[strongSwan-dev] Strongswan 5.3, IKEv2 & "make before break" - losing DNS configuration on Initiator after IKE lifetime expires
Ken Nelson
ken at cazena.com
Mon Nov 16 17:16:19 CET 2015
Can someone please reply to this? Here are the questions:
1. How to prevent Charon from removing the name server configuration from /etc/resolv.conf in the IKE_SA re-authentication case?
2. Why does the up/down script get invoked during IKE_SA re-authentication? When “make before break” is enabled, the up/down script invocation seems backward/awkward. That is, up/down is invoked with an ‘up’ notification at the initial establishment of the tunnel, then again with a second ‘up’ notification during the “make before break”, then finally with a ‘down’ notification even though the tunnel is up?!?
VPN up/down notifications from Initiator’s /var/log/messages:
Nov 11 17:24:54 initiator vpn: + responder.domain.com 10.8.192.0/19 == re.sp.on.der -- 10.0.1.36 == 10.255.252.2/32
Nov 11 20:02:52 initiator vpn: + responder.domain.com 10.8.192.0/19 == re.sp.on.der -- 10.0.1.36 == 10.255.252.2/32
Nov 11 20:02:52 initiator vpn: - responder.domain.com 10.8.192.0/19 == re.sp.on.der -- 10.0.1.36 == 10.255.252.2/32
3. Aside: why does /usr/libexec/strongswan/_updown fail to find iptables?
On Nov 12, 2015, at 10:53 AM, Ken Nelson <ken at cazena.com> wrote:
Configuration
* StrongSwan version 5.3.0 on Centos 6.6 for both Initiator & Responder.
* In /etc/strongswan/strongswan.d/charon.conf, set “make_before_break = yes” on both Initiator and Responder (responder also has cisco_unity = yes, but that should not be relevant).
* In /etc/strongswan/strongswan.d/charon/resolv.conf, set “file = /etc/resolv.conf” on Initiator only.
* Using the default up/down script, /usr/libexec/strongswan/_updown
Problem
Initiator establishes an IKEv2 tunnel with the Responder, which operates correctly until the first “reauthenticating IKE_SA” event occurs, i.e. the IKE lifetime expires. We are using the default value for ikelifetime, so this occurs 2.5 - 3 hours after initial tunnel establishment. After re-authentication completes, the tunnel continues to work correctly, except that DNS is now incorrectly configured on the Initiator, causing DNS name resolution failure.
Details
/etc/resolv.conf on the Initiator after the tunnel is established; 10.8.194.96 is the correct DNS nameserver. Note there’s a minor configuration bug on the Responder in that it sends the nameserver configuration twice; this does not seem to cause any operational problems.
[myaccount at initiator ~]$ cat /etc/resolv.conf
search domain.internal # by edm-start-ipsec on Thu Nov 12 11:35:41 EST 2015
nameserver 10.8.194.96 # by strongSwan, from responder.domain.com
nameserver 10.8.194.96 # by strongSwan, from responder.domain.com
; generated by /sbin/dhclient-script
nameserver 10.0.1.1
/var/log/messages on the Initiator during IKE_SA re-authentication (timezone is EST):
Nov 11 20:02:51 initiator charon: 07[IKE] reauthenticating IKE_SA dm-psk[1]
Nov 11 20:02:51 initiator charon: 07[IKE] installing new virtual IP 10.255.252.2
Nov 11 20:02:51 initiator charon: 07[IKE] initiating IKE_SA dm-psk[2] to re.sp.on.der
Nov 11 20:02:51 initiator charon: 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Nov 11 20:02:51 initiator charon: 07[NET] sending packet: from 10.0.1.36[4500] to re.sp.on.der[4500] (1436 bytes)
Nov 11 20:02:51 initiator charon: 04[NET] received packet: from re.sp.on.der[4500] to 10.0.1.36[4500] (456 bytes)
Nov 11 20:02:51 initiator charon: 04[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
Nov 11 20:02:51 initiator charon: 04[IKE] local host is behind NAT, sending keep alives
Nov 11 20:02:51 initiator charon: 04[IKE] remote host is behind NAT
Nov 11 20:02:51 initiator charon: 04[IKE] authentication of 'my-user' (myself) with pre-shared key
Nov 11 20:02:51 initiator charon: 04[IKE] establishing CHILD_SA dm-psk
Nov 11 20:02:51 initiator charon: 04[ENC] generating IKE_AUTH request 1 [ IDi IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(AUTH_FOLLOWS) ]
Nov 11 20:02:51 initiator charon: 04[NET] sending packet: from 10.0.1.36[4500] to re.sp.on.der[4500] (428 bytes)
Nov 11 20:02:51 initiator charon: 06[NET] received packet: from re.sp.on.der[4500] to 10.0.1.36[4500] (124 bytes)
Nov 11 20:02:51 initiator charon: 06[ENC] parsed IKE_AUTH response 1 [ IDr AUTH ]
Nov 11 20:02:51 initiator charon: 06[IKE] authentication of 'responder.domain.com' with pre-shared key successful
Nov 11 20:02:51 initiator charon: 06[ENC] generating IKE_AUTH request 2 [ IDi ]
Nov 11 20:02:51 initiator charon: 06[NET] sending packet: from 10.0.1.36[4500] to re.sp.on.der[4500] (76 bytes)
Nov 11 20:02:51 initiator charon: 13[NET] received packet: from re.sp.on.der[4500] to 10.0.1.36[4500] (92 bytes)
Nov 11 20:02:51 initiator charon: 13[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/GTC ]
Nov 11 20:02:51 initiator charon: 13[IKE] server requested EAP_GTC authentication (id 0x79)
Nov 11 20:02:51 initiator charon: 13[ENC] generating IKE_AUTH request 3 [ EAP/RES/GTC ]
Nov 11 20:02:51 initiator charon: 13[NET] sending packet: from 10.0.1.36[4500] to re.sp.on.der[4500] (92 bytes)
Nov 11 20:02:51 initiator charon: 09[NET] received packet: from re.sp.on.der[4500] to 10.0.1.36[4500] (76 bytes)
Nov 11 20:02:51 initiator charon: 09[ENC] parsed IKE_AUTH response 3 [ EAP/SUCC ]
Nov 11 20:02:51 initiator charon: 09[IKE] EAP method EAP_GTC succeeded, no MSK established
Nov 11 20:02:51 initiator charon: 09[IKE] authentication of 'my-user' (myself) with EAP
Nov 11 20:02:51 initiator charon: 09[ENC] generating IKE_AUTH request 4 [ AUTH ]
Nov 11 20:02:51 initiator charon: 09[NET] sending packet: from 10.0.1.36[4500] to re.sp.on.der[4500] (92 bytes)
Nov 11 20:02:52 initiator charon: 15[NET] received packet: from re.sp.on.der[4500] to 10.0.1.36[4500] (300 bytes)
Nov 11 20:02:52 initiator charon: 15[ENC] parsed IKE_AUTH response 4 [ AUTH CPRP(ADDR U_SPLITINC U_LOCALLAN DNS U_DEFDOM DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Nov 11 20:02:52 initiator charon: 15[IKE] authentication of 'responder.domain.com' with EAP successful
Nov 11 20:02:52 initiator charon: 15[IKE] IKE_SA dm-psk[2] established between 10.0.1.36[my-user]...re.sp.on.der[responder.domain.com]
Nov 11 20:02:52 initiator charon: 15[IKE] scheduling reauthentication in 10092s
Nov 11 20:02:52 initiator charon: 15[IKE] maximum IKE_SA lifetime 10632s
Nov 11 20:02:52 initiator charon: 15[CFG] handling UNITY_SPLIT_INCLUDE attribute failed
Nov 11 20:02:52 initiator charon: 15[CFG] handling UNITY_LOCAL_LAN attribute failed
Nov 11 20:02:52 initiator charon: 15[IKE] installing DNS server 10.8.194.96 to /etc/resolv.conf
Nov 11 20:02:52 initiator charon: 15[CFG] handling UNITY_DEF_DOMAIN attribute failed
Nov 11 20:02:52 initiator charon: 15[IKE] installing DNS server 10.8.194.96 to /etc/resolv.conf
Nov 11 20:02:52 initiator charon: 15[IKE] installing new virtual IP 10.255.252.2
Nov 11 20:02:52 initiator charon: 15[IKE] CHILD_SA dm-psk{5} established with SPIs ce54cd29_i 759cb598_o and TS 10.255.252.2/32 === 10.8.192.0/19
Nov 11 20:02:52 initiator charon: 15[CHD] updown: /usr/libexec/strongswan/_updown: line 300: iptables: command not found
Nov 11 20:02:52 initiator charon: 15[CHD] updown: /usr/libexec/strongswan/_updown: line 303: iptables: command not found
Nov 11 20:02:52 initiator charon: 15[CHD] updown: /usr/libexec/strongswan/_updown: line 312: iptables: command not found
Nov 11 20:02:52 initiator charon: 15[CHD] updown: /usr/libexec/strongswan/_updown: line 315: iptables: command not found
Nov 11 20:02:52 initiator vpn: + responder.domain.com<http://responder.domain.com/> 10.8.192.0/19 == re.sp.on.der -- 10.0.1.36 == 10.255.252.2/32
Nov 11 20:02:52 initiator charon: 15[IKE] received AUTH_LIFETIME of 9930s, scheduling reauthentication in 9390s
Nov 11 20:02:52 initiator charon: 15[IKE] peer supports MOBIKE
Nov 11 20:02:52 initiator charon: 10[IKE] deleting IKE_SA dm-psk[1] between 10.0.1.36[my-user]...re.sp.on.der[responder.domain.com]
Nov 11 20:02:52 initiator charon: 10[IKE] sending DELETE for IKE_SA dm-psk[1]
Nov 11 20:02:52 initiator charon: 10[ENC] generating INFORMATIONAL request 12 [ D ]
Nov 11 20:02:52 initiator charon: 10[NET] sending packet: from 10.0.1.36[4500] to re.sp.on.der[4500] (76 bytes)
Nov 11 20:02:52 initiator charon: 14[NET] received packet: from re.sp.on.der[4500] to 10.0.1.36[4500] (76 bytes)
Nov 11 20:02:52 initiator charon: 14[ENC] parsed INFORMATIONAL response 12 [ ]
Nov 11 20:02:52 initiator charon: 14[IKE] IKE_SA deleted
Nov 11 20:02:52 initiator charon: 14[CHD] updown: /usr/libexec/strongswan/_updown: line 348: iptables: command not found
Nov 11 20:02:52 initiator charon: 14[CHD] updown: /usr/libexec/strongswan/_updown: line 352: iptables: command not found
Nov 11 20:02:52 initiator charon: 14[CHD] updown: /usr/libexec/strongswan/_updown: line 362: iptables: command not found
Nov 11 20:02:52 initiator charon: 14[CHD] updown: /usr/libexec/strongswan/_updown: line 366: iptables: command not found
Nov 11 20:02:52 initiator vpn: - responder.domain.com<http://responder.domain.com/> 10.8.192.0/19 == re.sp.on.der -- 10.0.1.36 == 10.255.252.2/32
Nov 11 20:02:52 initiator charon: 14[IKE] removing DNS server 10.8.194.96 from /etc/resolv.conf
Nov 11 20:02:52 initiator charon: 14[IKE] removing DNS server 10.8.194.96 from /etc/resolv.conf
Nov 11 20:02:52 initiator charon: 14[IKE] removing DNS server 10.8.194.96 from /etc/resolv.conf
Nov 11 20:02:52 initiator charon: 14[IKE] removing DNS server 10.8.194.96 from /etc/resolv.conf
Nov 11 20:03:15 initiator charon: 11[IKE] sending keep alive to re.sp.on.der[4500]
Nov 11 20:03:22 initiator charon: 04[IKE] sending DPD request
/etc/resolv.conf on the Initiator after IKE_SA re-authentication completes. Charon removed the name server configuration at datestamp “Nov 11 20:02:52” in the Initiator log above.
[myaccount at initiator ~]$ cat /etc/resolv.conf
search domain.internal # by edm-start-ipsec on Wed Nov 11 17:24:56 EST 2015
; generated by /sbin/dhclient-script
nameserver 10.0.1.1
/var/log/messages on the Responder during IKE_SA re-authentication (timezone is UTC):
Nov 12 01:02:53 responder charon: 08[NET] received packet: from ini.ti.at.or[40720] to 10.8.193.69[4500] (1436 bytes)
Nov 12 01:02:53 responder charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Nov 12 01:02:53 responder charon: 08[IKE] ini.ti.at.or is initiating an IKE_SA
Nov 12 01:02:53 responder charon: 08[IKE] local host is behind NAT, sending keep alives
Nov 12 01:02:53 responder charon: 08[IKE] remote host is behind NAT
Nov 12 01:02:53 responder charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
Nov 12 01:02:53 responder charon: 08[NET] sending packet: from 10.8.193.69[4500] to ini.ti.at.or[40720] (456 bytes)
Nov 12 01:02:53 responder charon: 15[NET] received packet: from ini.ti.at.or[40720] to 10.8.193.69[4500] (428 bytes)
Nov 12 01:02:53 responder charon: 15[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(AUTH_FOLLOWS) ]
Nov 12 01:02:53 responder charon: 15[CFG] looking for peer configs matching 10.8.193.69[responder.domain.com]...ini.ti.at.or[my-user]
Nov 12 01:02:53 responder charon: 15[CFG] selected peer config 'endpoints'
Nov 12 01:02:53 responder charon: 15[IKE] authentication of 'my-user' with pre-shared key successful
Nov 12 01:02:53 responder charon: 15[CFG] constraint requires public key authentication, but pre-shared key was used
Nov 12 01:02:53 responder charon: 15[CFG] selected peer config 'endpoints' inacceptable: non-matching authentication done
Nov 12 01:02:53 responder charon: 15[CFG] switching to peer config 'rw-ikev2-psk'
Nov 12 01:02:53 responder charon: 15[IKE] peer supports MOBIKE
Nov 12 01:02:53 responder charon: 15[IKE] authentication of 'responder.domain.com' (myself) with pre-shared key
Nov 12 01:02:53 responder charon: 15[ENC] generating IKE_AUTH response 1 [ IDr AUTH ]
Nov 12 01:02:53 responder charon: 15[NET] sending packet: from 10.8.193.69[4500] to ini.ti.at.or[40720] (124 bytes)
Nov 12 01:02:53 responder charon: 10[NET] received packet: from ini.ti.at.or[40720] to 10.8.193.69[4500] (76 bytes)
Nov 12 01:02:53 responder charon: 10[ENC] parsed IKE_AUTH request 2 [ IDi ]
Nov 12 01:02:53 responder charon: 10[IKE] initiating EAP_GTC method (id 0x79)
Nov 12 01:02:53 responder charon: 10[ENC] generating IKE_AUTH response 2 [ EAP/REQ/GTC ]
Nov 12 01:02:53 responder charon: 10[NET] sending packet: from 10.8.193.69[4500] to ini.ti.at.or[40720] (92 bytes)
Nov 12 01:02:53 responder charon: 12[NET] received packet: from ini.ti.at.or[40720] to 10.8.193.69[4500] (92 bytes)
Nov 12 01:02:53 responder charon: 12[ENC] parsed IKE_AUTH request 3 [ EAP/RES/GTC ]
Nov 12 01:02:54 responder charon: 12[IKE] PAM authentication of 'my-user' successful
Nov 12 01:02:54 responder charon: 12[IKE] EAP method EAP_GTC succeeded, no MSK established
Nov 12 01:02:54 responder charon: 12[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]
Nov 12 01:02:54 responder charon: 12[NET] sending packet: from 10.8.193.69[4500] to ini.ti.at.or[40720] (76 bytes)
Nov 12 01:02:54 responder charon: 13[NET] received packet: from ini.ti.at.or[40720] to 10.8.193.69[4500] (92 bytes)
Nov 12 01:02:54 responder charon: 13[ENC] parsed IKE_AUTH request 4 [ AUTH ]
Nov 12 01:02:54 responder charon: 13[IKE] authentication of 'my-user' with EAP successful
Nov 12 01:02:54 responder charon: 13[IKE] authentication of 'responder.domain.com' (myself) with EAP
Nov 12 01:02:54 responder charon: 13[IKE] IKE_SA rw-ikev2-psk[4] established between 10.8.193.69[responder.domain.com]...ini.ti.at.or[my-user]
Nov 12 01:02:54 responder charon: 13[IKE] scheduling reauthentication in 9930s
Nov 12 01:02:54 responder charon: 13[IKE] maximum IKE_SA lifetime 10470s
Nov 12 01:02:54 responder charon: 13[IKE] peer requested virtual IP 10.255.252.2
Nov 12 01:02:54 responder charon: 13[CFG] reassigning online lease to 'my-user'
Nov 12 01:02:54 responder charon: 13[IKE] assigning virtual IP 10.255.252.2 to peer 'my-user'
Nov 12 01:02:54 responder charon: 13[IKE] CHILD_SA rw-ikev2-psk{7} established with SPIs 759cb598_i ce54cd29_o and TS 10.8.192.0/19 === 10.255.252.2/32
Nov 12 01:02:54 responder vpn: + my-user 10.255.252.2/32 == ini.ti.at.or -- 10.8.193.69 == 10.8.192.0/19
Nov 12 01:02:54 responder charon: 13[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR U_SPLITINC U_LOCALLAN DNS U_DEFDOM DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Nov 12 01:02:54 responder charon: 13[NET] sending packet: from 10.8.193.69[4500] to ini.ti.at.or[40720] (300 bytes)
Nov 12 01:02:54 responder charon: 11[NET] received packet: from ini.ti.at.or[40720] to 10.8.193.69[4500] (76 bytes)
Nov 12 01:02:54 responder charon: 11[ENC] parsed INFORMATIONAL request 12 [ D ]
Nov 12 01:02:54 responder charon: 11[IKE] received DELETE for IKE_SA rw-ikev2-psk[3]
Nov 12 01:02:54 responder charon: 11[IKE] deleting IKE_SA rw-ikev2-psk[3] between 10.8.193.69[responder.domain.com]...ini.ti.at.or[my-user]
Nov 12 01:02:54 responder charon: 11[IKE] IKE_SA deleted
Nov 12 01:02:54 responder vpn: - my-user 10.255.252.2/32 == ini.ti.at.or -- 10.8.193.69 == 10.8.192.0/19
Nov 12 01:02:54 responder charon: 11[ENC] generating INFORMATIONAL response 12 [ ]
Nov 12 01:02:54 responder charon: 11[NET] sending packet: from 10.8.193.69[4500] to ini.ti.at.or[40720] (76 bytes)
Questions
1. How to prevent Charon from removing the name server configuration from /etc/resolv.conf in the IKE_SA re-authentication case?
2. Why does the up/down script get invoked during IKE_SA re-authentication? When “make before break” is enabled, the up/down script invocation seems backward/awkward. That is, up/down is invoked with an ‘up’ notification at the initial establishment of the tunnel, then again with a second ‘up’ notification during the “make before break”, then finally with a ‘down’ notification even though the tunnel is up?!?
VPN up/down notifications from Initiator’s /var/log/messages:
Nov 11 17:24:54 initiator vpn: + responder.domain.com 10.8.192.0/19 == re.sp.on.der -- 10.0.1.36 == 10.255.252.2/32
Nov 11 20:02:52 initiator vpn: + responder.domain.com 10.8.192.0/19 == re.sp.on.der -- 10.0.1.36 == 10.255.252.2/32
Nov 11 20:02:52 initiator vpn: - responder.domain.com 10.8.192.0/19 == re.sp.on.der -- 10.0.1.36 == 10.255.252.2/32
3. Aside: why does /usr/libexec/strongswan/_updown fail to find iptables?
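Added example (not from this thread and not strongSwan's own _updown script): a POSIX shell fragment that shows the reference-counting approach to the up/up/down ordering seen in the log above. With make_before_break the new IKE_SA's "up" event arrives before the old IKE_SA's "down", so a script that applies settings on "up" and reverts them on "down" ends up with nothing applied while the tunnel is still established. Counting established SAs per tunnel and only reverting when the count reaches zero avoids that. It assumes a writable, root-owned state directory (hypothetical UPDOWN_STATE_DIR override) and a tunnel key that the caller builds, in a real updown script, from charon's PLUTO_PEER and PLUTO_PEER_CLIENT environment variables. It only governs what the updown script itself applies; the /etc/resolv.conf entries in the log are installed and removed by charon's resolve plugin, which an updown script does not control.

```shell
#!/bin/sh
# Reference-counted up/down bookkeeping for a strongSwan updown script.
# Added example, not strongSwan's _updown. With make_before_break the new
# IKE_SA's "up" arrives before the old IKE_SA's "down", so a script that
# applies on "up" and reverts on "down" leaves nothing applied while the
# tunnel is still up. Counting ups and downs per tunnel and reverting only
# when the count reaches zero keeps the configuration in place.

# State directory: hypothetical UPDOWN_STATE_DIR override; the default is a
# root-owned runtime directory so unprivileged users cannot tamper with the
# counters.
state_dir() {
    printf '%s' "${UPDOWN_STATE_DIR:-/var/run/strongswan-updown}"
}

# One counter file per tunnel key. The caller builds the key from the peer and
# its client subnet (in a real updown script: "$PLUTO_PEER $PLUTO_PEER_CLIENT").
counter_file() {
    printf '%s/%s.count' "$(state_dir)" "$(printf '%s' "$1" | tr -c 'A-Za-z0-9._-' '_')"
}

# read_count KEY -> number of currently established SAs for this tunnel
read_count() {
    f=$(counter_file "$1")
    if [ -r "$f" ]; then cat "$f"; else echo 0; fi
}

# updown_event VERB KEY -> prints the action the script should take:
#   apply  : first "up" for this tunnel, install routes/firewall rules here
#   remove : last "down" for this tunnel, revert them here
#   noop   : a duplicate "up" (make-before-break) or the "down" of a superseded SA
updown_event() {
    verb=$1
    key=$2
    mkdir -p "$(state_dir)"
    f=$(counter_file "$key")
    n=$(read_count "$key")
    case "$verb" in
        up-client|up-host)
            n=$((n + 1))
            echo "$n" > "$f"
            if [ "$n" -eq 1 ]; then echo apply; else echo noop; fi
            ;;
        down-client|down-host)
            if [ "$n" -gt 0 ]; then n=$((n - 1)); fi
            if [ "$n" -eq 0 ]; then
                rm -f "$f"
                echo remove
            else
                echo "$n" > "$f"
                echo noop
            fi
            ;;
        *)
            echo noop
            ;;
    esac
}

# Stand-alone demo: replays the initiator's sequence from the log above
# (up at 17:24:54, then up followed by down at 20:02:52) in a temporary
# state directory. Run as: sh updown-refcount.sh demo
if [ "${1:-}" = demo ]; then
    UPDOWN_STATE_DIR=$(mktemp -d)
    export UPDOWN_STATE_DIR
    key='responder.domain.com 10.8.192.0/19'
    for verb in up-client up-client down-client; do
        printf '%-12s -> %s (count now %s)\n' "$verb" \
            "$(updown_event "$verb" "$key")" "$(read_count "$key")"
    done
    rm -rf "$UPDOWN_STATE_DIR"
fi
```

Wired into an updown script, the call would be `action=$(updown_event "$PLUTO_VERB" "$PLUTO_PEER $PLUTO_PEER_CLIENT")`, with the route and firewall section run only when `$action` is `apply` or `remove`. Replaying the three events from the log gives apply, noop, noop: the old SA's "down" is absorbed and the tunnel's configuration stays installed, which is the behaviour the second question asks for.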
_______________________________________________
Dev mailing list
Dev at lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/dev