<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO8859_1">
</head>
<body>
<br>
<br>
<div class="moz-cite-prefix">On 3/3/2020 4:09 AM, Michael
Schwartzkopff wrote:<br>
</div>
<blockquote type="cite"
cite="mid:39f6dd00-6153-19b3-71ac-dc10e5adbd36@sys4.de">
<pre class="moz-quote-pre" wrap="">On 26.02.20 23:50, Mark wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">Hi,
I have a couple of random-seeming problems between Meraki MX devices and
Strongswan via pfsense, and I'm at a bit of a loss on how to gather more
information. Hoping for some pointers here.
Thanks
Mark
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
Please send logs of both sides during an outage.
Kind regards,
</pre>
</blockquote>
Sure, <br>
<br>
Part of my problem is how sparse the logs on the Meraki side are.<br>
<br>
<br>
<div style="">
<div>This is the lone log entry relating to the SPI that
strongswan says was just rekeyed, and it comes about 30 seconds
after the rekey. And the Meraki attributes this to the wrong
port, 500. I've confirmed in packet captures that there are no
packets leaving the strongswan machine on port 500 at this time.<br>
<br>
I don't see an IPSEC-SA Established message for this SPI.<br>
</div>
<div><br>
</div>
<div>
<div>
<table class="filter compact fill" style="border-spacing: 0px; font-size: 11px;">
<thead>
<tr>
<th>Time</th>
<th>Client</th>
<th>Type</th>
<th>Details</th>
</tr>
</thead>
<tbody class="flex-table-body">
<tr class="ft1">
<td class="ft notranslate el_time">Feb 19 13:22:05</td>
<td class="ft notranslate el_client"><br></td>
<td class="ft el_type"><span data-type="vpn">Non-Meraki / Client VPN negotiation</span></td>
<td class="ft notranslate el_details">msg: IPsec-SA expired: ESP/Tunnel StrongSwan[500]->Meraki[500] spi=70683595(0x4368bcb)</td>
</tr>
</tbody>
</table>
</div>
</div>
<div><br>
</div>
<div><br>
</div>
<div>On the pfsense side, I see </div>
<div><br>
</div>
<div><br>
</div>
<div>
<div id="xf9ac7df96e11434fa5a5e1ad281b6f03">
<div class="plain" style="zoom: 0.9;"><tt
style="word-wrap:break-word">
<div class="plain_line">Feb 19 13:21:35 pfsense charon:
16[CHD] <con41000|3509> CHILD_SA con41000{27919}
state change: INSTALLED => REKEYING</div>
<div class="plain_line">Feb 19 13:21:35 pfsense charon:
16[IKE] <con41000|3509> queueing QUICK_MODE task</div>
<div class="plain_line">Feb 19 13:21:35 pfsense charon:
16[IKE] <con41000|3509> activating new tasks</div>
<div class="plain_line">Feb 19 13:21:35 pfsense charon:
16[IKE] <con41000|3509> activating QUICK_MODE task</div>
<div class="plain_line">Feb 19 13:21:35 pfsense charon:
16[ENC] <con41000|3509> generating QUICK_MODE
request 2820287288 [ HASH SA No ID ID ]</div>
<div class="plain_line">Feb 19 13:21:35 pfsense charon:
16[NET] <con41000|3509> sending packet: from
StrongSwan[4500] to Meraki[4500] (188 bytes)</div>
<div class="plain_line">Feb 19 13:21:35 pfsense charon:
16[NET] <con41000|3509> received packet: from
Meraki[4500] to StrongSwan[4500] (172 bytes)</div>
<div class="plain_line">Feb 19 13:21:35 pfsense charon:
16[ENC] <con41000|3509> parsed QUICK_MODE response
2820287288 [ HASH SA No ID ID ]</div>
<div class="plain_line">Feb 19 13:21:35 pfsense charon:
16[CFG] <con41000|3509> selected proposal:
ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ</div>
<div class="plain_line">Feb 19 13:21:35 pfsense charon:
16[CHD] <con41000|3509> CHILD_SA con41000{27976}
state change: CREATED => INSTALLING</div>
<div class="plain_line">Feb 19 13:21:35 pfsense charon:
16[CHD] <con41000|3509> using AES_CBC for
encryption</div>
<div class="plain_line">Feb 19 13:21:35 pfsense charon:
16[CHD] <con41000|3509> using HMAC_SHA1_96 for
integrity</div>
<div class="plain_line">Feb 19 13:21:35 pfsense charon:
16[CHD] <con41000|3509> adding inbound ESP SA</div>
<div class="plain_line">Feb 19 13:21:35 pfsense charon:
16[CHD] <con41000|3509> SPI 0xc57cb1e0, src Meraki
dst StrongSwan</div>
<div class="plain_line">Feb 19 13:21:35 pfsense charon:
16[CHD] <con41000|3509> adding outbound ESP SA</div>
<div class="plain_line">Feb 19 13:21:35 pfsense charon:
16[CHD] <con41000|3509> SPI 0x04368bcb, src
StrongSwan dst Meraki</div>
<div class="plain_line">Feb 19 13:21:35 pfsense charon:
16[IKE] <con41000|3509> CHILD_SA con41000{27976}
established with SPIs c57cb1e0_i 04368bcb_o and TS
10.10.58.0/24|/0 === 10.41.1.0/24|/0</div>
<div class="plain_line">Feb 19 13:21:35 pfsense charon:
16[CHD] <con41000|3509> CHILD_SA con41000{27976}
state change: INSTALLING => INSTALLED</div>
<div class="plain_line">Feb 19 13:21:35 pfsense charon:
16[CHD] <con41000|3509> CHILD_SA con41000{27919}
state change: REKEYING => REKEYED</div>
<div class="plain_line">Feb 19 13:21:35 pfsense charon:
16[IKE] <con41000|3509> reinitiating already
active tasks</div>
<div class="plain_line">Feb 19 13:21:35 pfsense charon:
16[IKE] <con41000|3509> QUICK_MODE task</div>
<div class="plain_line">Feb 19 13:21:35 pfsense charon:
16[ENC] <con41000|3509> generating QUICK_MODE
request 2820287288 [ HASH ]</div>
<div class="plain_line">Feb 19 13:21:35 pfsense charon:
16[NET] <con41000|3509> sending packet: from
StrongSwan[4500] to Meraki[4500] (60 bytes)</div>
<div class="plain_line"><br>
</div>
<div class="plain_line">Feb 19 13:21:39 pfsense charon:
10[NET] <con41000|3509> received packet: from
Meraki[4500] to StrongSwan[4500] (92 bytes)</div>
<div class="plain_line">Feb 19 13:21:39 pfsense charon:
10[ENC] <con41000|3509> parsed INFORMATIONAL_V1
request 3697651456 [ HASH N(DPD) ]</div>
<div class="plain_line">Feb 19 13:21:39 pfsense charon:
10[IKE] <con41000|3509> queueing ISAKMP_DPD task</div>
<div class="plain_line">Feb 19 13:21:39 pfsense charon:
10[IKE] <con41000|3509> activating ISAKMP_DPD task</div>
<div class="plain_line">Feb 19 13:21:39 pfsense charon:
10[ENC] <con41000|3509> generating
INFORMATIONAL_V1 request 590966734 [ HASH N(DPD_ACK) ]</div>
<div class="plain_line">Feb 19 13:21:39 pfsense charon:
10[NET] <con41000|3509> sending packet: from
StrongSwan[4500] to Meraki[4500] (92 bytes)</div>
<div class="plain_line">Feb 19 13:21:45 pfsense charon:
13[IKE] <con41000|3509> sending DPD request</div>
<div class="plain_line">Feb 19 13:21:45 pfsense charon:
13[IKE] <con41000|3509> queueing ISAKMP_DPD task</div>
<div class="plain_line">Feb 19 13:21:45 pfsense charon:
13[IKE] <con41000|3509> activating new tasks</div>
<div class="plain_line">Feb 19 13:21:45 pfsense charon:
13[IKE] <con41000|3509> activating ISAKMP_DPD task</div>
<div class="plain_line">Feb 19 13:21:45 pfsense charon:
13[ENC] <con41000|3509> generating
INFORMATIONAL_V1 request 636601268 [ HASH N(DPD) ]</div>
<div class="plain_line">Feb 19 13:21:45 pfsense charon:
13[NET] <con41000|3509> sending packet: from
StrongSwan[4500] to Meraki[4500] (92 bytes)</div>
<div class="plain_line">Feb 19 13:21:45 pfsense charon:
13[IKE] <con41000|3509> activating new tasks</div>
<div class="plain_line">Feb 19 13:21:45 pfsense charon:
13[IKE] <con41000|3509> nothing to initiate</div>
<div class="plain_line">Feb 19 13:21:45 pfsense charon:
13[NET] <con41000|3509> received packet: from
Meraki[4500] to StrongSwan[4500] (172 bytes)</div>
<div class="plain_line">Feb 19 13:21:45 pfsense charon:
13[IKE] <con41000|3509> received retransmit of
response with ID 2820287288, but next request already
sent</div>
<div class="plain_line">Feb 19 13:21:45 pfsense charon:
13[NET] <con41000|3509> received packet: from
Meraki[4500] to StrongSwan[4500] (92 bytes)</div>
<div class="plain_line">Feb 19 13:21:45 pfsense charon:
13[ENC] <con41000|3509> parsed INFORMATIONAL_V1
request 2399362346 [ HASH N(DPD_ACK) ]<br>
<br>
At a network level, I'm wondering if a packet isn't
getting to the Meraki side. Perhaps a packet that is
supposed to confirm the establishment of the SPI. It's
very difficult to capture traffic on the Meraki side
when this problem is happening, so I can't confirm this.<br>
<br>
If anyone has any pointers on packet analysis for IPsec,
that would be appreciated.<br>
</div>
</tt></div>
</div>
</div>
</div>
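<div>Editor's added example (not code from the thread, strongSwan or Meraki): a small Python script that correlates the two logs quoted above by SPI and by Quick Mode message ID. The Meraki prints the SPI in decimal (70683595), charon in hex (04368bcb); they are the same outbound SA. It also flags the two things visible in the charon excerpt: the Meraki re-sent its Quick Mode reply (the 172-byte packet, message ID 2820287288) 10 seconds after charon had already sent the final HASH-only message, which in IKEv1 Quick Mode is the responder's behaviour when it has not received or processed message 3, and the peer then reported the SPI expired 30 seconds after charon installed it, attributed to UDP 500 although charon only sent on 4500. The sample log lines are a constructed subset of the ones posted above; the year 2020 for the year-less syslog timestamps, the hostnames StrongSwan/Meraki, and the wording of a Meraki "established" event are assumptions.</div>

```python
import re
from datetime import datetime

# Constructed sample input (added example, not from the original post): a subset of the
# charon lines and the single Meraki dashboard event quoted in the thread, with the
# hostnames exactly as they appear there.
CHARON_LOG = """\
Feb 19 13:21:35 pfsense charon: 16[ENC] <con41000|3509> generating QUICK_MODE request 2820287288 [ HASH SA No ID ID ]
Feb 19 13:21:35 pfsense charon: 16[NET] <con41000|3509> sending packet: from StrongSwan[4500] to Meraki[4500] (188 bytes)
Feb 19 13:21:35 pfsense charon: 16[NET] <con41000|3509> received packet: from Meraki[4500] to StrongSwan[4500] (172 bytes)
Feb 19 13:21:35 pfsense charon: 16[ENC] <con41000|3509> parsed QUICK_MODE response 2820287288 [ HASH SA No ID ID ]
Feb 19 13:21:35 pfsense charon: 16[IKE] <con41000|3509> CHILD_SA con41000{27976} established with SPIs c57cb1e0_i 04368bcb_o and TS 10.10.58.0/24|/0 === 10.41.1.0/24|/0
Feb 19 13:21:35 pfsense charon: 16[ENC] <con41000|3509> generating QUICK_MODE request 2820287288 [ HASH ]
Feb 19 13:21:35 pfsense charon: 16[NET] <con41000|3509> sending packet: from StrongSwan[4500] to Meraki[4500] (60 bytes)
Feb 19 13:21:45 pfsense charon: 13[NET] <con41000|3509> received packet: from Meraki[4500] to StrongSwan[4500] (172 bytes)
Feb 19 13:21:45 pfsense charon: 13[IKE] <con41000|3509> received retransmit of response with ID 2820287288, but next request already sent
"""
MERAKI_LOG = """\
Feb 19 13:22:05 Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Tunnel StrongSwan[500]->Meraki[500] spi=70683595(0x4368bcb)
"""

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
CHARON_RE = re.compile(TS + r" \S+ charon: \d+\[[A-Z]+\] <(?P<conn>[^>]+)> (?P<msg>.*)$")
ESTAB_RE = re.compile(r"CHILD_SA (?P<sa>\S+) established with SPIs (?P<spi_i>[0-9a-f]+)_i (?P<spi_o>[0-9a-f]+)_o")
QM_REQ_RE = re.compile(r"generating QUICK_MODE request (?P<mid>\d+) \[ (?P<payloads>.*?) \]")
SEND_RE = re.compile(r"sending packet: from \S+\[(?P<sport>\d+)\] to \S+\[(?P<dport>\d+)\]")
RETRANS_RE = re.compile(r"received retransmit of response with ID (?P<mid>\d+), but next request already sent")
# Assumed Meraki event wording: only "expired" is attested in the thread, "established" is assumed.
MERAKI_RE = re.compile(TS + r".*msg: IPsec-SA (?P<event>\w+): .*?\[(?P<sport>\d+)\]->\S*?\[(?P<dport>\d+)\] spi=(?P<spi>\d+)")


def parse_ts(text, year=2020):
    """Syslog timestamps carry no year; 2020 is assumed from the thread's dates."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def analyse(charon_log, meraki_log):
    """Correlate charon's IKEv1 log with the peer's sparse event log by SPI and by
    Quick Mode message ID. Returns structured results plus plain-text notes."""
    sas, qm, local_ports, notes = {}, {}, set(), []
    for line in charon_log.splitlines():
        m = CHARON_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        if e := ESTAB_RE.search(msg):
            # charon logs SPIs in hex; key on the outbound SPI, which is what the peer sees inbound
            sas[int(e["spi_o"], 16)] = {"name": e["sa"], "time": ts, "inbound": int(e["spi_i"], 16)}
        elif q := QM_REQ_RE.search(msg):
            rec = qm.setdefault(q["mid"], {"qm1": None, "qm3": None, "retrans_after_qm3": None})
            # Quick Mode message 3 carries only a HASH payload; message 1 carries the SA proposal
            rec["qm3" if q["payloads"] == "HASH" else "qm1"] = ts
        elif s := SEND_RE.search(msg):
            local_ports.add(int(s["sport"]))
        elif r := RETRANS_RE.search(msg):
            rec = qm.get(r["mid"])
            if rec and rec["qm3"] and ts >= rec["qm3"]:
                rec["retrans_after_qm3"] = ts
                notes.append(f"peer re-sent its Quick Mode reply for ID {r['mid']} "
                             f"{(ts - rec['qm3']).seconds}s after our final HASH message; "
                             "it likely never processed that message, so it may not have installed the SA")
    events = []
    for line in meraki_log.splitlines():
        m = MERAKI_RE.match(line)
        if not m:
            continue
        spi = int(m["spi"])  # the Meraki prints the SPI in decimal
        sa = sas.get(spi)
        events.append({"spi": spi, "event": m["event"], "time": parse_ts(m["ts"]),
                       "local_sa": sa["name"] if sa else None, "peer_port": int(m["sport"]),
                       "port_mismatch": int(m["sport"]) not in local_ports})
    established_on_peer = {e["spi"] for e in events if e["event"] == "established"}
    for ev in events:
        sa = sas.get(ev["spi"])
        if sa and ev["event"] == "expired" and ev["spi"] not in established_on_peer:
            notes.append(f"peer reports SPI {ev['spi']:#010x} ({sa['name']}) expired "
                         f"{(ev['time'] - sa['time']).seconds}s after charon installed it, "
                         "without ever logging it as established")
        if ev["port_mismatch"]:
            notes.append(f"peer attributes SPI {ev['spi']:#010x} to UDP port {ev['peer_port']}, "
                         f"but charon only sent from {sorted(local_ports)} (NAT-T)")
    return {"sas": sas, "quick_mode": qm, "peer_events": events, "notes": notes}


if __name__ == "__main__":
    for note in analyse(CHARON_LOG, MERAKI_LOG)["notes"]:
        print("-", note)
```

<div>Run over the lines above it prints three notes: the late retransmit of the Quick Mode reply, the peer-side expiry with no matching "established" event, and the 500-versus-4500 port discrepancy. The charon line "received retransmit of response with ID ..., but next request already sent" is the one to key on: the candidate for the packet that never reached the Meraki is the 60-byte HASH-only message charon sent on UDP 4500 at 13:21:35, so a capture on the pfsense WAN side filtered on udp port 4500 around that second (for example tcpdump -ni &lt;wan&gt; udp port 4500) would show whether it left the box and whether anything other than a retransmit came back.</div>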
</body>
</html>