[strongSwan] Rekey between openswan and strongswan
Yatong Cui
yacui at redhat.com
Tue Oct 26 11:55:44 CEST 2010
Hi all,
I've been doing a test between openswan and strongswan. And the rekey of the CHILD_SA (setting the strongswan time counter to a smaller value, the openswan time counter to a larger value) isn't successful.
Here is detailed info:
=====================================================
Network TOPO:
-------------
OPENSWAN (RHEL6) <========> ROUTER <===========> STRONGSWAN (OPENSUSE11.3)
2001:db8:1:1::/64                                 2001:db8:1:2::/64
Test Case:
----------
OPENSWAN side: configure a long enough CHILD_SA lifetime (for example 300s), regardless of SA life type, so that it does not expire before STRONGSWAN's.
STRONGSWAN side: configure the CHILD_SA lifetime to expire within a short period (for example 30s), regardless of SA life type.
Then STRONGSWAN initiates the connection and sends continuous echo packets for more than 1 min.
Configuration
--------------
OPENSWAN side:
----------------------------------------------------------------
[root at OPENSWAN ~]# cat /etc/ipsec.conf
config setup
    crlcheckinterval="180"
    strictcrlpolicy=no
    protostack=netkey
    plutodebug=all
conn %default
    salifetime=300s
    rekeymargin=10s
    rekeyfuzz=0%
    ike=3des-sha1;modp1024
    phase2alg=3des-sha1
    authby=secret
    ikev2=yes
    rekey=yes
conn TAHI
    connaddrfamily=ipv6
    type=transport
    left=2001:db8:1:1:20c:29ff:fe0c:3ed1
    right=2001:db8:1:2:20c:29ff:fe45:b04e
    leftid=2001:db8:1:1:20c:29ff:fe0c:3ed1
    rightid=2001:db8:1:2:20c:29ff:fe45:b04e
    auto=add
-------------------------------------------------------------------
STRONGSWAN side:
linux-9deg:~ # cat /etc/ipsec.conf
config setup
    crlcheckinterval="180"
    strictcrlpolicy=no
    charonstart=yes
conn %default
    lifetime=30s
    margintime=10s
    rekeyfuzz=0%
    ike=aes-sha1-modp1024
    esp=3des-sha1
    authby=secret
    keyexchange=ikev2
    rekey=yes
conn TAHI
    right=2001:db8:1:1:20c:29ff:fe0c:3ed1
    left=2001:db8:1:2:20c:29ff:fe45:b04e
    rightid=2001:db8:1:1:20c:29ff:fe0c:3ed1
    leftid=2001:db8:1:2:20c:29ff:fe45:b04e
    type=transport
    compress=no
    auto=add
--------------------------------------------------------------------
Logging info:
The connection is successful for 20s (lifetime minus margintime). After that, because the rekey is not successful, the connection breaks down and the echo test fails.
'ipsec statusall' from strongswan:
-----------------------------------
Status of IKEv2 charon daemon (strongSwan 4.4.0):
uptime: 29 seconds, since Oct 26 05:29:21 2010
worker threads: 7 idle of 16, job queue load: 0, scheduled events: 3
loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl gcrypt fips-prf xcbc hmac agent gmp attr kernel-netlink socket-raw socket-dynamic farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp resolve
Listening IP addresses:
192.168.2.10
2001:db8:1:2:20c:29ff:fe45:b04e
Connections:
TAHI: 2001:db8:1:2:20c:29ff:fe45:b04e...2001:db8:1:1:20c:29ff:fe0c:3ed1
TAHI: local: [2001:db8:1:2:20c:29ff:fe45:b04e] uses pre-shared key authentication
TAHI: remote: [2001:db8:1:1:20c:29ff:fe0c:3ed1] uses any authentication
TAHI: child: dynamic === dynamic
Security Associations:
TAHI[1]: ESTABLISHED 23 seconds ago, 2001:db8:1:2:20c:29ff:fe45:b04e[2001:db8:1:2:20c:29ff:fe45:b04e]...2001:db8:1:1:20c:29ff:fe0c:3ed1[2001:db8:1:1:20c:29ff:fe0c:3ed1]
TAHI[1]: IKE SPIs: b21e1a3b193ad1a5_i* 26461e9385d874db_r, pre-shared key reauthentication in 2 hours
TAHI[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
TAHI{1}: REKEYING, TRANSPORT
TAHI{1}: 2001:db8:1:2:20c:29ff:fe45:b04e/128 === 2001:db8:1:1:20c:29ff:fe0c:3ed1/128
-----------------------------------------------------------------------------------------------
The STRONGSWAN side seems to try to rekey and the rekeying is not successful.
Additional Info:
-----------------
1. This test is successful when setting the OPENSWAN CHILD_SA lifetime to a shorter value and the STRONGSWAN CHILD_SA lifetime to a larger value.
2. The rekey between 2 strongswan hosts is successful (setting one side to 30s and the other side to 300s).
Regards & Thanks
Frank
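An added example, not part of the post or of either project: a small check that reads the two `conn %default` sections above (embedded here as constructed input), normalizes openswan's `salifetime`/`rekeymargin` and strongSwan's `lifetime`/`margintime` names, and computes when each peer will start rekeying its CHILD_SA. It reproduces the 20s figure from the post and shows that strongSwan is the side that sends the rekey, so openswan is the side that has to answer it. The fallback defaults (`1h`, `9m`, `100%`) are strongSwan's and are assumed here.

```python
import re

# Constructed excerpts of the two ipsec.conf files from the post.
OPENSWAN_CONF = """\
conn %default
    salifetime=300s
    rekeymargin=10s
    rekeyfuzz=0%
"""
STRONGSWAN_CONF = """\
conn %default
    lifetime=30s
    margintime=10s
    rekeyfuzz=0%
"""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_seconds(value):
    """Parse '30s', '5m', '2h', '1d' or a bare number of seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError("bad time value: %r" % value)
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

def parse_conn_defaults(text):
    """Return the key=value pairs of the 'conn %default' section as a dict."""
    settings, in_default = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("conn "):
            in_default = stripped == "conn %default"
            continue
        if in_default and "=" in stripped:
            key, _, val = stripped.partition("=")
            settings[key.strip()] = val.strip()
    return settings

def rekey_window(settings):
    """(earliest, latest) CHILD_SA rekey time in seconds after establishment.
    rekeyfuzz randomly increases the margin by up to that percentage, so the
    window is [lifetime - margin*(1+fuzz), lifetime - margin].
    Defaults are strongSwan's (assumed): lifetime=1h margintime=9m rekeyfuzz=100%."""
    life = parse_seconds(settings.get("lifetime", settings.get("salifetime", "1h")))
    margin = parse_seconds(settings.get("margintime", settings.get("rekeymargin", "9m")))
    fuzz = int(settings.get("rekeyfuzz", "100%").rstrip("%")) / 100.0
    return (life - margin * (1 + fuzz), life - margin)

def first_rekeyer(configs):
    """Name of the peer whose rekey window opens first; it will send the
    CREATE_CHILD_SA and the other peer must handle it as responder."""
    return min(configs, key=lambda n: rekey_window(parse_conn_defaults(configs[n]))[0])
```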