[strongSwan] Issue maintaining functioning IKEv1 connection with pluto

Dave Wickham dave at dwickham.me.uk
Tue Dec 4 18:48:06 CET 2012


Hello,

I appear to be having a problem with maintaining an IKEv1 session with
pluto. I have a strongSwan 4.6.4 client and a 4.5.3 server, both
running on CentOS 6 x86_64, and the client is configured to use mode
config push mode to get a virtual IP.

The issue I'm having seems to usually manifest itself after ~5-10 mins
of being connected, although it can be longer; the SA remains up, I
can see traffic reaching the other end in tcpdump, but no traffic will
actually go onto the Internet (or even the remote strongSwan server).
I've also noticed that the IP address assigned to my client by the VPN
server has been updated (i.e. running "ip a" on the client shows that
there are now two virtual IPs assigned to the interface, the
originally assigned one and a new one). There's quite a lot of
activity from pluto logged to /var/log/secure when this happens, with
some relevant lines looking like:

Nov 19 17:21:29 hostname pluto[2578]: "gateway" #3: parsing ModeCfg set
Nov 19 17:21:29 hostname pluto[2578]: "gateway" #3: replacing virtual
IP source address <ip A> by <ip B>
Nov 19 17:21:29 hostname pluto[2578]: installing DNS server <VPN
server internal IP> to /etc/resolv.conf
Nov 19 17:21:29 hostname pluto[2578]: handling UNITY_BANNER attribute failed
Nov 19 17:21:29 hostname pluto[2578]: "gateway" #3: sending ModeCfg ack
Nov 19 17:21:29 hostname pluto[2578]: | inserting event
EVENT_SA_EXPIRE, timeout in 10800 seconds for #3
Nov 19 17:21:29 hostname pluto[2578]: "gateway" #3: sent ModeCfg ack,
established
[...]
Nov 19 17:21:29 hostname pluto[2578]: | eroute_connection replace
eroute 0.0.0.0/0:0 -> <ip B>/32:0 => tun.0 at 192.168.100.50:0
Nov 19 17:21:29 hostname pluto[2578]: deleting policy 0.0.0.0/0 ===
<ip B>/32 in failed, not found
Nov 19 17:21:29 hostname pluto[2578]: deleting policy 0.0.0.0/0 ===
<ip B>/32 fwd failed, not found
Nov 19 17:21:29 hostname pluto[2578]: | eroute_connection replace
eroute <ip B>/32:0 -> 0.0.0.0/0:0 => tun.0 at 85.115.41.170:0
Nov 19 17:21:29 hostname pluto[2578]: deleting policy <ip B>/32 ===
0.0.0.0/0 out failed, not found

(I've stripped out the hostname, and replaced some IP addresses.)

There is another, quite possibly related issue that I'm also having,
where bringing down the tunnel with "ipsec stop" doesn't remove the
assigned virtual IP address from the interface used for the VPN.

This occurs with both self-built and EPEL RPMs of strongSwan 4.6.4.

Does anyone have any idea what may be causing this? From looking back
at ML archives, it looks like I'm the only one who's had this problem,
but I can reproduce it on different hosts.

Regards,
-Dave

## BEGIN ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration

config setup
    plutodebug=control
    charonstart=no
    uniqueids=yes
    nat_traversal=yes

# Add connections here.
conn gateway
    keyexchange=ikev1
    left=%defaultroute
    leftcert=<cert name>
    leftsourceip=%config
    right=<ip>
    rightcert=<right certificate>
    rightid=%any
    rightsubnet=0.0.0.0/0
    pfs=no
    modeconfig=push
    auto=start
## END ipsec.conf
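The symptom described above (a second ModeCfg exchange replaces the virtual IP, pluto then fails to delete the old policies, and the stale virtual IP is left on the interface) can be spotted from the client's own logs and address list. The following script is an added example, not part of the original post and not strongSwan's own code: it parses syslog lines shaped like the ones quoted in the post, reports every ModeCfg exchange that changed the virtual IP together with the "deleting policy ... failed, not found" lines logged in the same second, and then checks `ip -4 -o addr show` output for leftover /32 addresses. The hostname, PID, interface name and all addresses in the sample data are constructed placeholders; the format of pluto's initial virtual-IP assignment line is not shown in the post, so the sample's first exchange omits it.

```python
import re

# Constructed sample syslog lines modelled on the pluto output quoted in the
# post. Hostname, PID and addresses are placeholders, not real data.
SAMPLE_LOG = """\
Nov 19 17:11:02 hostname pluto[2578]: "gateway" #3: parsing ModeCfg set
Nov 19 17:11:02 hostname pluto[2578]: "gateway" #3: sent ModeCfg ack, established
Nov 19 17:21:29 hostname pluto[2578]: "gateway" #3: parsing ModeCfg set
Nov 19 17:21:29 hostname pluto[2578]: "gateway" #3: replacing virtual IP source address 10.0.0.5 by 10.0.0.9
Nov 19 17:21:29 hostname pluto[2578]: "gateway" #3: sending ModeCfg ack
Nov 19 17:21:29 hostname pluto[2578]: "gateway" #3: sent ModeCfg ack, established
Nov 19 17:21:29 hostname pluto[2578]: deleting policy 0.0.0.0/0 === 10.0.0.9/32 in failed, not found
Nov 19 17:21:29 hostname pluto[2578]: deleting policy 0.0.0.0/0 === 10.0.0.9/32 fwd failed, not found
Nov 19 17:21:29 hostname pluto[2578]: deleting policy 10.0.0.9/32 === 0.0.0.0/0 out failed, not found
"""

# Constructed `ip -4 -o addr show eth0` output after the re-assignment: the
# physical address plus both virtual IPs, as the post describes.
SAMPLE_IP_ADDR = """\
2: eth0    inet 192.168.100.50/24 brd 192.168.100.255 scope global eth0\\       valid_lft forever preferred_lft forever
2: eth0    inet 10.0.0.5/32 scope global eth0\\       valid_lft forever preferred_lft forever
2: eth0    inet 10.0.0.9/32 scope global eth0\\       valid_lft forever preferred_lft forever
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: (?P<msg>.*)$")
REPLACE_RE = re.compile(
    r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): replacing virtual IP source address '
    r"(?P<old>\S+) by (?P<new>\S+)$")
POLICY_FAIL_RE = re.compile(
    r"^deleting policy (?P<src>\S+) === (?P<dst>\S+) (?P<dir>in|out|fwd) "
    r"failed, not found$")
IP_ADDR_RE = re.compile(r"^\d+: (?P<iface>\S+)\s+inet (?P<cidr>\S+)")


def find_vip_replacements(log_text):
    """One record per ModeCfg exchange that changed the virtual IP, carrying
    the 'deleting policy ... failed, not found' lines from the same second."""
    events = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a pluto line
        ts, msg = m["ts"], m["msg"]
        r = REPLACE_RE.match(msg)
        if r and r["old"] != r["new"]:
            events.append({"ts": ts, "conn": r["conn"], "sa": int(r["sa"]),
                           "old": r["old"], "new": r["new"],
                           "failed_deletes": []})
            continue
        p = POLICY_FAIL_RE.match(msg)
        # Attribute a failed policy deletion to the replacement logged in the
        # same second; the two appear together in the post's log excerpt.
        if p and events and events[-1]["ts"] == ts:
            events[-1]["failed_deletes"].append(
                f'{p["src"]} === {p["dst"]} {p["dir"]}')
    return events


def stale_virtual_ips(ip_addr_output, iface, current_vip):
    """/32 addresses on iface other than the current virtual IP. A leftover
    /32 is the symptom the post describes after a virtual IP was replaced."""
    stale = []
    for line in ip_addr_output.splitlines():
        m = IP_ADDR_RE.match(line)
        if not m or m["iface"] != iface:
            continue
        addr, _, plen = m["cidr"].partition("/")
        if plen == "32" and addr != current_vip:
            stale.append(addr)
    return stale


def check(log_text, ip_addr_output, iface):
    """Combine both checks into a single report for the given interface."""
    events = find_vip_replacements(log_text)
    current = events[-1]["new"] if events else None
    return {"replacements": events,
            "current_vip": current,
            "stale_vips": stale_virtual_ips(ip_addr_output, iface, current)}


if __name__ == "__main__":
    report = check(SAMPLE_LOG, SAMPLE_IP_ADDR, "eth0")
    for ev in report["replacements"]:
        print(f'{ev["ts"]} {ev["conn"]} #{ev["sa"]}: virtual IP '
              f'{ev["old"]} -> {ev["new"]}, '
              f'{len(ev["failed_deletes"])} policy deletions failed')
    print("stale virtual IPs still on eth0:", report["stale_vips"])
```

Run against the client's real data with `check(open("/var/log/secure").read(), subprocess.check_output(["ip", "-4", "-o", "addr", "show", "eth0"], text=True), "eth0")`; a non-empty `stale_vips` list, or a replacement record with failed deletions, is the condition worth alerting on, since from that point the SA looks healthy while forwarded traffic silently stops.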
