNS explanation to question #1 below, is this Charon behavior considered erroneous with a defect logged? If so, when might a fix appear for it? You mention a “workaround” using refcounting. Is this something that can be done
at the user level? Or are you proposing a fix to StrongSwan internals?</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">2. The below up/down logic still seems erroneous, let me explain by way of example. Note that I’m using the default up/down script in /usr/libexec/strongswan/_updown as provided by StrongSwan.</div>
<div class=""><br class="">
</div>
<div class="">2a. First, the initiator establishes the IPsec tunnel at 17:23:49 with the responder. Here are the log file entries. Note that there are no errors in the log, that is, the up/down script correctly installs the iptables entries correctly at
17:23:49.</div>
<div class=""><br class="">
</div>
<div class="">
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:46 initiator charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.0, Linux 2.6.32-504.el6.x86_64, x86_64)</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:46 initiator charon: 00[LIB] openssl FIPS mode(2) - enabled</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:46 initiator charon: 00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:46 initiator charon: 00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:46 initiator charon: 00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:46 initiator charon: 00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:46 initiator charon: 00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:46 initiator charon: 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:46 initiator charon: 00[CFG] loaded IKE secret for %any</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:46 initiator charon: 00[CFG] loaded EAP secret for my-user</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:46 initiator charon: 00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac ctr ccm curl attr kernel-netlink
resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:46 initiator charon: 00[JOB] spawning 16 worker threads</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:46 initiator charon: 06[CFG] received stroke: add connection 'dm-psk'</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:46 initiator charon: 06[CFG] left nor right host is our side, assuming left=local</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:46 initiator charon: 06[CFG] added configuration 'dm-psk'</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:46 initiator charon: 09[CFG] received stroke: add connection 'dm-pki'</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:46 initiator charon: 09[CFG] left nor right host is our side, assuming left=local</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:46 initiator charon: 09[LIB] opening '/etc/strongswan/ipsec.d/certs/czsecgw-client.crt' failed: No such file or directory</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:46 initiator charon: 09[LIB] building CRED_CERTIFICATE - ANY failed, tried 1 builders</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:46 initiator charon: 09[CFG] loading certificate from 'czsecgw-client.crt' failed</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:46 initiator charon: 09[CFG] added configuration 'dm-pki'</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:48 initiator charon: 05[CFG] received stroke: initiate 'dm-psk'</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:48 initiator charon: 08[IKE] initiating IKE_SA dm-psk[1] to re.sp.on.der</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:48 initiator charon: 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:48 initiator charon: 08[NET] sending packet: from 10.0.1.36[500] to re.sp.on.der[500] (1436 bytes)</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:48 initiator charon: 06[NET] received packet: from re.sp.on.der[500] to 10.0.1.36[500] (456 bytes)</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:48 initiator charon: 06[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:48 initiator charon: 06[IKE] local host is behind NAT, sending keep alives</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:48 initiator charon: 06[IKE] remote host is behind NAT</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:48 initiator charon: 06[IKE] authentication of 'my-user' (myself) with pre-shared key</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:48 initiator charon: 06[IKE] establishing CHILD_SA dm-psk</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:48 initiator charon: 06[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(AUTH_FOLLOWS) ]</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:48 initiator charon: 06[NET] sending packet: from 10.0.1.36[4500] to re.sp.on.der[4500] (428 bytes)</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:48 initiator charon: 10[NET] received packet: from re.sp.on.der[4500] to 10.0.1.36[4500] (124 bytes)</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:48 initiator charon: 10[ENC] parsed IKE_AUTH response 1 [ IDr AUTH ]</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:48 initiator charon: 10[IKE] authentication of '<a href="http://resonder.domain.com" class="">resonder.domain.com</a>' with pre-shared key successful</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:48 initiator charon: 10[ENC] generating IKE_AUTH request 2 [ IDi ]</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:48 initiator charon: 10[NET] sending packet: from 10.0.1.36[4500] to re.sp.on.der[4500] (76 bytes)</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:48 initiator charon: 09[NET] received packet: from re.sp.on.der[4500] to 10.0.1.36[4500] (92 bytes)</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:48 initiator charon: 09[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/GTC ]</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:48 initiator charon: 09[IKE] server requested EAP_GTC authentication (id 0x24)</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:48 initiator charon: 09[ENC] generating IKE_AUTH request 3 [ EAP/RES/GTC ]</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:48 initiator charon: 09[NET] sending packet: from 10.0.1.36[4500] to re.sp.on.der[4500] (92 bytes)</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:49 initiator charon: 11[NET] received packet: from re.sp.on.der[4500] to 10.0.1.36[4500] (76 bytes)</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:49 initiator charon: 11[ENC] parsed IKE_AUTH response 3 [ EAP/SUCC ]</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:49 initiator charon: 11[IKE] EAP method EAP_GTC succeeded, no MSK established</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:49 initiator charon: 11[IKE] authentication of 'my-user' (myself) with EAP</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:49 initiator charon: 11[ENC] generating IKE_AUTH request 4 [ AUTH ]</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:49 initiator charon: 11[NET] sending packet: from 10.0.1.36[4500] to re.sp.on.der[4500] (92 bytes)</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:49 initiator charon: 12[NET] received packet: from re.sp.on.der[4500] to 10.0.1.36[4500] (300 bytes)</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:49 initiator charon: 12[ENC] parsed IKE_AUTH response 4 [ AUTH CPRP(ADDR U_SPLITINC U_LOCALLAN DNS U_DEFDOM DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:49 initiator charon: 12[IKE] authentication of '<a href="http://resonder.domain.com" class="">resonder.domain.com</a>' with EAP successful</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:49 initiator charon: 12[IKE] IKE_SA dm-psk[1] established between 10.0.1.36[my-user]...re.sp.on.der[<a href="http://resonder.domain.com" class="">resonder.domain.com</a>]</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:49 initiator charon: 12[IKE] scheduling reauthentication in 9837s</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:49 initiator charon: 12[IKE] maximum IKE_SA lifetime 10377s</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:49 initiator charon: 12[CFG] handling UNITY_SPLIT_INCLUDE attribute failed</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:49 initiator charon: 12[CFG] handling UNITY_LOCAL_LAN attribute failed</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:49 initiator charon: 12[IKE] installing DNS server 10.8.194.96 to /etc/resolv.conf</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:49 initiator charon: 12[CFG] handling UNITY_DEF_DOMAIN attribute failed</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:49 initiator charon: 12[IKE] installing DNS server 10.8.194.96 to /etc/resolv.conf</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:49 initiator charon: 12[IKE] installing new virtual IP 10.255.252.2</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:49 initiator charon: 12[IKE] CHILD_SA dm-psk{1} established with SPIs cbbf0a75_i 0d8253d3_o and TS 10.255.252.2/32 === 10.8.192.0/19</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Nov 11 17:23:49 initiator vpn: + <a href="http://resonder.domain.com" class="">resonder.domain.com</a> 10.8.192.0/19 == re.sp.on.der -- 10.0.1.36 == 10.255.252.2/32</div>
<div style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227); min-height: 14px;" class="">
<div style="margin: 0px; line-height: normal;" class="">Nov 11 17:23:49 initiator charon: 12[IKE] received AUTH_LIFETIME of 9844s, scheduling reauthentication in 9304s</div>
<div style="margin: 0px; line-height: normal;" class="">Nov 11 17:23:49 initiator charon: 12[IKE] peer supports MOBIKE</div>
</div>
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">2b. At 20:02:51, the re-authentication of IKE_SA begins and at 20:02:52, the CHILD_SA dm-psk{5} is established. Immediately after that, the updown script is called with event up-client:iptables. However, all the iptables commands fail. This
is the exact same code that succeeded at tunnel creation time (17:23:49) so it must be the case that StrongSwan has changed the environment so that the iptables commands fail. After all, why re-install iptables rules that are already correctly installed?
</div>
<div class=""><br class="">
</div>
<div class="">Shortly afterward, still at 20:02:51, the updown script is called a second time with event down-client:iptables. Again, the environment is set such that the iptables commands fail. If they succeeded, the commands would remove all of the tunnel
routing and the tunnel would effectively be down, which is the purpose of the down event. Then Charon removes the DNS entry on the initiator. The tunnel is still up but now the initiator has now lost DNS.</div>
<div class=""><br class="">
</div>
<div class="">Why make updown script calls at all in the make-before-break case? If they’re needed, why make the up call before the down call?</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">
<div class="">
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:51 initiator charon: 07[IKE] reauthenticating IKE_SA dm-psk[1]</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:51 initiator charon: 07[IKE] installing new virtual IP 10.255.252.2</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:51 initiator charon: 07[IKE] initiating IKE_SA dm-psk[2] to re.sp.on.der</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:51 initiator charon: 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:51 initiator charon: 07[NET] sending packet: from 10.0.1.36[4500] to re.sp.on.der[4500] (1436 bytes)</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:51 initiator charon: 04[NET] received packet: from re.sp.on.der[4500] to 10.0.1.36[4500] (456 bytes)</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:51 initiator charon: 04[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:51 initiator charon: 04[IKE] local host is behind NAT, sending keep alives</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:51 initiator charon: 04[IKE] remote host is behind NAT</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:51 initiator charon: 04[IKE] authentication of 'my-user' (myself) with pre-shared key</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:51 initiator charon: 04[IKE] establishing CHILD_SA dm-psk</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:51 initiator charon: 04[ENC] generating IKE_AUTH request 1 [ IDi IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(AUTH_FOLLOWS) ]</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:51 initiator charon: 04[NET] sending packet: from 10.0.1.36[4500] to re.sp.on.der[4500] (428 bytes)</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:51 initiator charon: 06[NET] received packet: from re.sp.on.der[4500] to 10.0.1.36[4500] (124 bytes)</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:51 initiator charon: 06[ENC] parsed IKE_AUTH response 1 [ IDr AUTH ]</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:51 initiator charon: 06[IKE] authentication of '<a href="http://responder.domain.com" class="">responder.domain.com</a>' with pre-shared key successful</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:51 initiator charon: 06[ENC] generating IKE_AUTH request 2 [ IDi ]</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:51 initiator charon: 06[NET] sending packet: from 10.0.1.36[4500] to re.sp.on.der[4500] (76 bytes)</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:51 initiator charon: 13[NET] received packet: from re.sp.on.der[4500] to 10.0.1.36[4500] (92 bytes)</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:51 initiator charon: 13[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/GTC ]</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:51 initiator charon: 13[IKE] server requested EAP_GTC authentication (id 0x79)</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:51 initiator charon: 13[ENC] generating IKE_AUTH request 3 [ EAP/RES/GTC ]</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:51 initiator charon: 13[NET] sending packet: from 10.0.1.36[4500] to re.sp.on.der[4500] (92 bytes)</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:51 initiator charon: 09[NET] received packet: from re.sp.on.der[4500] to 10.0.1.36[4500] (76 bytes)</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:51 initiator charon: 09[ENC] parsed IKE_AUTH response 3 [ EAP/SUCC ]</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:51 initiator charon: 09[IKE] EAP method EAP_GTC succeeded, no MSK established</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:51 initiator charon: 09[IKE] authentication of 'my-user' (myself) with EAP</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:51 initiator charon: 09[ENC] generating IKE_AUTH request 4 [ AUTH ]</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:51 initiator charon: 09[NET] sending packet: from 10.0.1.36[4500] to re.sp.on.der[4500] (92 bytes)</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:52 initiator charon: 15[NET] received packet: from re.sp.on.der[4500] to 10.0.1.36[4500] (300 bytes)</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:52 initiator charon: 15[ENC] parsed IKE_AUTH response 4 [ AUTH CPRP(ADDR U_SPLITINC U_LOCALLAN DNS U_DEFDOM DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:52 initiator charon: 15[IKE] authentication of '<a href="http://responder.domain.com" class="">responder.domain.com</a>' with EAP successful</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:52 initiator charon: 15[IKE] IKE_SA dm-psk[2] established between 10.0.1.36[my-user]...re.sp.on.der[<a href="http://responder.domain.com" class="">responder.domain.com</a>]</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:52 initiator charon: 15[IKE] scheduling reauthentication in 10092s</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:52 initiator charon: 15[IKE] maximum IKE_SA lifetime 10632s</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:52 initiator charon: 15[CFG] handling UNITY_SPLIT_INCLUDE attribute failed</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:52 initiator charon: 15[CFG] handling UNITY_LOCAL_LAN attribute failed</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:52 initiator charon: 15[IKE] installing DNS server 10.8.194.96 to /etc/resolv.conf</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:52 initiator charon: 15[CFG] handling UNITY_DEF_DOMAIN attribute failed</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:52 initiator charon: 15[IKE] installing DNS server 10.8.194.96 to /etc/resolv.conf</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:52 initiator charon: 15[IKE] installing new virtual IP 10.255.252.2</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:52 initiator charon: 15[IKE] CHILD_SA dm-psk{5} established with SPIs ce54cd29_i 759cb598_o and TS 10.255.252.2/32 === 10.8.192.0/19</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:52 initiator charon: 15[CHD] updown: /usr/libexec/strongswan/_updown: line 300: iptables: command not found</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:52 initiator charon: 15[CHD] updown: /usr/libexec/strongswan/_updown: line 303: iptables: command not found</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:52 initiator charon: 15[CHD] updown: /usr/libexec/strongswan/_updown: line 312: iptables: command not found</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:52 initiator charon: 15[CHD] updown: /usr/libexec/strongswan/_updown: line 315: iptables: command not found</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:52 initiator vpn: + <a href="http://responder.domain.com" class="">responder.domain.com</a> 10.8.192.0/19 == re.sp.on.der -- 10.0.1.36 == 10.255.252.2/32</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:52 initiator charon: 15[IKE] received AUTH_LIFETIME of 9930s, scheduling reauthentication in 9390s</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:52 initiator charon: 15[IKE] peer supports MOBIKE</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:52 initiator charon: 10[IKE] deleting IKE_SA dm-psk[1] between 10.0.1.36[my-user]...re.sp.on.der[<a href="http://responder.domain.com" class="">responder.domain.com</a>]</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:52 initiator charon: 10[IKE] sending DELETE for IKE_SA dm-psk[1]</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:52 initiator charon: 10[ENC] generating INFORMATIONAL request 12 [ D ]</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:52 initiator charon: 10[NET] sending packet: from 10.0.1.36[4500] to re.sp.on.der[4500] (76 bytes)</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:52 initiator charon: 14[NET] received packet: from re.sp.on.der[4500] to 10.0.1.36[4500] (76 bytes)</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:52 initiator charon: 14[ENC] parsed INFORMATIONAL response 12 [ ]</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:52 initiator charon: 14[IKE] IKE_SA deleted</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:52 initiator charon: 14[CHD] updown: /usr/libexec/strongswan/_updown: line 348: iptables: command not found</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:52 initiator charon: 14[CHD] updown: /usr/libexec/strongswan/_updown: line 352: iptables: command not found</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:52 initiator charon: 14[CHD] updown: /usr/libexec/strongswan/_updown: line 362: iptables: command not found</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:52 initiator charon: 14[CHD] updown: /usr/libexec/strongswan/_updown: line 366: iptables: command not found</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:52 initiator vpn: - <a href="http://responder.domain.com" class="">responder.domain.com</a> 10.8.192.0/19 == re.sp.on.der -- 10.0.1.36 == 10.255.252.2/32</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:52 initiator charon: 14[IKE] removing DNS server 10.8.194.96 from /etc/resolv.conf</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:52 initiator charon: 14[IKE] removing DNS server 10.8.194.96 from /etc/resolv.conf</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:52 initiator charon: 14[IKE] removing DNS server 10.8.194.96 from /etc/resolv.conf</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:02:52 initiator charon: 14[IKE] removing DNS server 10.8.194.96 from /etc/resolv.conf</div>
</div>
<div class="">
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:03:15 initiator charon: 11[IKE] sending keep alive to re.sp.on.der[4500]</div>
<div class="" style="margin: 0px; line-height: normal; font-family: Courier; background-color: rgb(226, 225, 227);">
Nov 11 20:03:22 initiator charon: 04[IKE] sending DPD request</div>
<div class=""><br class="">
</div>
</div>
</div>
<div class=""><br class="">
</div>
<br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Nov 18, 2015, at 4:18 AM, Tobias Brunner <<a href="mailto:tobias@strongswan.org" class="">tobias@strongswan.org</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class="">Hi Ken,<br class="">
<br class="">
<blockquote type="cite" class="">Questions<br class="">
<br class="">
1. How to prevent Charon from removing the name server configuration<br class="">
from /etc/resolv.conf in the IKE_SA re-authentication case?<br class="">
</blockquote>
<br class="">
You currently can't. I guess the resolve plugin could do some<br class="">
refcounting for installed DNS servers (like we do for virtual IPs in<br class="">
other plugins), which would work around that problem.<br class="">
<br class="">
<blockquote type="cite" class="">2. Why does the up/down script get invoked during IKE_SA<br class="">
re-authentication? When “make before break” is enabled, the up/down<br class="">
script invocation seems backward/awkward. That is, up/down is invoked<br class="">
with an ‘up’ notification at the initial establishment of the tunnel,<br class="">
then again with a second ‘up’ notification during the “make before<br class="">
break”, then finally with a ‘down’ notification even though the tunnel<br class="">
is up?!?<br class="">
</blockquote>
<br class="">
Reauthentication in IKEv2 creates a new IKE_SA and a new set of the<br class="">
already existing CHILD_SAs. Either the old stuff gets torn down first<br class="">
(break-before-make) or that's done after completing the new stuff<br class="">
(make-before-break). Since every CHILD_SA gets an "up" event when it is<br class="">
installed, and a "down" event when it is uninstalled, what you see is a<br class="">
logical consequence. There is no relationship between the SAs unlike<br class="">
when rekeying is used (where these events are suppressed), so you get an<br class="">
initial "up" then an "up" for the newly created SA and then a "down" for<br class="">
the old SA. While a client that initiates a make-before-break<br class="">
reauthentication could probably pretend there is some kind of<br class="">
relationship between these SAs, a server can't do that without using<br class="">
heuristics to detect reauthentications, like the ones we use for IKEv1<br class="">
(which might not always work as expected). If you don't _need_<br class="">
reauthentication you should probably use rekeying instead.<br class="">
<br class="">
<blockquote type="cite" class="">3. Aside: why does /usr/libexec/strongswan/_updown fail to find iptables?<br class="">
</blockquote>
<br class="">
No idea. Perhaps your PATH does not include its location or the user<br class="">
has no permission to access it (or perhaps due to some hardening<br class="">
mechanism like SELinux/AppArmor).<br class="">
<br class="">
Regards,<br class="">
Tobias<br class="">
<br class="">
</div>
</div>
</blockquote>
</div>
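<div class="">The "up, up, down" event sequence Tobias describes for a make-before-break reauthentication, replayed through a refcounted up/down handler. This is an added example and not strongSwan's _updown script nor code from either mail: it takes the verb and connection name as arguments (the stock script reads PLUTO_VERB and PLUTO_CONNECTION), records rule installs and removals instead of calling iptables, and keeps a per-connection counter in a state directory assumed to be writable by charon, so only the first "up" installs rules and only the last "down" removes them. It also prepends /sbin and /usr/sbin to PATH, which is Tobias's guess for the "iptables: command not found" lines at 348 to 366 of _updown.</div>

```shell
#!/bin/sh
# Refcounted up/down handler (constructed example, not strongSwan's _updown).
# The real script gets the event in PLUTO_VERB and the connection name in
# PLUTO_CONNECTION; here both are passed as arguments so the logic can be
# exercised without charon. A per-connection counter makes the "up, up, down"
# sequence of a make-before-break reauthentication leave the firewall rules
# (or DNS entries) that the new CHILD_SA still needs in place.
set -eu

# Tobias's guess for "iptables: command not found": charon's PATH lacks the
# sbin directories. Put them first before anything else runs.
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH:-}"
export PATH

# have_tool NAME -> exit status 0 if NAME is executable on PATH, 1 otherwise.
have_tool() {
    command -v "$1" >/dev/null 2>&1
}

# Where the counters live. Assumption: in production this is a root-only
# directory such as /var/run/strongswan that charon can write to; for a
# stand-alone run a temporary directory is used.
STATE_DIR="${UPDOWN_STATE_DIR:-$(mktemp -d)}"

# refcount_get CONN -> prints the current count for CONN (0 if none).
refcount_get() {
    f="$STATE_DIR/$1.refs"
    if [ -f "$f" ]; then cat "$f"; else echo 0; fi
}

# Stand-ins for the iptables calls in _updown: the action is printed rather
# than executed so the sequence can be checked.
install_rules()   { echo "install $1"; }
uninstall_rules() { echo "uninstall $1"; }

# updown_handle VERB CONN -> prints the action taken: "install" on the first
# up, "hold" on further ups, "release" on a down that leaves an SA behind,
# "uninstall" on the last down.
updown_handle() {
    verb="$1"; conn="$2"
    f="$STATE_DIR/$conn.refs"
    n=$(refcount_get "$conn")
    case "$verb" in
        up-client|up-host)
            n=$((n + 1)); echo "$n" > "$f"
            if [ "$n" -eq 1 ]; then install_rules "$conn"; else echo "hold $conn"; fi ;;
        down-client|down-host)
            if [ "$n" -le 1 ]; then rm -f "$f"; uninstall_rules "$conn"
            else n=$((n - 1)); echo "$n" > "$f"; echo "release $conn"; fi ;;
        *) echo "ignore $conn" ;;
    esac
}

# reauth_sequence [CONN] -> replays the thread's events: initial up, up for
# the reauthenticated SA, down for the old SA, then a final down when the
# tunnel really goes away. Prints the four actions separated by "|".
reauth_sequence() {
    conn="${1:-responder}"
    a=$(updown_handle up-client "$conn")
    b=$(updown_handle up-client "$conn")
    c=$(updown_handle down-client "$conn")
    d=$(updown_handle down-client "$conn")
    echo "$a|$b|$c|$d"
}
```

<div class="">With the counter in place the "down" for the old SA only releases a reference, so the rules installed by the first "up" survive until the last CHILD_SA is gone. The same counter would serve the resolv.conf entries, which is the refcounting Tobias mentions for the resolve plugin; note that a server side handler still cannot tell a reauthentication from an unrelated second connection, so the counter is keyed on the connection name only.</div>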
<br class="">
</body>
</html>