[strongSwan] Understanding debug message and conf question

Karyn Stump karyn at fastsoft.com
Fri Oct 28 20:13:12 CEST 2011 

Hi,

I recently took over this server and am not very familiar with
Strongswan. I have been doing a lot of reading, but still have a lot of
questions. Basically what is happening is three clients, can connect and
stay connected fine (2-XP, Mac OSX) for hours on end, while one (Windows
7), keeps getting disconnected. The Win7 connects fine, stays on for a
while (as much as 48 minutes) but if the connection is up long enough it
gets disconnected. The server side will still show the connection and
Win7 can't reconnect. 

Yesterday I changed the dpdaction from clear to none, but after more log
watching and reading last night I believe that was a mistake. The
dpdtimeout had been set to 1440 (24 minutes) which I now believe should
have been what I changed. I only have 3-4 users (roadwarriors) using
this at various times so that makes troubleshooting even harder. 

The Win7 user noticed that if they disconnected after doing what they
needed they could reconnect without a problem. On the server side I saw
that the connection would completely clear when they did this.

I am struggling with this debug message as I think I may hold some clues
to the problem:

ERROR: asynchronous network error report on eth0 for message to
76.13.9.168 port 4500, complainant 76.13.9.168: Connection refused
[errno 111, origin ICMP type 3 code 3 (not authenticated)]

Who complained the server or the client ? Did the server receive a
message from 76.13.9.168 that had a bad AH ? I'm suspecting that the SAs
are getting out of sync. 

Any other clues to look for would be helpful and appreciated. 

The environment:

Strongswan 4.4.0
Gentoo 2.6.30

Pre-shared keys, IKE v1

Clients: Windows XP, Mac OSX, Windows 7

Ipsec.conf:

config setup
        plutostart=yes
        nat_traversal=yes
        charonstart=no
 
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:
!172.16.0.0/16
        plutodebug=controlmore

conn psk-server
        authby=secret
        forceencaps=yes
        pfs=no
        rekey=no
        keyingtries=3
        dpdaction=none
        left=98.12.243.9
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        rightsubnet=vhost:%priv,%no
        auto=add
-------------------------------------------------------------------

# strongswan.conf - strongSwan configuration file

charon {

        # number of worker threads in charon
        threads = 16
        dns1=172.16.0.21
        dns2=172.16.0.22

        # plugins to load in charon
        # load = aes des sha1 md5 sha2 hmac gmp random pubkey xcbc x509
stroke

        plugins {

                sql {
                        # loglevel to log into sql database
                        loglevel = -1

                        # URI to the database
                        # database = sqlite:///path/to/file.db
                        # database =
mysql://user:password@localhost/database
                }
        }

        # ...
}

pluto {

        # plugins to load in pluto
        # load = aes des sha1 md5 sha2 hmac gmp random pubkey

}

libstrongswan {

        #  set to no, the DH exponent size is optimized
        #  dh_exponent_ansi_x9_42 = no
}


TIA,

Karyn

--
Karyn Stump
IT Administrator
FastSoft, Inc
karyn at fastsoft.com

More information about the Users mailing list