<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>I've noticed that on some of my strongswan servers, overtime clients begin to start having trouble connecting to 1 of the three connections defined in the ipsec.conf file. If I restart the ipsec server, clients have no trouble connecting anymore.<div><br></div><div>I am using strongswan version 5.04 on ubuntu 12.04.</div><div><br></div><div>Below is my configuration and the relevant errors and success logs (sanitized to an extent)</div><div><br></div><div>Does anyone have any idea what could be causing this?<br><br><div># ipsec.conf - strongSwan IPsec configuration file</div><div><br></div><div># basic configuration</div><div><br></div><div>config setup</div><div> charondebug="dmn 1, mgr 1, ike 1, chd 1, job 1, cfg 1, knl 1, net 1, asn 1, enc 1, lib 1, esp 1, tls 1"</div><div> #plutodebug=all</div><div> # crlcheckinterval=600</div><div> strictcrlpolicy=no</div><div> # cachecrls=yes</div><div> # charondebug=4</div><div> nat_traversal=yes</div><div> #charonstart=no</div><div> #plutostart=no</div><div><br></div><div>ca servers</div><div> auto=add</div><div><br></div><div>conn %default</div><div> ikelifetime=60m</div><div> keylife=20m</div><div> rekeymargin=3m</div><div> keyingtries=1</div><div> keyexchange=ikev1</div><div> auto=add</div><div><br></div><div>conn iphone-general</div><div> keyexchange=ikev1</div><div> rightauth=pubkey</div><div> rightauth2=xauth-pam</div><div> left=%defaultroute</div><div> leftid=@domain.name3</div><div> leftsubnet=0.0.0.0/0</div><div> leftfirewall=no</div><div> leftcert=defaultCert.pem</div><div> right=%any</div><div> rightsubnet=10.253.0.0/16</div><div> rightsourceip=10.253.0.0/16</div><div> # Require all subject fields to be matched by star</div><div> # As well as CA's pull in</div><div> rightid="C=DEF, ST=*, L=*, O=*, CN=*, E=*"</div><div> fragmentation=yes</div><div> auto=add</div><div> # Dead peer detection can cause issue</div><div> # resulting in hanging connections for iOS</div><div> # Not sure on the root cause of why though</div><div> # dpddelay=30</div><div> # dpdtimeout=120</div><div> # dpdaction=clear</div><div><br></div><div>conn iphone-geo</div><div> keyexchange=ikev1</div><div> rightauth=pubkey</div><div> rightauth2=xauth-pam</div><div> left=%defaultroute</div><div> leftid=@domain.name2</div><div> leftsubnet=0.0.0.0/0</div><div> leftfirewall=no</div><div> leftcert=geoCert.pem</div><div> right=%any</div><div> rightsubnet=10.255.0.0/16</div><div> rightsourceip=10.255.0.0/16</div><div> # Require all subject fields to be matched by star</div><div> # As well as CA's pull in</div><div> rightid="C=US, ST=*, L=*, O=*, CN=*, E=*"</div><div> fragmentation=yes</div><div> auto=add</div><div><br></div><div><br></div><div>conn iphone-ios8</div><div> keyexchange=ikev1</div><div> rightauth=pubkey</div><div> rightauth2=xauth-pam</div><div> left=%defaultroute</div><div> leftid=@domain.name</div><div> leftsubnet=0.0.0.0/0</div><div> leftfirewall=no</div><div> leftcert=ios8.pem</div><div> right=%any</div><div> rightsubnet=10.251.0.0/16</div><div> rightsourceip=10.251.0.0/16</div><div> # Require all subject fields to be matched by star</div><div> # As well as CA's pull in</div><div> rightid="C=*, ST=*, L=*, O=*, CN=*, E=*"</div><div> fragmentation=yes</div><div> auto=add</div><div><br></div><div><br></div><div>Logs from client where it fails to validate the signature.</div><div><br></div><div><div>Dec 1 17:24:58 vagrant-ubuntu-precise-64 charon: 04[CFG] checking certificate status of "C=CA, ST=state, L=city, O=Company, CN=ipsec.Company.mobi, E=ops@Company.com"</div><div>Dec 1 17:24:58 vagrant-ubuntu-precise-64 charon: 04[CFG] certificate status is not available</div><div>Dec 1 17:24:58 vagrant-ubuntu-precise-64 charon: 04[CFG] using trusted ca certificate "C=CA, ST=state, L=city, O=Company, CN=Company CA, E=ops@Company.com"</div><div>Dec 1 17:24:58 vagrant-ubuntu-precise-64 charon: 04[CFG] checking certificate status of "C=CA, ST=state, O=Company, CN=Company Intermediate CA, E=ops@Company.com"</div><div>Dec 1 17:24:58 vagrant-ubuntu-precise-64 charon: 04[CFG] certificate status is not available</div><div>Dec 1 17:24:58 vagrant-ubuntu-precise-64 charon: 04[CFG] reached self-signed root ca with a path length of 1</div><div>Dec 1 17:24:58 vagrant-ubuntu-precise-64 charon: 04[IKE] signature validation failed, looking for another key</div><div>Dec 1 17:24:58 vagrant-ubuntu-precise-64 charon: 04[IKE] no trusted RSA public key found for 'ipsec.Company.mobi'</div><div>Dec 1 17:24:58 vagrant-ubuntu-precise-64 charon: 04[IKE] deleting IKE_SA client[1] between 10.0.2.15[C=DEF, ST=state, L=city, O=Company, CN=sprinkler_server, E=josh+6474474654226372364145163867877661111424@Company.com]...23.105.140.23[ipsec.company.mobi]</div><div>Dec 1 17:24:58 vagrant-ubuntu-precise-64 charon: 04[IKE] sending DELETE for IKE_SA client[1]</div></div><div><br></div><div>Logs from after restart where it connections without an issue.</div><div><div>Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 04[CFG] certificate status is not available</div><div>Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 04[CFG] reached self-signed root ca with a path length of 0</div><div>Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 04[CFG] using trusted certificate "C=DEF, ST=state, L=city, O=Company, CN=sprinkler_server, E=josh+6474474654226372364145163867877661111424@Company.com"</div><div>Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 04[IKE] signature validation failed, looking for another key</div><div>Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 04[CFG] using certificate "C=CA, ST=state, L=city, O=Company, CN=ipsec.Company.mobi, E=ops@Company.com"</div><div>Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 04[CFG] using trusted intermediate ca certificate "C=CA, ST=state, O=Company, CN=Company Intermediate CA, E=ops@Company.com"</div><div>Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 04[CFG] checking certificate status of "C=CA, ST=state, L=city, O=Company, CN=ipsec.Company.mobi, E=ops@Company.com"</div><div>Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 04[CFG] certificate status is not available</div><div>Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 04[CFG] using trusted ca certificate "C=CA, ST=state, L=city, O=Company, CN=Company CA, E=ops@Company.com"</div><div>Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 04[CFG] checking certificate status of "C=CA, ST=state, O=Company, CN=Company Intermediate CA, E=ops@Company.com"</div><div>Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 04[CFG] certificate status is not available</div><div>Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 04[CFG] reached self-signed root ca with a path length of 1</div><div>Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 04[IKE] authentication of 'ipsec.Company.mobi' with RSA successful</div><div>Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 05[NET] received packet: from 23.105.140.23[4500] to 10.0.2.15[4500] (76 bytes)</div><div>Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 05[ENC] parsed TRANSACTION request 1975513490 [ HASH CP ]</div><div>Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 05[ENC] generating TRANSACTION response 1975513490 [ HASH CP ]</div><div>Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 05[NET] sending packet: from 10.0.2.15[4500] to 23.105.140.23[4500] (188 bytes)</div><div>Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 03[NET] received packet: from 23.105.140.23[4500] to 10.0.2.15[4500] (76 bytes)</div><div>Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 03[ENC] parsed TRANSACTION request 948789398 [ HASH CP ]</div><div>Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 03[IKE] XAuth authentication of '65a6f50cc061eef61b8846223b2fd3b55d28c1c1' (myself) successful</div><div>Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 03[IKE] IKE_SA client[1] established between 10.0.2.15[C=DEF, ST=state, L=city, O=Company, CN=sprinkler_server, E=josh+6474474654226372364145163867877661111424@Company.com]...23.105.140.23[ipsec.Company.mobi]</div></div><br><hr style="width:100%;height:2px;"><br><br><br>Joshua J. Gross<br></div> </div></body>
</html>