[strongSwan] better information on tunnel status
Axel Starck
axelstarck134 at gmail.com
Wed Nov 27 21:42:06 CET 2013
Hi,
I use strongswan to connect to a Juniper Netscreen.
The configuration is below and rather straight forward.
The tunnel is coming up fine.
All we need it for is running an outgoing TCP connection between 2 hosts.
It runs a simple protocol with a linktest packet exchange when the connection is idle.
What we see is an unstable connection, meaning no replies to linktests after 20-30 min (the linktest runs every 60 sec),
then TCP reconnect timeouts for a while until it eventually comes up again.
# strongswan statusall
# ip route list table 220
don't show any problems,
but restarting strongswan usually clears the problem.
Are there any other ways to determine what the problem is here?
Or can I assume the problem is at the other end?
Access to the Juniper side is limited,
so I try to be sure before I point there.
Thanks
--Axel--
------------------------------------------------------------------------------
[root at rs2 php]# vi /etc/strongswan/strongswan.conf
# strongswan.conf - strongSwan configuration file

charon {
    # number of worker threads in charon
    threads = 16

    # send strongswan vendor ID?
    # send_vendor_id = yes

    filelog {
        /var/log/charon.log {
            # add a timestamp prefix
            time_format = %b %e %T
            # loggers to files also accept the append option to open files in
            # append mode at startup (default is yes)
            append = no
            # the default loglevel for all daemon subsystems (defaults to 1).
            default = 2
            # flush each line to disk
            flush_line = yes
        }
    }

    plugins {
        sql {
            # loglevel to log into sql database
            loglevel = -1
            # URI to the database
            # database = sqlite:///path/to/file.db
            # database = mysql://user:password@localhost/database
        }
    }
    # ...
}

pluto {
}

libstrongswan {
    # set to no, the DH exponent size is optimized
    # dh_exponent_ansi_x9_42 = no
}
------------------------------------------------------------------------------
[root at rs2 php]# vi /etc/strongswan/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
    # strictcrlpolicy=yes
    # uniqueids = no

# Add connections here.
conn juniper
    ike=3des-sha1-modp1024
    esp=3des-sha1-modp1024
    authby=secret
    keyingtries=0
    left=91.xxx.165.136
    leftsubnet=91.xxx.165.136/32
    right=213.xxx.168.7
    rightsubnet=192.168.158.70/32
    compress=no
    auto=start
------------------------------------------------------------------------------
[root at rs2 php]# vi /etc/strongswan/ipsec.secrets
213.xxx.168.7 91.xxx.165.136 : PSK "verysecret"
------------------------------------------------------------------------------
[root at rs2 php]# strongswan statusall
Status of IKE charon daemon (strongSwan 5.0.4, Linux 3.8.13-xxxx-grs-ipv6-64, x86_64):
uptime: 25 minutes, since Nov 27 19:56:45 2013
malloc: sbrk 385656, mmap 0, used 275416, free 110240
worker threads: 6 of 16 idle, 9/1/0/0 working, job queue: 0/0/0/0, scheduled: 3
loaded plugins: charon curl aes des sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap dhcp
Listening IP addresses:
91.xxx.165.136
2001:41d0:1:e688::1
Connections:
juniper: 91.xxx.165.136...213.xxx.168.7 IKEv1/2
juniper: local: [91.xxx.165.136] uses pre-shared key authentication
juniper: remote: [213.xxx.168.7] uses pre-shared key authentication
juniper: child: 91.xxx.165.136/32 === 192.168.158.70/32 TUNNEL
Security Associations (2 up, 0 connecting):
juniper[2]: ESTABLISHED 25 minutes ago, 91.xxx.165.136[91.xxx.165.136]...213.xxx.168.7[213.xxx.168.7]
juniper[2]: IKEv1 SPIs: 330e9930641ec931_i 7effcb9e460df315_r*, pre-shared key reauthentication in 2 hours
juniper[2]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
juniper{1}: INSTALLED, TUNNEL, ESP SPIs: c8658827_i e584c299_o
juniper{1}: 3DES_CBC/HMAC_SHA1_96, 8823 bytes_i (185 pkts, 44s ago), 3253 bytes_o (54 pkts, 104s ago), rekeying in 20 minutes
juniper{1}: 91.xxx.165.136/32 === 192.168.158.70/32
juniper[1]: CONNECTING, 91.xxx.165.136[%any]...213.xxx.168.7[%any]
juniper[1]: IKEv2 SPIs: 203c8d1cdfa944b1_i* 0000000000000000_r
juniper[1]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
[root at rs2 php]#
------------------------------------------------------------------------------
[root at rs2 php]# ip route list table 220
192.168.158.70 via 91.xxx.165.254 dev eth0 proto static src 91.xxx.165.136
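The question asks for better information on tunnel status than a green "INSTALLED" line. The per-CHILD_SA counters in `strongswan statusall` (bytes and packets in each direction, seconds since the last packet, time until rekeying) already carry that information; what follows is an added example, not code from the post or from the strongSwan project, that parses those lines and compares the inbound silence against the application's linktest interval. The sample inputs are constructed: the first is the "Security Associations" block from the post, the second is an invented snapshot of the failure mode described (SA still INSTALLED, outbound still flowing, nothing inbound for 15 minutes). The state names and the `grace` multiplier are assumptions of the example.

```python
"""Parse `strongswan statusall` and flag signs of an unhealthy tunnel.

Added example (not from the original post or from strongSwan): extracts, per
CHILD_SA, the time since the last inbound/outbound ESP packet and the time
until rekeying, then checks them against the application's linktest interval.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the "Security Associations" block from the post above.
SAMPLE_STATUS = """\
juniper[2]: ESTABLISHED 25 minutes ago, 91.xxx.165.136[91.xxx.165.136]...213.xxx.168.7[213.xxx.168.7]
juniper[2]: IKEv1 SPIs: 330e9930641ec931_i 7effcb9e460df315_r*, pre-shared key reauthentication in 2 hours
juniper[2]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
juniper{1}: INSTALLED, TUNNEL, ESP SPIs: c8658827_i e584c299_o
juniper{1}: 3DES_CBC/HMAC_SHA1_96, 8823 bytes_i (185 pkts, 44s ago), 3253 bytes_o (54 pkts, 104s ago), rekeying in 20 minutes
juniper{1}: 91.xxx.165.136/32 === 192.168.158.70/32
juniper[1]: CONNECTING, 91.xxx.165.136[%any]...213.xxx.168.7[%any]
juniper[1]: IKEv2 SPIs: 203c8d1cdfa944b1_i* 0000000000000000_r
"""

# Constructed sample of the failure mode the post describes: the SA is still
# INSTALLED and we keep sending, but nothing has come back for 15 minutes.
STALE_STATUS = """\
juniper[3]: ESTABLISHED 47 minutes ago, 91.xxx.165.136[91.xxx.165.136]...213.xxx.168.7[213.xxx.168.7]
juniper{2}: INSTALLED, TUNNEL, ESP SPIs: 0a0a0a0a_i 0b0b0b0b_o
juniper{2}: 3DES_CBC/HMAC_SHA1_96, 9100 bytes_i (190 pkts, 900s ago), 6400 bytes_o (110 pkts, 30s ago), rekeying in 3 minutes
"""

# State names as printed by charon (assumed list; unknown states are simply not matched).
IKE_STATES = "CREATED|CONNECTING|ESTABLISHED|PASSIVE|REKEYING|DELETING|DESTROYING"
CHILD_STATES = "CREATED|ROUTED|INSTALLING|INSTALLED|UPDATING|REKEYING|REKEYED|RETRYING|DELETING|DESTROYING"
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

# `name[id]:` lines describe IKE_SAs, `name{id}:` lines describe CHILD_SAs.
IKE_RE = re.compile(r"^(?P<name>[\w-]+)\[(?P<id>\d+)\]:\s+(?P<state>" + IKE_STATES + r")\b")
CHILD_RE = re.compile(r"^(?P<name>[\w-]+)\{(?P<id>\d+)\}:\s+(?P<state>" + CHILD_STATES + r")\b")
STATS_RE = re.compile(
    r"^(?P<name>[\w-]+)\{(?P<id>\d+)\}:\s+(?P<alg>\S+), "
    r"(?P<bytes_i>\d+) bytes_i(?: \((?P<pkts_i>\d+) pkts?, (?P<age_i>\d+)s ago\))?, "
    r"(?P<bytes_o>\d+) bytes_o(?: \((?P<pkts_o>\d+) pkts?, (?P<age_o>\d+)s ago\))?"
    r"(?:, rekeying in (?P<rekey_n>\d+) (?P<rekey_unit>second|minute|hour|day)s?)?"
)


@dataclass
class ChildSA:
    name: str
    sa_id: int
    state: str
    bytes_i: int = 0
    pkts_i: int = 0
    age_i: Optional[int] = None   # seconds since last inbound ESP packet, None if never
    bytes_o: int = 0
    pkts_o: int = 0
    age_o: Optional[int] = None   # seconds since last outbound ESP packet, None if never
    rekey_seconds: Optional[int] = None


@dataclass
class Status:
    ike: Dict[str, str] = field(default_factory=dict)        # "juniper[2]" -> state
    child: Dict[str, ChildSA] = field(default_factory=dict)  # "juniper{1}" -> ChildSA


def parse_statusall(text: str) -> Status:
    """Build a Status from the text of `strongswan statusall`."""
    st = Status()
    for raw in text.splitlines():
        line = raw.strip()
        if m := IKE_RE.match(line):
            st.ike[f"{m['name']}[{m['id']}]"] = m["state"]
        elif m := CHILD_RE.match(line):
            st.child[f"{m['name']}{{{m['id']}}}"] = ChildSA(m["name"], int(m["id"]), m["state"])
        elif m := STATS_RE.match(line):
            sa = st.child.get(f"{m['name']}{{{m['id']}}}")
            if sa is None:
                continue  # counters without a preceding state line; ignore
            sa.bytes_i, sa.bytes_o = int(m["bytes_i"]), int(m["bytes_o"])
            if m["pkts_i"]:
                sa.pkts_i, sa.age_i = int(m["pkts_i"]), int(m["age_i"])
            if m["pkts_o"]:
                sa.pkts_o, sa.age_o = int(m["pkts_o"]), int(m["age_o"])
            if m["rekey_n"]:
                sa.rekey_seconds = int(m["rekey_n"]) * UNIT_SECONDS[m["rekey_unit"]]
    return st


def check_health(st: Status, linktest_interval: int = 60, grace: int = 2) -> List[str]:
    """Return findings; inbound silence longer than grace * linktest_interval is flagged."""
    stale_after = linktest_interval * grace
    findings: List[str] = []
    for key, state in st.ike.items():
        if state != "ESTABLISHED":
            findings.append(f"{key}: IKE_SA is {state}, not ESTABLISHED")
    for key, sa in st.child.items():
        if sa.state != "INSTALLED":
            findings.append(f"{key}: CHILD_SA is {sa.state}, not INSTALLED")
        elif sa.age_i is None:
            findings.append(f"{key}: no inbound ESP traffic since the SA was installed")
        elif sa.age_i > stale_after:
            sent = f"last outbound {sa.age_o}s ago" if sa.age_o is not None else "nothing sent"
            findings.append(f"{key}: inbound silent for {sa.age_i}s ({sent}); peer side is not answering")
    return findings


if __name__ == "__main__":
    for label, text in (("post", SAMPLE_STATUS), ("stale", STALE_STATUS)):
        print(label, check_health(parse_statusall(text)) or ["ok"])
```

Run periodically (for example from cron, feeding it `strongswan statusall`), the one-way-traffic finding separates "the SA is installed but the far side has stopped answering" from "the SA itself is gone", which is the distinction the post needs before blaming the Juniper end; logging `rekey_seconds` alongside each failure also shows whether the outages line up with CHILD_SA rekeying.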