[strongSwan-dev] FreeBSD 10.0 road warrior re-authentication problem

David Shane Holden dpejesh@yahoo.com
Tue Jun 17 02:39:18 CEST 2014


Hey,

I've been experiencing a problem with re-authentication and tun devices. 
Both ends of the VPN are running strongSwan 5.2.0dr6 on FreeBSD 10.0, 
with one end configured as a road warrior.

static endpoint - ipsec.conf:
   config setup

   conn %default
     ikelifetime=480m
     keyexchange=ikev2
     keyingtries=1
     keylife=20m
     rekeymargin=3m

   conn vpn
     auto=add
     left=192.168.1.24
     leftauth=pubkey
     leftcert=vpn.example.com.pem
     leftid="CN=vpn.example.com"
     leftsubnet=192.168.1.0/24
     right=%any
     rightauth=pubkey
     rightid=%any
     rightsourceip=192.168.254.0/24
     type=tunnel

roadwarrior - ipsec.conf:
   config setup
     charondebug="lib 4"

   conn %default
     ikelifetime=10m
     keyexchange=ikev2
     keyingtries=1
     keylife=5m
     rekeymargin=3m

   conn vpn
     auto=add
     left=%any
     leftcert=me@example.com.pem
     leftsourceip=%config
     right=xx.xx.39.13
     rightid="CN=vpn.example.com"
     rightsubnet=192.168.1.0/24
     type=tunnel

The problem appears to be related specifically to when reauthentication 
happens. The following is reported on the road warrior when that kicks in:

16[KNL] unable to query SAD entry with SPI c1cf75d3: No such file or 
directory (2)
16[IKE] reauthenticating IKE_SA vpn[1]
16[IKE] deleting IKE_SA vpn[1] between xx.xx.147.104[CN=me@example.com, E=me@example.com]...xx.xx.39.13[CN=vpn.example.com]
16[IKE] sending DELETE for IKE_SA vpn[1]
16[ENC] generating INFORMATIONAL request 3 [ D ]
16[NET] sending packet: from xx.xx.147.104[4500] to xx.xx.39.13[4500] 
(76 bytes)
16[NET] received packet: from xx.xx.39.13[4500] to xx.xx.147.104[4500] 
(76 bytes)
16[ENC] parsed INFORMATIONAL response 3 [ ]
16[IKE] IKE_SA deleted
16[IKE] installing new virtual IP 192.168.254.1
16[LIB] created TUN device: tun1
15[KNL] interface tun1 appeared
16[IKE] restarting CHILD_SA vpn
15[KNL] interface tun1 activated
16[IKE] initiating IKE_SA vpn[2] to xx.xx.39.13
16[LIB] size of DH secret exponent: 2047 bits
16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) 
N(NATD_D_IP) ]
16[NET] sending packet: from xx.xx.147.104[500] to xx.xx.39.13[500] 
(1132 bytes)
16[KNL] unable to delete SAD entry with SPI c1cf75d3: No such file or 
directory (2)
06[KNL] interface tun0 deactivated
07[NET] received packet: from xx.xx.39.13[500] to xx.xx.147.104[500] 
(465 bytes)
07[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) 
N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
07[IKE] local host is behind NAT, sending keep alives
07[IKE] remote host is behind NAT
07[IKE] received cert request for "CN=example.com certificate authority, E=ca@example.com"
07[IKE] sending cert request for "CN=example.com certificate authority, E=ca@example.com"
07[IKE] authentication of 'CN=me@example.com, E=me@example.com' (myself) with RSA signature successful
07[IKE] sending end entity cert "CN=me@example.com, E=me@example.com"
07[IKE] establishing CHILD_SA vpn{1}
07[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ 
IDr AUTH CPRQ(ADDR DNS) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) 
N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
07[NET] sending packet: from xx.xx.147.104[4500] to xx.xx.39.13[4500] 
(2668 bytes)
07[NET] received packet: from xx.xx.39.13[4500] to xx.xx.147.104[4500] 
(2348 bytes)
07[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS) 
N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
07[IKE] received end entity cert "CN=vpn.example.com"
07[CFG]   using certificate "CN=vpn.example.com"
07[CFG]   using trusted ca certificate "CN=example.com certificate authority, E=ca@example.com"
07[CFG] checking certificate status of "CN=vpn.example.com"
07[CFG] certificate status is not available
07[CFG]   reached self-signed root ca with a path length of 0
07[IKE] authentication of 'CN=vpn.example.com' with RSA signature successful
07[IKE] IKE_SA vpn[2] established between xx.xx.147.104[CN=me@example.com, E=me@example.com]...xx.xx.39.13[CN=vpn.example.com]
07[IKE] scheduling reauthentication in 288s
07[IKE] maximum IKE_SA lifetime 468s
07[IKE] installing DNS server 192.168.1.13 via resolvconf
08[KNL] 192.168.254.1 disappeared from tun1
07[IKE] installing new virtual IP 192.168.254.1
08[KNL] interface tun1 deactivated
07[LIB] created TUN device: tun2
16[KNL] interface tun0 activated
16[KNL] fe80::f2de:f1ff:fead:512f appeared on tun0
05[KNL] 192.168.254.1 appeared on tun0
07[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
07[IKE] CHILD_SA vpn{1} established with SPIs c0f19027_i cd32d518_o and 
TS 192.168.254.1/32 === 192.168.1.0/24
07[IKE] received AUTH_LIFETIME of 28464s, reauthentication already 
scheduled in 288s
07[IKE] peer supports MOBIKE
05[IKE] sending address list update using MOBIKE
05[ENC] generating INFORMATIONAL request 2 [ N(ADD_4_ADDR) ]
05[NET] sending packet: from xx.xx.147.104[4500] to xx.xx.39.13[4500] 
(76 bytes)
05[NET] received packet: from xx.xx.39.13[4500] to xx.xx.147.104[4500] 
(76 bytes)
05[ENC] parsed INFORMATIONAL response 2 [ ]
05[IKE] sending keep alive to xx.xx.39.13[4500]
05[IKE] sending keep alive to xx.xx.39.13[4500]

$ ifconfig tun0
ifconfig: interface tun0 does not exist
$ ifconfig tun2
tun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
         options=80000<LINKSTATE>
         inet6 fe80::f2de:f1ff:fead:512f%tun2 prefixlen 64 scopeid 0x5
         inet 192.168.254.1 --> 192.168.254.1 netmask 0xffffffff
         nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
         Opened by PID 3865

I'm not sure of the importance of the 'unable to query/delete SAD entry' 
messages, but everything works fine until this reauth happens; then no 
traffic passes over the tunnel from the road warrior, but traffic from 
the static end of the VPN can still reach the road warrior.  If I set 
ikelifetime=480m it will work flawlessly that whole time, or if I set it 
to 10 minutes it'll work fine until the reauth.  As best as I can tell, 
strongSwan attempts to kill off the original tun0 device and spin up the 
VIP on tun1, but then for some reason it kills that off too and 
activates tun2, but then reports the VIP was found on tun0, which no 
longer exists.  I think it's getting confused about where that VIP is and 
where to route the traffic, since the tunnel stays up and continues to 
reauthenticate and spin up new tun devices until I drop it.  I've also 
noticed that just dropping the tunnel and bringing it up (ipsec down, 
ipsec up) doesn't work either.  strongSwan will attempt to use the next 
tun device but will report:

15[IKE] installing new virtual IP 192.168.254.1
15[LIB] created TUN device: tun11
14[KNL] interface tun0 activated
10[KNL] fe80::f2de:f1ff:fead:512f appeared on tun0
10[KNL] 192.168.254.1 appeared on tun0

The only way to get it back to a working state is to restart strongSwan 
so it will start over at tun0.  Any ideas on what I can do to help track 
down where this problem is?
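[Added example, not part of the original post and not strongSwan's own code. To make the device/VIP mismatch the post describes easy to spot in a longer charon log, this script replays the LIB and KNL lines and correlates which TUN device charon last created with where the kernel says the virtual IP actually landed. The regexes, the function names and the SAMPLE_LOG excerpt (constructed from the lines quoted in the post) are my own.]

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the charon IKE/LIB/KNL lines quoted in the
# post above, in the order they were logged during the reauthentication.
SAMPLE_LOG = """\
16[IKE] installing new virtual IP 192.168.254.1
16[LIB] created TUN device: tun1
15[KNL] interface tun1 appeared
15[KNL] interface tun1 activated
06[KNL] interface tun0 deactivated
07[IKE] installing DNS server 192.168.1.13 via resolvconf
08[KNL] 192.168.254.1 disappeared from tun1
07[IKE] installing new virtual IP 192.168.254.1
08[KNL] interface tun1 deactivated
07[LIB] created TUN device: tun2
16[KNL] interface tun0 activated
16[KNL] fe80::f2de:f1ff:fead:512f appeared on tun0
05[KNL] 192.168.254.1 appeared on tun0
"""

# Line shape: "<thread>[<group>] <message>". These patterns are my own and
# only cover the message forms that appear in this log.
LINE_RE = re.compile(r"^(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
CREATED_RE = re.compile(r"created TUN device: (?P<dev>\S+)")
VIP_RE = re.compile(r"installing new virtual IP (?P<vip>\S+)")
IFACE_RE = re.compile(
    r"interface (?P<dev>\S+) (?P<state>appeared|activated|deactivated|disappeared)")
ADDR_RE = re.compile(
    r"(?P<addr>[0-9a-fA-F.:]+) (?P<event>appeared on|disappeared from) (?P<dev>\S+)")


def track_tun_state(log_text):
    """Replay charon log lines and return (last_created, vip_dev, anomalies).

    last_created: TUN device charon most recently reported creating (LIB).
    vip_dev:      device the kernel (KNL) currently reports the virtual IP on.
    anomalies:    (line_no, message) pairs where a kernel event lands on a
                  device other than the one charon last created.
    """
    last_created = None
    vip = None
    addrs = defaultdict(set)   # dev -> addresses the kernel reported on it
    anomalies = []

    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")

        c = CREATED_RE.search(msg)
        if c:
            last_created = c.group("dev")
            continue

        v = VIP_RE.search(msg)
        if v:
            vip = v.group("vip")
            continue

        i = IFACE_RE.search(msg)
        if i:
            dev, state = i.group("dev"), i.group("state")
            if state in ("appeared", "activated") and last_created and dev != last_created:
                anomalies.append(
                    (n, f"kernel {state} {dev} but charon last created {last_created}"))
            continue

        a = ADDR_RE.search(msg)
        if a:
            addr, dev = a.group("addr"), a.group("dev")
            if a.group("event") == "appeared on":
                addrs[dev].add(addr)
                if addr == vip and dev != last_created:
                    anomalies.append(
                        (n, f"virtual IP {addr} appeared on {dev}, expected {last_created}"))
            else:
                addrs[dev].discard(addr)

    vip_dev = next((d for d, s in addrs.items() if vip in s), None)
    return last_created, vip_dev, anomalies


if __name__ == "__main__":
    created, vip_dev, problems = track_tun_state(SAMPLE_LOG)
    print(f"charon last created: {created}; kernel reports VIP on: {vip_dev}")
    for line_no, text in problems:
        print(f"line {line_no}: {text}")
```

Run against the excerpt, it reports that charon's last created device is tun2 while the kernel placed 192.168.254.1 on tun0, and flags the two KNL lines where that divergence first shows up; feeding it a full `charondebug="knl 2,lib 2"` capture would show whether the same pattern repeats on every reauthentication.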