[strongSwan] Dynamic IP allocation error handling

Rudolf Ladyzhenskii rudolfl at rumatech.com
Tue Jul 24 02:07:56 CEST 2012


Hi, all

I have a server and a number of road warriors. Road warriors get their IP
assigned from the server.
Everything works fine until the server hits an error assigning an IP address.
I will not go into the details of the error just yet, but the consequences are of
interest.

The road warrior gets stuck, thinking the SA is established.
Here is the output of ipsec statusall when the error occurs:

Connections:
58.96.102.3_cnc:  10.205.201.67...58.96.102.3, dpddelay=20s
58.96.102.3_cnc:   local:  [C=AU, O=Symstream, OU=RM, CN=612335,
L=Global] uses public key authentication
58.96.102.3_cnc:    cert:  "C=AU, O=Symstream, OU=RM, CN=612335, L=Global"
58.96.102.3_cnc:   remote: [C=AU, O=Symstream, OU=RnD,
CN=vpngw01.symstream.com] uses any authentication
58.96.102.3_cnc:    cert:  "C=AU, O=Symstream, OU=RnD, CN=vpngw01.symstream.com"
58.96.102.3_cnc:   child:  dynamic === 10.5.5.0/24 , dpdaction=restart
Security Associations:
58.96.102.3_cnc[1]: ESTABLISHED 14 minutes ago, 10.205.201.67[C=AU,
O=Symstream, OU=RM, CN=612335, L=Global]...58.96.102.3[C=AU,
O=Symstream, OU=RnD, CN=vpngw01.symstream.com]
58.96.102.3_cnc[1]: IKE SPIs: dfea77e8bdcf433a_i* a0805b2e91a8e404_r,
public key reauthentication in 10 minutes
58.96.102.3_cnc[1]: IKE proposal:
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024


Same output in normal working state:
Connections:
58.96.102.3_cnc:  10.168.126.25...58.96.102.3, dpddelay=20s
58.96.102.3_cnc:   local:  [C=AU, O=Symstream, OU=RM, CN=612335,
L=Global] uses public key authentication
58.96.102.3_cnc:    cert:  "C=AU, O=Symstream, OU=RM, CN=612335, L=Global"
58.96.102.3_cnc:   remote: [C=AU, O=Symstream, OU=RnD,
CN=vpngw01.symstream.com] uses any authentication
58.96.102.3_cnc:    cert:  "C=AU, O=Symstream, OU=RnD, CN=vpngw01.symstream.com"
58.96.102.3_cnc:   child:  dynamic === 10.5.5.0/24 , dpdaction=restart
Security Associations:
58.96.102.3_cnc[1]: ESTABLISHED 3 seconds ago, 10.168.126.25[C=AU,
O=Symstream, OU=RM, CN=612335, L=Global]...58.96.102.3[C=AU,
O=Symstream, OU=RnD, CN=vpngw01.symstream.com]
58.96.102.3_cnc[1]: IKE SPIs: 4721ee301022433b_i* 1002014087b81351_r,
public key reauthentication in 25 minutes
58.96.102.3_cnc[1]: IKE proposal:
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
58.96.102.3_cnc{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c11cf842_i cb28248d_o
58.96.102.3_cnc{1}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
rekeying in 46 minutes
58.96.102.3_cnc{1}:   10.4.0.107/32 === 10.5.5.0/24

Addresses on the server side are allocated statically (e.g. each road
warrior is assigned an IP address statically). When a road warrior
breaks the connection (reboots) and tries to re-establish it, the server still
keeps the old connection information for a while. It does not understand
that the same device is connecting again. As a result, the server sees that the IP
address it meant to serve is in use and generates an error.

The main question is:
When this situation occurs, both ends assume that the connection is up. It
is, in terms of IPsec, but no traffic can be sent through. Is it
possible to configure the client and/or server to tear down the connection
in this condition and try again?

Thanks,
Rudolf
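Added example (not code from the post or from the strongSwan project): a small Python script that parses the text of ipsec statusall in the format shown above and flags IKE_SAs that are ESTABLISHED but have no INSTALLED CHILD_SA beneath them, which is exactly the difference between the two outputs above (the stuck one has no {1} lines). The two sample inputs are constructed, condensed from the post's outputs; the 30 second grace period and the use of ipsec down / ipsec up as the retry step are this example's own choices, not a strongSwan default.

```python
#!/usr/bin/env python3
"""Flag strongSwan IKE_SAs that are ESTABLISHED but carry no installed CHILD_SA.

Added example: reads the text of `ipsec statusall`, attaches each CHILD_SA
({n} lines) to the IKE_SA ([n] line) printed just before it, and reports
IKE_SAs that look "up" while no ESP tunnel exists. The grace period and the
retry commands below are this example's choices, not strongSwan settings.
"""
import re
import sys

IKE_SA_RE = re.compile(
    r"^\s*(?P<conn>\S+)\[(?P<id>\d+)\]:\s+"
    r"(?P<state>ESTABLISHED|CONNECTING|REKEYING|REKEYED|DELETING|CREATED|PASSIVE)\b"
    r"(?:\s+(?P<n>\d+)\s+(?P<unit>second|minute|hour|day)s?\s+ago)?"
)
CHILD_SA_RE = re.compile(
    r"^\s*(?P<conn>\S+)\{(?P<id>\d+)\}:\s+"
    r"(?P<state>INSTALLED|INSTALLING|ROUTED|REKEYING|REKEYED|DELETING|CREATED)\b"
)
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

# Constructed samples, condensed from the two outputs in the post.
STUCK_SAMPLE = """Security Associations:
58.96.102.3_cnc[1]: ESTABLISHED 14 minutes ago, 10.205.201.67[C=AU, O=Symstream, OU=RM, CN=612335, L=Global]...58.96.102.3[C=AU, O=Symstream, OU=RnD, CN=vpngw01.symstream.com]
58.96.102.3_cnc[1]: IKE SPIs: dfea77e8bdcf433a_i* a0805b2e91a8e404_r, public key reauthentication in 10 minutes
58.96.102.3_cnc[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
"""
HEALTHY_SAMPLE = """Security Associations:
58.96.102.3_cnc[1]: ESTABLISHED 3 seconds ago, 10.168.126.25[C=AU, O=Symstream, OU=RM, CN=612335, L=Global]...58.96.102.3[C=AU, O=Symstream, OU=RnD, CN=vpngw01.symstream.com]
58.96.102.3_cnc[1]: IKE SPIs: 4721ee301022433b_i* 1002014087b81351_r, public key reauthentication in 25 minutes
58.96.102.3_cnc[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
58.96.102.3_cnc{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c11cf842_i cb28248d_o
58.96.102.3_cnc{1}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 46 minutes
58.96.102.3_cnc{1}:   10.4.0.107/32 === 10.5.5.0/24
"""


def parse_ike_sas(statusall_text):
    """Return IKE_SAs as dicts {conn, id, state, age_s, children}.

    statusall prints a CHILD_SA's {n} lines right after the [n] lines of the
    IKE_SA it belongs to, so a sequential scan attaches children correctly.
    Mail-wrapped continuation lines match neither regex and are ignored.
    """
    sas = []
    for line in statusall_text.splitlines():
        m = IKE_SA_RE.match(line)
        if m:
            age = None
            if m.group("n"):
                age = int(m.group("n")) * UNIT_SECONDS[m.group("unit")]
            sas.append({"conn": m.group("conn"), "id": int(m.group("id")),
                        "state": m.group("state"), "age_s": age, "children": []})
            continue
        m = CHILD_SA_RE.match(line)
        if m and sas:
            sas[-1]["children"].append({"id": int(m.group("id")),
                                        "state": m.group("state")})
    return sas


def stuck_sas(statusall_text, grace_s=30):
    """ESTABLISHED IKE_SAs older than grace_s with no INSTALLED CHILD_SA.

    The grace period (example's choice) avoids flagging an IKE_SA whose
    CHILD_SA is simply still being negotiated.
    """
    out = []
    for sa in parse_ike_sas(statusall_text):
        if sa["state"] != "ESTABLISHED":
            continue
        if sa["age_s"] is not None and sa["age_s"] < grace_s:
            continue
        if any(c["state"] == "INSTALLED" for c in sa["children"]):
            continue
        out.append(sa)
    return out


def restart_commands(sas):
    """Tear-down-and-retry commands, one pair per affected connection name.

    `ipsec down <conn>` and `ipsec up <conn>` are the standard stroke commands;
    running them automatically is a policy decision left to the operator.
    """
    cmds = []
    for conn in sorted({sa["conn"] for sa in sas}):
        cmds += ["ipsec down %s" % conn, "ipsec up %s" % conn]
    return cmds


if __name__ == "__main__":
    # Usage: ipsec statusall | python3 stuck_sa.py ; exit status 1 if stuck SAs exist
    stuck = stuck_sas(sys.stdin.read())
    for sa in stuck:
        print("stuck: %s[%d] ESTABLISHED, no CHILD_SA installed" % (sa["conn"], sa["id"]))
    for cmd in restart_commands(stuck):
        print(cmd)
    sys.exit(1 if stuck else 0)
```

Run from cron on the road warrior, the script gives a hook for the tear-down-and-retry the post asks about without relying on DPD, which never fires here because the IKE_SA itself is healthy; whether to execute the printed commands automatically is up to the operator.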