[strongSwan] StrongSwan loses connection when reauthenticating
Stoppel, Uwe
uwe at stoppel.name
Fri Aug 30 09:08:10 CEST 2013
Hello everyone.
I've set up StrongSwan and want to use it for site-to-site VPN and for Road Warriors.
Almost everything works really great, but I'm always running into the issue that my VPN initiators lose connection when reauthentication happens.
My VPN gateway then tells me that it has sent a packet to the initiators, but this packet never seems to arrive there.
All my initiators are behind NAT without port forwarding, so this would make sense. However, as I understand it, there should be a way to set up the gateway so that it never tries to contact the initiators (as they aren't reachable because of the NAT).
Here are the log entries that are generated on the gateway when reauthenticating.
Aug 29 19:52:53 03[NET] received packet: from yy.yy.yy.yy[4500] to xx.xx.xx.xx[4500] (76 bytes)
Aug 29 19:52:53 03[ENC] parsed INFORMATIONAL request 26 [ D ]
Aug 29 19:52:53 03[IKE] received DELETE for IKE_SA vpn-initiator-vpn-responder[1]
Aug 29 19:52:53 03[IKE] deleting IKE_SA vpn-initiator-vpn-responder[1] between xx.xx.xx.xx[vpn-responder]...yy.yy.yy.yy[vpn-initiator]
Aug 29 19:52:53 03[IKE] IKE_SA deleted
Aug 29 19:52:53 03[ENC] generating INFORMATIONAL response 26 [ ]
Aug 29 19:52:53 03[NET] sending packet: from xx.xx.xx.xx[4500] to yy.yy.yy.yy[4500] (76 bytes)
Aug 29 19:52:53 01[NET] received packet: from yy.yy.yy.yy[4500] to xx.xx.xx.xx[4500] (304 bytes)
Aug 29 19:52:53 01[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Aug 29 19:52:53 01[IKE] yy.yy.yy.yy is initiating an IKE_SA
Aug 29 19:52:53 01[IKE] remote host is behind NAT
Aug 29 19:52:53 01[IKE] sending cert request for "DC=local, DC=vpn-responder, CN=vpn-responder-CA"
Aug 29 19:52:53 01[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Aug 29 19:52:53 01[NET] sending packet: from xx.xx.xx.xx[4500] to yy.yy.yy.yy[4500] (337 bytes)
Aug 29 19:52:53 11[NET] received packet: from yy.yy.yy.yy[4500] to xx.xx.xx.xx[4500] (300 bytes)
Aug 29 19:52:53 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Aug 29 19:52:53 11[CFG] looking for peer configs matching xx.xx.xx.xx[vpn-responder]...yy.yy.yy.yy[vpn-initiator]
Aug 29 19:52:53 11[CFG] selected peer config 'vpn-initiator-vpn-responder'
Aug 29 19:52:53 11[IKE] authentication of 'vpn-initiator' with pre-shared key successful
Aug 29 19:52:53 11[IKE] peer supports MOBIKE
Aug 29 19:52:53 11[IKE] authentication of 'vpn-responder' (myself) with pre-shared key
Aug 29 19:52:53 11[IKE] IKE_SA vpn-initiator-vpn-responder[2] established between xx.xx.xx.xx[vpn-responder]...yy.yy.yy.yy[vpn-initiator]
Aug 29 19:52:53 11[IKE] CHILD_SA vpn-initiator-vpn-responder{2} established with SPIs c49c3457_i cbea0c57_o and TS 192.168.255.0/24 === 192.168.245.0/24
Aug 29 19:52:53 11[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Aug 29 19:52:53 11[NET] sending packet: from xx.xx.xx.xx[4500] to yy.yy.yy.yy[4500] (220 bytes)
The gateway is a Debian Wheezy (7.1) box with strongswan 5.1.0-1 compiled from source. Here's the config:
conn %default
    ikelifetime=4h                  # hard lifetime of the IKE_SA
    keylife=2h                      # hard lifetime of each CHILD_SA
    rekeymargin=3m                  # start renewing this long before expiry (only used when rekey=yes)
    keyingtries=10
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!       # trailing '!' pins the proposal to exactly this suite
    esp=aes256-sha1!
    authby=secret                   # pre-shared key authentication
    dpdaction=none                  # the gateway sends no DPD probes toward the peers
    dpddelay=30s
    dpdtimeout=150s                 # IKEv1 only; IKEv2 uses the retransmission timeout instead
    inactivity=86400                # close a CHILD_SA that has been idle for 24h (seconds)
    rekey=no                        # never initiate rekeying/reauthentication; peer-initiated ones are still answered

conn vpn-initiator-vpn-responder
    left=%defaultroute              # this host, address taken from the default route
    leftsubnet=192.168.255.0/24
    leftid=@vpn-responder           # identity sent in IDr; '@' marks an FQDN-type ID that is not resolved
    right=%any                      # accept the initiator from any source address (it sits behind NAT)
    rightsubnet=192.168.245.0/24
    rightid=@vpn-initiator
    auto=add                        # load the conn and wait for the initiator; never initiate
My VPN initiator is an OpenWRT ATTITUDE ADJUSTMENT (12.09, r36088) with strongswan 5.0.0-1 installed as a package. Here's the config:
conn %default
    ikelifetime=3h                  # shorter than the gateway's 4h, so this side renews the IKE_SA first
    keylife=20m                     # shorter than the gateway's 2h for the same reason
    rekeymargin=3m
    keyingtries=10
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    authby=secret
    dpdaction=restart               # on DPD failure, tear the connection down and re-initiate it
    dpddelay=30s
    dpdtimeout=150s                 # IKEv1 only; ignored for IKEv2
    inactivity=86400
    rekey=yes                       # this side drives rekeying; with the default reauth=yes an expiring
                                    # IKE_SA is deleted and a new one is negotiated from scratch

conn vpn-initiator-vpn-responder
    left=%defaultroute              # posted as left=@defaultroute, which is not valid here: '@' marks an identity, not an address
    leftsubnet=192.168.245.0/24
    leftid=@vpn-initiator
    leftfirewall=yes                # the updown script inserts iptables rules for the tunnel traffic
    right=xx.xx.xx.xx               # the gateway's public address
    rightsubnet=192.168.255.0/24
    rightid=@vpn-responder
    auto=start                      # bring the tunnel up when the daemon starts
I also have several Windows 8 IKEv2 clients which show exactly the same behaviour; I'll leave them out for the moment for the sake of simplicity.
I'd highly appreciate any help on that issue.
Kind regards
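The arrangement the post is after, a gateway that only ever answers and a NAT'd initiator that carries all rekeying, reauthentication and DPD itself, can be checked mechanically against the two ipsec.conf fragments. The script below is an added example written for this page; it is not from the post and not strongSwan's own code. It assumes the ipsec.conf(5) defaults from the 5.x man page for the keys it inspects (ikelifetime 3h, keylife 1h, rekey yes, dpdaction none), that ikelifetime/keylife are hard lifetimes with renewal starting rekeymargin before them, and that with the default reauth=yes an expiring IKE_SA on the initiator produces exactly the DELETE followed by a fresh IKE_SA_INIT seen in the log. The embedded configs are trimmed, constructed copies of the posted ones, keeping only the keys the lint reads and reproducing the initiator's left=@defaultroute verbatim so that it gets flagged.

```python
import re
from typing import Dict, List

# Constructed, trimmed copies of the two ipsec.conf fragments posted above:
# only the keys the lint inspects are kept (the initiator's "left=@defaultroute"
# is reproduced verbatim so the lint can flag it).
GATEWAY_CONF = """\
conn %default
    ikelifetime=4h
    keylife=2h
    rekeymargin=3m
    dpdaction=none
    rekey=no

conn vpn-initiator-vpn-responder
    left=%defaultroute
    right=%any
    auto=add
"""

INITIATOR_CONF = """\
conn %default
    ikelifetime=3h
    keylife=20m
    rekeymargin=3m
    dpdaction=restart
    rekey=yes

conn vpn-initiator-vpn-responder
    left=@defaultroute
    right=xx.xx.xx.xx
    auto=start
"""

# ipsec.conf(5) defaults for the inspected keys (assumed from the 5.x man page).
DEFAULTS = {"ikelifetime": "3h", "keylife": "1h", "rekey": "yes",
            "dpdaction": "none", "auto": "ignore"}
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value: str) -> int:
    """'4h' -> 14400, '20m' -> 1200, '86400' -> 86400 (a bare number is seconds)."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn name: {key: value}} with DEFAULTS and 'conn %default' folded in."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and indentation
        if not line:
            continue
        head = re.fullmatch(r"conn\s+(\S+)", line)
        if head:
            current = head.group(1)
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, val = line.partition("=")
            sections[current][key.strip()] = val.strip()
    default = sections.pop("%default", {})
    return {name: {**DEFAULTS, **default, **opts} for name, opts in sections.items()}


def check_nat_pair(responder: Dict[str, str], initiator: Dict[str, str]) -> List[str]:
    """Lint a responder/initiator pair for the 'gateway never initiates' arrangement."""
    problems: List[str] = []
    # Gateway side: never start a rekey/reauthentication, never probe, only answer.
    if responder["rekey"] != "no":
        problems.append("responder: rekey=no needed so the gateway never initiates rekeying")
    if responder["dpdaction"] != "none":
        problems.append("responder: dpdaction=none needed so the gateway never sends DPD probes")
    if responder["auto"] != "add" or responder.get("right") != "%any":
        problems.append("responder: expected auto=add and right=%any (passive, peer address unknown)")
    # Initiator side: it has to do all the work, and do it first.
    if initiator["rekey"] != "yes":
        problems.append("initiator: rekey=yes needed; this side must drive rekeying and reauth")
    if initiator["dpdaction"] == "none" or initiator["auto"] != "start":
        problems.append("initiator: expected dpdaction=restart (or hold/clear) and auto=start")
    # Each SA must be renewed by the initiator before the responder's hard
    # lifetime deletes it, so the initiator's lifetimes must be the shorter ones.
    for key in ("ikelifetime", "keylife"):
        r, i = parse_duration(responder[key]), parse_duration(initiator[key])
        if i >= r:
            problems.append(f"initiator: {key}={initiator[key]} must be shorter than responder {key}={responder[key]}")
    # '@' introduces an identity in ipsec.conf; left/right take an address or %defaultroute.
    for side in ("left", "right"):
        value = initiator.get(side, "")
        if value.startswith("@"):
            problems.append(f"initiator: {side}={value} is not an address; use %defaultroute or an IP")
    return problems


def lint(gateway_text: str, initiator_text: str, conn: str) -> List[str]:
    return check_nat_pair(parse_ipsec_conf(gateway_text)[conn],
                          parse_ipsec_conf(initiator_text)[conn])


if __name__ == "__main__":
    for problem in lint(GATEWAY_CONF, INITIATOR_CONF, "vpn-initiator-vpn-responder"):
        print("WARN", problem)
```

On the posted pair the only finding is the initiator's left=@defaultroute. The lint encodes the intended division of labour and the lifetime ordering; it says nothing about whether a given packet actually traverses the NAT, which is what the log has to show.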