[strongSwan] client network change drops VPN
Jay Claybaugh
gambit990 at gmail.com
Sat Jul 6 01:37:15 CEST 2013
I have a client android phone connecting to a FreeBSD 9.1 server running
strongSwan 5.0.4. The client successfully establishes a VPN connection
with the server over either a wireless or cellular network.
However, once the VPN is established, if the client changes from one
network to the other, the VPN connection does not survive. Below is the
server log, which shows a couple of "issues":
1 -- "UDP_ENCAP: Invalid argument" I'm not sure if that is relevant.
2 -- "[KNL] unable to update SAD entry with SPI c48960bf: address changes
are not supported" This sounds like an issue but it seems like with MOBIKE
supported, address changes should be allowed. The Android client's log
contains the statement:
"[IKE] requesting address change using MOBIKE"
Is there an option or configuration setting for strongswan on FreeBSD that
is necessary in order for MOBIKE to work?
[server strongSwan log]
Jul 5 18:43:48 00[DMN] Starting IKE charon daemon (strongSwan 5.0.4,
FreeBSD 9.1-RELEASE, i386)
Jul 5 18:43:48 00[KNL] unable to set UDP_ENCAP: Invalid argument
Jul 5 18:43:48 00[NET] enabling UDP decapsulation for IPv6 on port 4500
failed
Jul 5 18:43:48 00[CFG] loading ca certificates
from '/usr/local/etc/ipsec.d/cacerts'
Jul 5 18:43:48 00[CFG] loaded ca certificate "C=US, ST=Florida,
L=Melbourne, O=Home, CN=Claybaug CA"
from '/usr/local/etc/ipsec.d/cacerts/root-ca.crt'
Jul 5 18:43:48 00[CFG] loading aa certificates
from '/usr/local/etc/ipsec.d/aacerts'
Jul 5 18:43:48 00[CFG] loading ocsp signer certificates
from '/usr/local/etc/ipsec.d/ocspcerts'
Jul 5 18:43:48 00[CFG] loading attribute certificates
from '/usr/local/etc/ipsec.d/acerts'
Jul 5 18:43:48 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Jul 5 18:43:48 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Jul 5 18:43:48 00[CFG] loaded RSA private key
from '/usr/local/etc/ipsec.d/private/home.pem'
Jul 5 18:43:48 00[CFG] loaded IKE secret for %any
Jul 5 18:43:48 00[DMN] loaded plugins: charon aes des sha1 sha2 md4 md5
random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem
fips-prf gmp xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-
default stroke updown eap-identity eap-gtc eap-mschapv2 xauth-generic xauth-
pam
Jul 5 18:43:48 00[JOB] spawning 16 worker threads
Jul 5 18:43:48 06[CFG] received stroke: add connection 'Android'
Jul 5 18:43:48 06[CFG] adding virtual IP address pool 192.168.6.0/24
Jul 5 18:43:48 06[CFG] loaded certificate "C=US, ST=Florida, O=Home,
CN=Testing" from 'home.pem'
Jul 5 18:43:48 06[CFG] added configuration 'Android'
[server initialized]
Jul 5 19:20:34 15[NET] received packet: from 192.168.4.103[50478] to
50.88.238.194[500] (648 bytes)
Jul 5 19:20:34 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N
(NATD_S_IP) N(NATD_D_IP) ]
Jul 5 19:20:34 15[IKE] 192.168.4.103 is initiating an IKE_SA
Jul 5 19:20:34 15[IKE] remote host is behind NAT
Jul 5 19:20:34 15[IKE] sending cert request for "C=US, ST=Florida,
L=Melbourne, O=Home, CN=Claybaug CA"
Jul 5 19:20:34 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N
(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jul 5 19:20:34 15[NET] sending packet: from 50.88.238.194[500] to
192.168.4.103[50478] (465 bytes)
Jul 5 19:20:34 11[NET] received packet: from 192.168.4.103[43874] to
50.88.238.194[4500] (1804 bytes)
Jul 5 19:20:34 11[ENC] parsed IKE_AUTH request 1 [ IDi CERT N
(INIT_CONTACT) CERTREQ AUTH CP(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi
TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Jul 5 19:20:34 11[IKE] received cert request for "C=US, ST=Florida,
L=Melbourne, O=Home, CN=Claybaug CA"
Jul 5 19:20:34 11[IKE] received end entity cert "C=US, ST=Florida, O=Home,
CN=Testing"
Jul 5 19:20:34 11[CFG] looking for peer configs matching 50.88.238.194[%
any]...192.168.4.103[C=US, ST=Florida, O=Home, CN=Testing]
Jul 5 19:20:34 11[CFG] selected peer config 'Android'
Jul 5 19:20:34 11[CFG] using trusted ca certificate "C=US, ST=Florida,
L=Melbourne, O=Home, CN=Claybaug CA"
Jul 5 19:20:34 11[CFG] checking certificate status of "C=US, ST=Florida,
O=Home, CN=Testing"
Jul 5 19:20:34 11[CFG] certificate status is not available
Jul 5 19:20:34 11[CFG] reached self-signed root ca with a path length of
0
Jul 5 19:20:34 11[CFG] using trusted certificate "C=US, ST=Florida,
O=Home, CN=Testing"
Jul 5 19:20:34 11[IKE] authentication of 'C=US, ST=Florida, O=Home,
CN=Testing' with RSA signature successful
Jul 5 19:20:34 11[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using
ESPv3 TFC padding
Jul 5 19:20:34 11[IKE] peer supports MOBIKE
Jul 5 19:20:34 11[IKE] authentication of '50.88.238.194' (myself) with RSA
signature successful
Jul 5 19:20:34 11[IKE] IKE_SA Android[3] established between 50.88.238.194
[50.88.238.194]...192.168.4.103[C=US, ST=Florida, O=Home, CN=Testing]
Jul 5 19:20:34 11[IKE] sending end entity cert "C=US, ST=Florida, O=Home,
CN=Testing"
Jul 5 19:20:34 11[IKE] peer requested virtual IP %any
Jul 5 19:20:34 11[CFG] reassigning offline lease to 'C=US, ST=Florida,
O=Home, CN=Testing'
Jul 5 19:20:34 11[IKE] assigning virtual IP 192.168.6.1 to peer 'C=US,
ST=Florida, O=Home, CN=Testing'
Jul 5 19:20:34 11[IKE] peer requested virtual IP %any6
Jul 5 19:20:34 11[IKE] no virtual IP found for %any6 requested by 'C=US,
ST=Florida, O=Home, CN=Testing'
Jul 5 19:20:34 11[IKE] CHILD_SA Android{3} established with SPIs
c48960bf_i 8a279d4e_o and TS 0.0.0.0/0 === 192.168.6.1/32
Jul 5 19:20:34 11[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CP
(ADDR DNS) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Jul 5 19:20:34 11[NET] sending packet: from 50.88.238.194[4500] to
192.168.4.103[43874] (1452 bytes)
[Client switch from wireless network to cellular network]
Jul 5 19:20:45 06[NET] received packet: from 66.87.123.108[8421] to
50.88.238.194[4500] (76 bytes)
Jul 5 19:20:45 06[ENC] parsed INFORMATIONAL request 2 [ ]
Jul 5 19:20:45 06[ENC] generating INFORMATIONAL response 2 [ ]
Jul 5 19:20:45 06[NET] sending packet: from 50.88.238.194[4500] to
66.87.123.108[8421] (76 bytes)
Jul 5 19:20:45 07[NET] received packet: from 66.87.123.108[8421] to
50.88.238.194[4500] (172 bytes)
Jul 5 19:20:45 07[ENC] parsed INFORMATIONAL request 3 [ N(UPD_SA_ADDR) N
(NATD_S_IP) N(NATD_D_IP) N(COOKIE2) N(NO_ADD_ADDR) ]
Jul 5 19:20:45 07[KNL] unable to update SAD entry with SPI c48960bf:
address changes are not supported
Jul 5 19:20:45 07[IKE] establishing CHILD_SA Android{3}
Jul 5 19:20:45 07[ENC] generating CREATE_CHILD_SA request 0 [ N(REKEY_SA) N
(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 5 19:20:45 07[NET] sending packet: from 50.88.238.194[4500] to
66.87.123.108[8421] (348 bytes)
Jul 5 19:20:45 07[ENC] generating INFORMATIONAL response 3 [ N(NATD_S_IP) N
(NATD_D_IP) N(COOKIE2) ]
Jul 5 19:20:45 07[NET] sending packet: from 50.88.238.194[4500] to
66.87.123.108[8421] (156 bytes)
Jul 5 19:20:45 10[NET] received packet: from 66.87.123.108[8421] to
50.88.238.194[4500] (204 bytes)
Jul 5 19:20:45 10[ENC] parsed CREATE_CHILD_SA response 0 [ N
(ESP_TFC_PAD_N) SA No TSi TSr ]
Jul 5 19:20:45 10[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using
ESPv3 TFC padding
Jul 5 19:20:45 10[IKE] CHILD_SA Android{3} established with SPIs
c0c9ac5e_i 0b594b0f_o and TS 0.0.0.0/0 === 192.168.6.1/32
Jul 5 19:20:45 10[KNL] received PF_KEY message with unexpected sequence
number, was 0 expected 51
Jul 5 19:20:45 10[KNL] received PF_KEY message with unexpected sequence
number, was 0 expected 53
Jul 5 19:20:45 10[IKE] closing CHILD_SA Android{3} with SPIs c48960bf_i
(162 bytes) 8a279d4e_o (288 bytes) and TS 0.0.0.0/0 === 192.168.6.1/32
Jul 5 19:20:45 10[IKE] sending DELETE for ESP CHILD_SA with SPI c48960bf
Jul 5 19:20:45 10[ENC] generating INFORMATIONAL request 1 [ D ]
Jul 5 19:20:45 10[NET] sending packet: from 50.88.238.194[4500] to
66.87.123.108[8421] (76 bytes)
Jul 5 19:20:45 12[NET] received packet: from 66.87.123.108[8421] to
50.88.238.194[4500] (76 bytes)
Jul 5 19:20:45 12[ENC] parsed INFORMATIONAL response 1 [ D ]
Jul 5 19:20:45 12[IKE] received DELETE for ESP CHILD_SA with SPI 8a279d4e
Jul 5 19:20:45 12[IKE] CHILD_SA closed
Jul 5 19:20:46 03[KNL] creating acquire job for policy 50.88.238.194/32
[255] === 192.168.4.103/32[255] with reqid {3}
Jul 5 19:20:46 14[CFG] trap not found, unable to acquire reqid 3
Jul 5 19:20:52 15[NET] received packet: from 66.87.123.108[8421] to
50.88.238.194[4500] (76 bytes)
Jul 5 19:20:52 15[ENC] parsed INFORMATIONAL request 4 [ D ]
Jul 5 19:20:52 15[IKE] received DELETE for IKE_SA Android[3]
Jul 5 19:20:52 15[IKE] deleting IKE_SA Android[3] between 50.88.238.194
[50.88.238.194]...66.87.123.108[C=US, ST=Florida, O=Home, CN=Testing]
Jul 5 19:20:52 15[IKE] IKE_SA deleted
Jul 5 19:20:52 15[ENC] generating INFORMATIONAL response 4 [ ]
Jul 5 19:20:52 15[NET] sending packet: from 50.88.238.194[4500] to
66.87.123.108[8421] (76 bytes)
Jul 5 19:20:52 15[CFG] lease 192.168.6.1 by 'C=US, ST=Florida, O=Home,
CN=Testing' went offline
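An added example, not part of the post above and not strongSwan code: a small Python parser for charon log lines in the format shown, which flags the sequence the post describes (UDP_ENCAP setup failure at start, a MOBIKE UPD_SA_ADDR request, the kernel refusing the SAD address update, the CHILD_SA being rekeyed, and the IKE_SA finally being deleted). The sample lines are constructed from the log in the post, rejoined onto single lines.

```python
import re
from typing import NamedTuple

# Constructed sample: lines taken from the charon log in the post, unwrapped.
SAMPLE_LOG = """\
Jul 5 18:43:48 00[KNL] unable to set UDP_ENCAP: Invalid argument
Jul 5 19:20:34 11[IKE] peer supports MOBIKE
Jul 5 19:20:34 11[IKE] CHILD_SA Android{3} established with SPIs c48960bf_i 8a279d4e_o and TS 0.0.0.0/0 === 192.168.6.1/32
Jul 5 19:20:45 07[ENC] parsed INFORMATIONAL request 3 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) N(COOKIE2) N(NO_ADD_ADDR) ]
Jul 5 19:20:45 07[KNL] unable to update SAD entry with SPI c48960bf: address changes are not supported
Jul 5 19:20:45 10[IKE] CHILD_SA Android{3} established with SPIs c0c9ac5e_i 0b594b0f_o and TS 0.0.0.0/0 === 192.168.6.1/32
Jul 5 19:20:52 15[IKE] received DELETE for IKE_SA Android[3]
"""

# "Mon D HH:MM:SS TT[GROUP] message" as written by charon via syslog.
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\d\d)\[(\w+)\] (.*)$")


class Entry(NamedTuple):
    ts: str
    thread: str
    group: str   # DMN, KNL, NET, ENC, IKE, CFG, ...
    msg: str


def parse(text):
    """Return the lines that match the charon log format; skip the rest."""
    return [Entry(*m.groups()) for m in map(LINE_RE.match, text.splitlines()) if m]


def diagnose(text):
    """Flag the MOBIKE-on-PF_KEY failure pattern seen in the post's log."""
    f = {"udp_encap_failed": False, "mobike_update_received": False,
         "sad_update_unsupported": [], "child_sa_rekeyed": False, "ike_sa_deleted": False}
    child_sa_established = 0
    for e in parse(text):
        if e.group == "KNL" and "unable to set UDP_ENCAP" in e.msg:
            f["udp_encap_failed"] = True
        elif e.group == "ENC" and "N(UPD_SA_ADDR)" in e.msg:   # MOBIKE address update
            f["mobike_update_received"] = True
        elif e.group == "KNL" and "address changes are not supported" in e.msg:
            f["sad_update_unsupported"].append(re.search(r"SPI ([0-9a-f]+)", e.msg).group(1))
        elif e.group == "IKE" and "CHILD_SA" in e.msg and "established" in e.msg:
            child_sa_established += 1        # a second one means the SA was rekeyed
        elif e.group == "IKE" and "received DELETE for IKE_SA" in e.msg:
            f["ike_sa_deleted"] = True
    f["child_sa_rekeyed"] = child_sa_established > 1
    return f
```

Run `diagnose(open("/var/log/charon.log").read())` on a real log to see which of the five steps occurred; `sad_update_unsupported` lists the SPIs the kernel interface refused to move.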