<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Using StrongSwan v5.7.1 on an embedded Linux system, I have an IPsec network setup where multiple devices (workers) create tunnels to a single device (master). I’m having trouble with a scenario where, when a new device (worker) comes online and a tunnel is created to the master device, the previously connected tunnels go down. A dpdaction of restart on the previously connected tunnels will re-establish them, but then that new device’s tunnel goes down. This creates a loop where tunnels are continuously going down and up; the tunnels are never stable and all up at once. Running an `ipsec update` or `ipsec reload` on the master device does not change this tunnel down/up loop.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I’m using systemd to run the strongswan service. I’ve found that a `systemctl restart strongswan` on the master device will stop the continuous down/up of the tunnels. I can script the master device to run `systemctl restart strongswan` after new devices (workers) establish a tunnel; however, if one of the multiple devices (workers) happens to reboot, then after the reboot that device’s tunnel to the master device will cause all existing tunnels to the master to drop once again. Writing a service on the master device to detect when worker devices reboot and to restart strongswan is not as feasible.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Has anyone run into a similar issue and can suggest a good course of action to take? I’m not sure if I am missing something in my IPsec configuration. Any suggestions or feedback would be helpful and greatly appreciated!
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Here is what my ipsec.conf files look like on the master device and a worker device:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<pre># Master ipsec.conf
config setup
    strictcrlpolicy=no
    charondebug="ike 4, knl 4, cfg 2"
    uniqueids = no
conn %default
    rekey=no
    ike=aes256-sha256-modp2048
    esp=aes256-sha256-modp2048
    auto=start
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
conn tunnel10.207.15.85-10.207.15.70
    keyexchange=ikev2
    left=10.207.15.85
    leftsubnet=
    leftcert=peerCert.pem
    right=10.207.15.70
    rightsubnet=
    leftid="C=US, O=Vertiv, CN=peer"
    rightid="C=US, O=Vertiv, CN=peer"
conn tunnel10.96.0.1-10.207.15.70
    keyexchange=ikev2
    left=10.207.15.85
    leftsubnet=10.96.0.1
    leftcert=peerCert.pem
    right=10.207.15.70
    rightsubnet=
    leftid="C=US, O=Vertiv, CN=peer"
    rightid="C=US, O=Vertiv, CN=peer"
conn tunnel10.207.15.85-10.207.15.23
    keyexchange=ikev2
    left=10.207.15.85
    leftsubnet=
    leftcert=peerCert.pem
    right=10.207.15.23
    rightsubnet=
    leftid="C=US, O=Vertiv, CN=peer"
    rightid="C=US, O=Vertiv, CN=peer"
conn tunnel10.96.0.1-10.207.15.23
    keyexchange=ikev2
    left=10.207.15.85
    leftsubnet=10.96.0.1
    leftcert=peerCert.pem
    right=10.207.15.23
    rightsubnet=
    leftid="C=US, O=Vertiv, CN=peer"
    rightid="C=US, O=Vertiv, CN=peer"
</pre>
<p class="MsoNormal"><o:p> </o:p></p>
<pre># Worker ipsec.conf
config setup
    strictcrlpolicy=no
    charondebug="ike 4, knl 4, cfg 2"
    uniqueids = no
conn %default
    rekey=no
    ike=aes256-sha256-modp2048
    esp=aes256-sha256-modp2048
    auto=start
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
conn tunnel10.207.15.85-10.207.15.70
    keyexchange=ikev2
    right=10.207.15.85
    rightsubnet=
    left=10.207.15.70
    leftsubnet=
    leftcert=peerCert.pem
    leftid="C=US, O=Vertiv, CN=peer"
    rightid="C=US, O=Vertiv, CN=peer"
conn tunnel10.96.0.1-10.207.15.70
    keyexchange=ikev2
    right=10.207.15.85
    rightsubnet=10.96.0.1
    left=10.207.15.70
    leftsubnet=
    leftcert=peerCert.pem
    leftid="C=US, O=Vertiv, CN=peer"
    rightid="C=US, O=Vertiv, CN=peer"
</pre>
</div>
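<p class="MsoNormal">Added check (an editor's example, not code from the post or from strongSwan): every conn in the master ipsec.conf above carries the same leftid/rightid pair, <code>C=US, O=Vertiv, CN=peer</code>, so the master can tell the workers apart only by address, and the <code>uniqueids</code> setting then decides what happens to an existing IKE_SA when a peer with that same identity connects. The thread does not establish that this is the cause of the flapping, but it is the first thing to verify; the script parses a constructed excerpt of the master config (two of its four conns, with <code>conn %default</code> folded in) and reports conns that share an identity pair together with the effective <code>uniqueids</code> value.</p>

```python
from collections import defaultdict

# Constructed excerpt of the master ipsec.conf from the post (two of its four conns).
MASTER_CONF = """\
config setup
    uniqueids = no
conn %default
    dpdaction=restart
conn tunnel10.207.15.85-10.207.15.70
    keyexchange=ikev2
    left=10.207.15.85
    right=10.207.15.70
    leftid="C=US, O=Vertiv, CN=peer"
    rightid="C=US, O=Vertiv, CN=peer"
conn tunnel10.207.15.85-10.207.15.23
    keyexchange=ikev2
    left=10.207.15.85
    right=10.207.15.23
    leftid="C=US, O=Vertiv, CN=peer"
    rightid="C=US, O=Vertiv, CN=peer"
"""

def parse_ipsec_conf(text):
    """Return (setup, conns): the 'config setup' entries, and each conn's entries
    with 'conn %default' folded in (a conn's own value wins over the default)."""
    setup, sections, current = {}, {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                              # blank line or comment
        if not raw[0].isspace():                  # unindented: a section header
            kind, _, name = raw.strip().partition(" ")
            current = setup if kind == "config" else sections.setdefault(name, {})
            continue
        key, _, value = raw.strip().partition("=")
        current[key.strip()] = value.strip().strip('"')
    default = sections.pop("%default", {})
    return setup, {n: {**default, **s} for n, s in sections.items()}

def shared_identity_pairs(conns):
    """Map each (leftid, rightid) pair used by more than one conn to the sorted
    names of those conns; such peers are told apart by address only."""
    groups = defaultdict(list)
    for name, c in conns.items():
        groups[(c.get("leftid"), c.get("rightid"))].append(name)
    return {pair: sorted(names) for pair, names in groups.items() if len(names) > 1}

def check(text):
    setup, conns = parse_ipsec_conf(text)
    # strongSwan's default for uniqueids is 'yes': an existing IKE_SA with the
    # same peer identity is replaced when a new one is established.
    return {"uniqueids": setup.get("uniqueids", "yes"),
            "shared_ids": shared_identity_pairs(conns)}
```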
</body>
</html>