[strongSwan] better information on tunnel status

Pawel Grzesik pawel.grzesik at brainstorm.co.uk
Wed Nov 27 22:43:14 CET 2013


Hi Axel,

It's better to use auto=route instead of auto=start. The tunnel will be up only when it needs to be, brought up by the packets. Sometimes this can be a problem.
Debug mode can help you; as I remember, you can set it to 3 or 4. Please check the documentation.

Thanks,
Pawel Grzesik


On 27 Nov 2013, at 20:42, Axel Starck <axelstarck134 at gmail.com> wrote:

> 
> Hi,
> I use strongswan to connect to a Juniper Netscreen.
> The configuration is below and rather straight forward.
> The tunnel is coming up fine.
> All we need it for is running an outgoing TCP connection between 2 hosts.
> It runs a simple protocol with a linktest packet exchange when the connection is idle.
> 
> What we see is an unstable connection, meaning no replies to linktests after 20-30 min (the linktest runs every 60 sec),
> then TCP reconnect timeouts for a while until it eventually comes up again.
> # strongswan statusall
> # ip route list table 220
> 
> don't show any problems,
> but restarting strongswan usually clears the problem.
> 
> Are there any other ways to determine what the problem is here ?
> Or can I assume the problem is at the other end ?
> Access to the Juniper side is limited,
> so I try to be sure before I point there.
> 
> Thanks
> --Axel--
> 
> 
> 
> ------------------------------------------------------------------------------
> [root at rs2 php]# vi /etc/strongswan/strongswan.conf
> # strongswan.conf - strongSwan configuration file
> 
> charon {
>    # number of worker threads in charon
>    threads = 16
> 
>    # send strongswan vendor ID?
>    # send_vendor_id = yes
>    filelog {
>        /var/log/charon.log {
>            # add a timestamp prefix
>            time_format = %b %e %T
>            # loggers to files also accept the append option to open files in
>            # append mode at startup (default is yes)
>            append = no
>            # the default loglevel for all daemon subsystems (defaults to 1).
>            default = 2
>            # flush each line to disk
>            flush_line = yes
>        }
>    }
>    plugins {
> 
>        sql {
>                # loglevel to log into sql database
>                loglevel = -1
> 
>                # URI to the database
>                # database = sqlite:///path/to/file.db
>                # database = mysql://user:password@localhost/database
>        }
>    }
> 
>    # ...
> }
> 
> pluto {
> 
> }
> 
> libstrongswan {
>    #  set to no, the DH exponent size is optimized
>    #  dh_exponent_ansi_x9_42 = no
> }
> 
> ------------------------------------------------------------------------------
> ------------------------------------------------------------------------------
> [root at rs2 php]# vi /etc/strongswan/ipsec.conf
> # ipsec.conf - strongSwan IPsec configuration file
> 
> # basic configuration
> config setup
>    # strictcrlpolicy=yes
>    # uniqueids = no
> 
> # Add connections here.
> conn juniper
>        ike=3des-sha1-modp1024
>        esp=3des-sha1-modp1024
>        authby=secret
>        keyingtries=0
>        left=91.xxx.165.136
>        leftsubnet=91.xxx.165.136/32
>        right=213.xxx.168.7
>        rightsubnet=192.168.158.70/32
>        compress=no
>        auto=start
> 
> ------------------------------------------------------------------------------
> [root at rs2 php]# vi /etc/strongswan/ipsec.secrets
> 213.xxx.168.7 91.xxx.165.136 : PSK "verysecret"
> 
> ------------------------------------------------------------------------------
> [root at rs2 php]# strongswan statusall
> Status of IKE charon daemon (strongSwan 5.0.4, Linux 3.8.13-xxxx-grs-ipv6-64, x86_64):
>  uptime: 25 minutes, since Nov 27 19:56:45 2013
>  malloc: sbrk 385656, mmap 0, used 275416, free 110240
>  worker threads: 6 of 16 idle, 9/1/0/0 working, job queue: 0/0/0/0, scheduled: 3
>  loaded plugins: charon curl aes des sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap dhcp
> Listening IP addresses:
>  91.xxx.165.136
>  2001:41d0:1:e688::1
> Connections:
>      juniper:  91.xxx.165.136...213.xxx.168.7  IKEv1/2
>      juniper:   local:  [91.xxx.165.136] uses pre-shared key authentication
>      juniper:   remote: [213.xxx.168.7] uses pre-shared key authentication
>      juniper:   child:  91.xxx.165.136/32 === 192.168.158.70/32 TUNNEL
> Security Associations (2 up, 0 connecting):
>      juniper[2]: ESTABLISHED 25 minutes ago, 91.xxx.165.136[91.xxx.165.136]...213.xxx.168.7[213.xxx.168.7]
>      juniper[2]: IKEv1 SPIs: 330e9930641ec931_i 7effcb9e460df315_r*, pre-shared key reauthentication in 2 hours
>      juniper[2]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>      juniper{1}:  INSTALLED, TUNNEL, ESP SPIs: c8658827_i e584c299_o
>      juniper{1}:  3DES_CBC/HMAC_SHA1_96, 8823 bytes_i (185 pkts, 44s ago), 3253 bytes_o (54 pkts, 104s ago), rekeying in 20 minutes
>      juniper{1}:   91.xxx.165.136/32 === 192.168.158.70/32
>      juniper[1]: CONNECTING, 91.xxx.165.136[%any]...213.xxx.168.7[%any]
>      juniper[1]: IKEv2 SPIs: 203c8d1cdfa944b1_i* 0000000000000000_r
>      juniper[1]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
> [root at rs2 php]#
> 
> ------------------------------------------------------------------------------
> [root at rs2 php]# ip route list table 220
> 192.168.158.70 via 91.xxx.165.254 dev eth0  proto static  src 91.xxx.165.136
> 
> 
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
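An added example, not from the post or from the strongSwan project: a small Python checker that parses the `strongswan statusall` output quoted above and reduces it to findings. The question in the thread is how to get more out of the status output; `statusall` already prints per-CHILD_SA byte and packet counters with the age of the last packet in each direction, and it lists every IKE_SA state, but it does not summarise them. The first sample is the posted output itself (redacted `xxx` addresses left as given); the second sample, the 180 s silence threshold and the message wording are constructed for the example. The assumption that packet ages are printed in seconds (`44s ago`) is taken from the posted output. On the posted sample the checker flags the `juniper[1]` IKEv2 SA that sits in CONNECTING next to the established IKEv1 SA; on the constructed sample it flags a CHILD_SA that still reads INSTALLED while nothing has arrived from the peer for 26 minutes, which is the symptom described in the post.

```python
import re

# Constructed sample 1: the `strongswan statusall` excerpt quoted in the post,
# with the redacted ("xxx") addresses left exactly as the poster gave them.
SAMPLE_POSTED = """\
Security Associations (2 up, 0 connecting):
     juniper[2]: ESTABLISHED 25 minutes ago, 91.xxx.165.136[91.xxx.165.136]...213.xxx.168.7[213.xxx.168.7]
     juniper[2]: IKEv1 SPIs: 330e9930641ec931_i 7effcb9e460df315_r*, pre-shared key reauthentication in 2 hours
     juniper[2]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
     juniper{1}:  INSTALLED, TUNNEL, ESP SPIs: c8658827_i e584c299_o
     juniper{1}:  3DES_CBC/HMAC_SHA1_96, 8823 bytes_i (185 pkts, 44s ago), 3253 bytes_o (54 pkts, 104s ago), rekeying in 20 minutes
     juniper{1}:   91.xxx.165.136/32 === 192.168.158.70/32
     juniper[1]: CONNECTING, 91.xxx.165.136[%any]...213.xxx.168.7[%any]
     juniper[1]: IKEv2 SPIs: 203c8d1cdfa944b1_i* 0000000000000000_r
     juniper[1]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
"""

# Constructed sample 2 (hypothetical, same layout): the posted symptom while it
# is happening. We keep sending, nothing has come back for 26 minutes, and yet
# every SA still reads as "up".
SAMPLE_SILENT = """\
Security Associations (1 up, 0 connecting):
     juniper[3]: ESTABLISHED 41 minutes ago, 91.xxx.165.136[91.xxx.165.136]...213.xxx.168.7[213.xxx.168.7]
     juniper[3]: IKEv1 SPIs: 0123456789abcdef_i fedcba9876543210_r*, pre-shared key reauthentication in 2 hours
     juniper{2}:  INSTALLED, TUNNEL, ESP SPIs: 0a0b0c0d_i 01020304_o
     juniper{2}:  3DES_CBC/HMAC_SHA1_96, 8823 bytes_i (185 pkts, 1560s ago), 5400 bytes_o (90 pkts, 30s ago), rekeying in 4 minutes
     juniper{2}:   91.xxx.165.136/32 === 192.168.158.70/32
"""

IKE_STATES = "CREATED|CONNECTING|ESTABLISHED|PASSIVE|REKEYING|REKEYED|DELETING"
CHILD_STATES = "CREATED|ROUTED|INSTALLING|INSTALLED|UPDATING|REKEYING|REKEYED|RETRYING|DELETING|DELETED"

# IKE_SA lines: "name[id]: STATE ..." and "name[id]: IKEv1 SPIs: ..."
IKE_STATE_RE = re.compile(r"^\s*(?P<name>[^\[\s]+)\[(?P<id>\d+)\]:\s+(?P<state>%s)\b" % IKE_STATES)
IKE_VER_RE = re.compile(r"^\s*(?P<name>[^\[\s]+)\[(?P<id>\d+)\]:\s+(?P<ver>IKEv[12]) SPIs")
# CHILD_SA lines: "name{id}:  STATE, MODE, ..." and the traffic-counter line.
# "(N pkts, Ns ago)" is absent until a packet has been seen, so it is optional;
# the age is assumed to be in seconds, as in the posted output.
CHILD_STATE_RE = re.compile(
    r"^\s*(?P<name>[^{\s]+)\{(?P<id>\d+)\}:\s+(?P<state>%s),\s+(?P<mode>TUNNEL|TRANSPORT|BEET)" % CHILD_STATES)
CHILD_TRAFFIC_RE = re.compile(
    r"^\s*(?P<name>[^{\s]+)\{(?P<id>\d+)\}:\s+\S+,\s+"
    r"(?P<bytes_i>\d+) bytes_i(?: \((?P<pkts_i>\d+) pkts, (?P<age_i>\d+)s ago\))?,\s+"
    r"(?P<bytes_o>\d+) bytes_o(?: \((?P<pkts_o>\d+) pkts, (?P<age_o>\d+)s ago\))?")


def parse_statusall(text):
    """Return {'ike': {(name, id): {...}}, 'child': {(name, id): {...}}} from statusall text."""
    ike, child = {}, {}
    for line in text.splitlines():
        m = IKE_STATE_RE.match(line)
        if m:
            ike.setdefault((m["name"], int(m["id"])), {})["state"] = m["state"]
            continue
        m = IKE_VER_RE.match(line)
        if m:
            ike.setdefault((m["name"], int(m["id"])), {})["version"] = m["ver"]
            continue
        m = CHILD_STATE_RE.match(line)
        if m:
            child.setdefault((m["name"], int(m["id"])), {}).update(state=m["state"], mode=m["mode"])
            continue
        m = CHILD_TRAFFIC_RE.match(line)
        if m:
            child.setdefault((m["name"], int(m["id"])), {}).update(
                bytes_i=int(m["bytes_i"]), bytes_o=int(m["bytes_o"]),
                age_i=int(m["age_i"]) if m["age_i"] else None,
                age_o=int(m["age_o"]) if m["age_o"] else None)
    return {"ike": ike, "child": child}


def check_health(status, max_inbound_silence=180):
    """Turn parsed statusall into findings. The threshold is a constructed value:
    the poster's peer sends a linktest every 60 s, so three missed ones with no
    inbound ESP at all is treated as suspicious."""
    findings = []
    for (name, sid), ike in sorted(status["ike"].items()):
        if ike.get("state") != "ESTABLISHED":
            findings.append(f"{name}[{sid}] {ike.get('version', 'IKE')} is {ike.get('state')}, not ESTABLISHED")
    if not status["child"]:
        findings.append("no CHILD_SA present: nothing can be encrypted")
    for (name, cid), c in sorted(status["child"].items()):
        if c.get("state") == "ROUTED":
            # auto=route: only a trap policy exists; the SA is negotiated on the first matching packet
            findings.append(f"{name}{{{cid}}} is ROUTED only: trap installed, tunnel not yet negotiated")
        elif c.get("state") != "INSTALLED":
            findings.append(f"{name}{{{cid}}} is {c.get('state')}, not INSTALLED")
        elif c.get("bytes_o", 0) and not c.get("bytes_i", 0):
            findings.append(f"{name}{{{cid}}} sends but has never received: one-way tunnel")
        elif c.get("age_i") is not None and c["age_i"] > max_inbound_silence:
            findings.append(f"{name}{{{cid}}} no inbound ESP for {c['age_i']}s (last outbound {c.get('age_o')}s ago)")
    return findings


if __name__ == "__main__":
    for label, sample in (("posted output", SAMPLE_POSTED), ("constructed silent output", SAMPLE_SILENT)):
        print(f"== {label}")
        for finding in check_health(parse_statusall(sample)) or ["no findings"]:
            print("  -", finding)
```

Feed it live with `strongswan statusall | python3 checker.py` after replacing the samples with `sys.stdin.read()`; the inbound-silence finding is the one that distinguishes "the peer stopped answering" from "our SA is gone", which is what the post needs before pointing at the Juniper side. If the connection is switched to `auto=route` as suggested in the reply, an idle connection shows up as ROUTED rather than INSTALLED, so the ROUTED finding is informational, not an error.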
