[strongSwan] StrongSwan loses connection when reauthenticating

Stoppel, Uwe uwe at stoppel.name
Fri Aug 30 09:08:10 CEST 2013


Hello everyone.

I've set up StrongSwan and want to use it for site-to-site VPN and for Road Warriors.

Almost everything works really great, but I'm always running into the issue that my VPN initiators lose connection when reauthentication happens.

My VPN gateway then tells me that it has sent a packet to the initiators, but this packet never seems to arrive there.

All my initiators are behind NAT without port forwarding, so this would make sense. However, as I understand it, there should be a way to set up the Gateway so that it never tries to contact the initiators (as they aren't reachable because of NAT).

Here's the log entry that's generated on the Gateway when reauthenticating.

Aug 29 19:52:53 03[NET] received packet: from yy.yy.yy.yy[4500] to xx.xx.xx.xx[4500] (76 bytes)
Aug 29 19:52:53 03[ENC] parsed INFORMATIONAL request 26 [ D ]
Aug 29 19:52:53 03[IKE] received DELETE for IKE_SA vpn-initiator-vpn-responder[1]
Aug 29 19:52:53 03[IKE] deleting IKE_SA vpn-initiator-vpn-responder[1] between xx.xx.xx.xx[vpn-responder]...yy.yy.yy.yy[vpn-initiator]
Aug 29 19:52:53 03[IKE] IKE_SA deleted
Aug 29 19:52:53 03[ENC] generating INFORMATIONAL response 26 [ ]
Aug 29 19:52:53 03[NET] sending packet: from xx.xx.xx.xx[4500] to yy.yy.yy.yy[4500] (76 bytes)
Aug 29 19:52:53 01[NET] received packet: from yy.yy.yy.yy[4500] to xx.xx.xx.xx[4500] (304 bytes)
Aug 29 19:52:53 01[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Aug 29 19:52:53 01[IKE] yy.yy.yy.yy is initiating an IKE_SA
Aug 29 19:52:53 01[IKE] remote host is behind NAT
Aug 29 19:52:53 01[IKE] sending cert request for "DC=local, DC=vpn-responder, CN=vpn-responder-CA"
Aug 29 19:52:53 01[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Aug 29 19:52:53 01[NET] sending packet: from xx.xx.xx.xx[4500] to yy.yy.yy.yy[4500] (337 bytes)
Aug 29 19:52:53 11[NET] received packet: from yy.yy.yy.yy[4500] to xx.xx.xx.xx[4500] (300 bytes)
Aug 29 19:52:53 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Aug 29 19:52:53 11[CFG] looking for peer configs matching xx.xx.xx.xx[vpn-responder]...yy.yy.yy.yy[vpn-initiator]
Aug 29 19:52:53 11[CFG] selected peer config 'vpn-initiator-vpn-responder'
Aug 29 19:52:53 11[IKE] authentication of 'vpn-initiator' with pre-shared key successful
Aug 29 19:52:53 11[IKE] peer supports MOBIKE
Aug 29 19:52:53 11[IKE] authentication of 'vpn-responder' (myself) with pre-shared key
Aug 29 19:52:53 11[IKE] IKE_SA vpn-initiator-vpn-responder[2] established between xx.xx.xx.xx[vpn-responder]...yy.yy.yy.yy[vpn-initiator]
Aug 29 19:52:53 11[IKE] CHILD_SA vpn-initiator-vpn-responder{2} established with SPIs c49c3457_i cbea0c57_o and TS 192.168.255.0/24 === 192.168.245.0/24
Aug 29 19:52:53 11[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Aug 29 19:52:53 11[NET] sending packet: from xx.xx.xx.xx[4500] to yy.yy.yy.yy[4500] (220 bytes)

The Gateway is a Debian Wheezy (7.1) with strongswan 5.1.0-1 compiled from source. Here's the config.

conn %default
        ikelifetime=4h
        keylife=2h
        rekeymargin=3m
        keyingtries=10
        keyexchange=ikev2
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        authby=secret
        dpdaction=none
        dpddelay=30s
        dpdtimeout=150s
        inactivity=86400
        rekey=no

conn vpn-initiator-vpn-responder
        left=%defaultroute
        leftsubnet=192.168.255.0/24
        leftid=@vpn-responder
        right=%any
        rightsubnet=192.168.245.0/24
        rightid=@vpn-initiator
        auto=add

My VPN initiator is an OpenWRT ATTITUDE ADJUSTMENT (12.09, r36088) with strongswan 5.0.0-1 installed as a package. Here's the config:

conn %default
        ikelifetime=3h
        keylife=20m
        rekeymargin=3m
        keyingtries=10
        keyexchange=ikev2
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        authby=secret
        dpdaction=restart
        dpddelay=30s
        dpdtimeout=150s
        inactivity=86400
        rekey=yes

conn vpn-initiator-vpn-responder
        left=@defaultroute
        leftsubnet=192.168.245.0/24
        leftid=@vpn-initiator
        leftfirewall=yes
        right=xx.xx.xx.xx
        rightsubnet=192.168.255.0/24
        rightid=@vpn-responder
        auto=start

I also have several Windows 8 IKEv2 clients which show exactly the same behavior; I'll leave them out for the moment for the sake of simplicity.

I'd highly appreciate any help on that issue.

Kind regards
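To measure how long a tunnel is actually down at each reauthentication, here is a small log-pairing script, added as an example that is not part of the original post or of strongSwan. It pairs each peer-initiated IKE_SA DELETE with the next IKE_SA the same connection establishes; the log lines it parses are constructed in the shape of the charon output quoted above (placeholder addresses and SA names), and the year is an assumption because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample modelled on the charon log lines quoted in the post.
# Addresses and SA names are placeholders, not real hosts.
SAMPLE_LOG = """\
Aug 29 19:52:53 03[IKE] received DELETE for IKE_SA vpn-initiator-vpn-responder[1]
Aug 29 19:52:53 03[IKE] deleting IKE_SA vpn-initiator-vpn-responder[1] between xx.xx.xx.xx[vpn-responder]...yy.yy.yy.yy[vpn-initiator]
Aug 29 19:52:53 01[IKE] yy.yy.yy.yy is initiating an IKE_SA
Aug 29 19:52:53 01[IKE] remote host is behind NAT
Aug 29 19:52:53 11[IKE] IKE_SA vpn-initiator-vpn-responder[2] established between xx.xx.xx.xx[vpn-responder]...yy.yy.yy.yy[vpn-initiator]
Aug 29 23:52:10 05[IKE] received DELETE for IKE_SA vpn-initiator-vpn-responder[2]
Aug 29 23:52:10 05[IKE] IKE_SA deleted
Aug 29 23:52:41 07[IKE] IKE_SA vpn-initiator-vpn-responder[3] established between xx.xx.xx.xx[vpn-responder]...yy.yy.yy.yy[vpn-initiator]
"""

LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \d+\[(\w+)\] (.*)$")
DELETE_RE = re.compile(r"received DELETE for IKE_SA (\S+)\[(\d+)\]")
ESTAB_RE = re.compile(r"IKE_SA (\S+)\[(\d+)\] established between \S+\.\.\.([^\[]+)\[")
NAT_RE = re.compile(r"remote host is behind NAT")


def reauth_cycles(log_text, year=2013):
    """Return one record per DELETE -> re-established IKE_SA cycle, with the
    peer address, whether charon saw it behind NAT, and the downtime in
    seconds. The year is an assumption: syslog timestamps omit it."""
    pending = {}          # connection name -> (time of DELETE, old SA number)
    nat_seen = False      # set when a NAT-D check fires after the DELETE
    cycles = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue      # not a charon line in the expected shape
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(3)
        if d := DELETE_RE.search(msg):
            pending[d.group(1)] = (ts, int(d.group(2)))
            nat_seen = False
        elif NAT_RE.search(msg):
            nat_seen = True
        elif e := ESTAB_RE.search(msg):
            conn = e.group(1)
            if conn in pending:   # only count SAs that replace a deleted one
                t_del, old = pending.pop(conn)
                cycles.append({
                    "conn": conn, "old_sa": old, "new_sa": int(e.group(2)),
                    "peer": e.group(3), "behind_nat": nat_seen,
                    "downtime_s": int((ts - t_del).total_seconds()),
                })
    return cycles
```

Feed it the gateway's charon log and a downtime that grows with each cycle, or a cycle that never closes, points at the reauthentication rather than the initial setup.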
