[strongSwan] Redundant network connections - messed up SAs
Steffen Heise
foolix81-nerd at yahoo.de
Thu Nov 28 00:03:09 CET 2013
Hello,
I have a problem with a somewhat complicated setup and I need some help.
In my example strongswan mixes up settings from different connection
definitions. Either because I messed it up (again) or because it
interprets the configuration wrongly.
I am sort of desperate so any help is greatly appreciated :-)
I have several hosts that I want to use IPSec (transport) for certain
protocols. For redundancy they can communicate over two separate
networks (net1, net2).
--+------+-------+--------+-- net1
  |      |       |        |
ALICE   BOB   CHARLIE   DAVE
  |      |       |        |
--+------+-------+--------+-- net2
ALICE has IP 172.22.105.93 (net1)
BOB has IP 172.22.105.35 (net1)
(I have not yet tested net2 ...)
ALICE provides a service on port 1337.
BOB provides a service on port 13370.
I want ALICE to negotiate IPSec parameters with every host that wants to
connect to port 1337.
As I do not know which network the partner chooses to use, I have to use
%any for the left= parameter. (There are more than two networks in
reality, so I try to avoid configuring every interface separately.)
As I do not know which partner tries to connect, I have to use %any for
the right= parameter too. (same thing, more hosts in reality)
_The scenario works fine_
BOB connects to port 1337 on ALICE and the negotiation starts and ends
with a correct xfrm state.
If BOB connects to the same service again, the policy is already there.
No need to negotiate a second time.
Now I also want BOB to offer a service on port 13370 in the same way
ALICE does.
_The scenario stops working_
BOB connects to port 1337 on ALICE and the negotiation starts and ends
with an *incorrect* xfrm state.
If BOB connects to the same service again, strongswan renegotiates
again. Every connection attempt results in additional SAs being created.
The listings below describe that situation.
*ALICE* ~# cat /etc/ipsec.conf
config setup
    charonstart=yes
    plutostart=no

conn %default
    auto=route
    dpdaction=hold
    dpddelay=10s
    esp=aes192-sha2_256-modp2048s256!
    ike=aes256-sha2_256-modp2048s256!
    ikelifetime=180m
    keyexchange=ikev2
    keyingtries=10
    keylife=60m
    leftcert=my_public_key.pem
    mobike=yes
    rekeymargin=10m
    type=transport

conn foo-in
    left=%any
    right=%any
    rightid="C=DE, ST=HE, L=FFM, O=TEST-CA, OU=TEST-OU, CN=*"
    leftprotoport=tcp/1337

conn bar-out
    left=%any
    right=172.22.105.35
    rightid="C=DE, ST=HE, L=FFM, O=TEST-CA, OU=TEST-OU, CN=*"
    rightprotoport=tcp/13370
*BOB* ~# cat /etc/ipsec.conf
config setup
    charonstart=yes
    plutostart=no
    charondebug="net 0, enc 0"

conn %default
    auto=route
    dpdaction=hold
    dpddelay=10s
    esp=aes192-sha2_256-modp2048s256!
    ike=aes256-sha2_256-modp2048s256!
    ikelifetime=180m
    keyexchange=ikev2
    keyingtries=10
    keylife=60m
    leftcert=my_public_key.pem
    mobike=yes
    rekeymargin=10m
    type=transport

conn foo-out
    left=%any
    right=172.22.105.93
    rightid="C=DE, ST=HE, L=FFM, O=TEST-CA, OU=TEST-OU, CN=*"
    rightprotoport=tcp/1337

conn bar-in
    left=%any
    right=%any
    rightid="C=DE, ST=HE, L=FFM, O=TEST-CA, OU=TEST-OU, CN=*"
    leftprotoport=tcp/13370
*ALICE* ~# ip xfrm policy
src 172.22.105.35/32 dst 172.22.105.93/32 proto tcp sport 13370
    dir in priority 2677 ptype main
    tmpl src 172.22.105.35 dst 172.22.105.93
        proto esp reqid 2 mode transport
src 172.22.105.93/32 dst 172.22.105.35/32 proto tcp dport 13370
    dir out priority 2678 ptype main
    tmpl src 172.22.105.93 dst 172.22.105.35
        proto esp reqid 2 mode transport
src 0.0.0.0/0 dst 172.22.105.93/32 proto tcp dport 1337
    dir in priority 2998 ptype main
    tmpl src 0.0.0.0 dst 172.22.105.93
        proto esp reqid 1 mode transport
src 172.22.105.93/32 dst 0.0.0.0/0 proto tcp sport 1337
    dir out priority 2677 ptype main
    tmpl src 172.22.105.93 dst 0.0.0.0
        proto esp reqid 1 mode transport
*BOB* ~# # First connection to ALICE
*BOB* ~# netcat ALICE 1337
*ALICE* ~# ip xfrm state
src 172.22.105.93 dst 172.22.105.35
    proto esp spi 0xc088740f reqid 4 mode transport
    replay-window 32
    auth hmac(sha256) 0xcb14bb13b03800d52730f62da8bc6d8d2108a423926650cfe4ceff5162194ee8
    enc cbc(aes) 0xbca419329ecdeb07629d9f14e5b7b57120d5924974fd77cb
    sel src 172.22.105.93/32 dst 172.22.105.35/32 proto tcp sport 1337 dport 13370
src 172.22.105.35 dst 172.22.105.93
    proto esp spi 0xc44ef7dc reqid 4 mode transport
    replay-window 32
    auth hmac(sha256) 0x7d29272491342121e79397ee3337c4a4ba75ac2dc9d61cea6d1678707254301a
    enc cbc(aes) 0xe86462a6630ff165893114e8c439ad088ce92a7964b0158f
    sel src 172.22.105.35/32 dst 172.22.105.93/32 proto tcp sport 13370 dport 1337
src 172.22.105.93 dst 172.22.105.35
    proto esp spi 0xccff8ca2 reqid 3 mode transport
    replay-window 32
    auth hmac(sha256) 0xf48b4e0925dbba97a0ebac6bd1b184ab2c5208ab260166cb62183a5626d648be
    enc cbc(aes) 0xcc03f25ef01e688dd4574bb3ea1e7799ee775ccecac109a7
    sel src 172.22.105.93/32 dst 172.22.105.35/32 proto tcp sport 1337 dport 13370
src 172.22.105.35 dst 172.22.105.93
    proto esp spi 0xc52f6147 reqid 3 mode transport
    replay-window 32
    auth hmac(sha256) 0xd9df12fc560a2397569f7f71c58847b69bd3c7c6cf0b733511acad0bbec127dc
    enc cbc(aes) 0x5165ea3fe6810992bad5878eabe1b27e1adf9f3e0a6efbf3
    sel src 172.22.105.35/32 dst 172.22.105.93/32 proto tcp sport 13370 dport 1337
*BOB* ~# # Second connection to ALICE
*BOB* ~# netcat ALICE 1337
*ALICE* ~# ip xfrm state
src 172.22.105.93 dst 172.22.105.35
    proto esp spi 0xc2fafd0c reqid 7 mode transport
    replay-window 32
    auth hmac(sha256) 0x227778cd01e699a4a4d74eb5561753895de148beb11b9fb9140598b58ae073a0
    enc cbc(aes) 0x081b1b6fa89144c61b4590dabb45a819e2eafabc2408ed37
    sel src 172.22.105.93/32 dst 172.22.105.35/32 proto tcp sport 1337 dport 13370
src 172.22.105.35 dst 172.22.105.93
    proto esp spi 0xc81db4e9 reqid 7 mode transport
    replay-window 32
    auth hmac(sha256) 0x5c3e1627094b2982e19be25a591cdf586cc30e18424b99bda078e34f26e448f7
    enc cbc(aes) 0xa34883bfcb1ebcae3fc3acf24e952cbc61324ef5ccfa3d10
    sel src 172.22.105.35/32 dst 172.22.105.93/32 proto tcp sport 13370 dport 1337
src 172.22.105.93 dst 172.22.105.35
    proto esp spi 0xc673e089 reqid 6 mode transport
    replay-window 32
    auth hmac(sha256) 0x075b9c5dfd243c410c5c8c0c22d5d32cf9c0a09699333038dd07fced7d825247
    enc cbc(aes) 0xbf8185f7c92d49eabd95160b7de5a250636803c73f901cc5
    sel src 172.22.105.93/32 dst 172.22.105.35/32 proto tcp sport 1337 dport 13370
src 172.22.105.35 dst 172.22.105.93
    proto esp spi 0xc23e5137 reqid 6 mode transport
    replay-window 32
    auth hmac(sha256) 0x004c2223aab3d78e2d09b32117102bb788f91da6c84e46eeb695b7c32f64e43c
    enc cbc(aes) 0xe81ad3a811e5e6252ab35197d507622a956bc60495a1a907
    sel src 172.22.105.35/32 dst 172.22.105.93/32 proto tcp sport 13370 dport 1337
src 172.22.105.93 dst 172.22.105.35
    proto esp spi 0xce331620 reqid 5 mode transport
    replay-window 32
    auth hmac(sha256) 0xc3de204d38da753eb23ae8a72886b914e3a571466476c753de0c514cf507fe8e
    enc cbc(aes) 0x3c49a5e82200fa1b9e75a17bda924f3d89c6302a3fa6825c
    sel src 172.22.105.93/32 dst 172.22.105.35/32 proto tcp sport 1337 dport 13370
src 172.22.105.35 dst 172.22.105.93
    proto esp spi 0xc48b130c reqid 5 mode transport
    replay-window 32
    auth hmac(sha256) 0x1d5ea9827c62789398b2c30e992ec941a5fb32ddbda7f633f819d5b0ecbe75b7
    enc cbc(aes) 0x33c3642ab38aebfc5f48e29432332699e14d014ab8e12010
    sel src 172.22.105.35/32 dst 172.22.105.93/32 proto tcp sport 13370 dport 1337
src 172.22.105.93 dst 172.22.105.35
    proto esp spi 0xc088740f reqid 4 mode transport
    replay-window 32
    auth hmac(sha256) 0xcb14bb13b03800d52730f62da8bc6d8d2108a423926650cfe4ceff5162194ee8
    enc cbc(aes) 0xbca419329ecdeb07629d9f14e5b7b57120d5924974fd77cb
    sel src 172.22.105.93/32 dst 172.22.105.35/32 proto tcp sport 1337 dport 13370
src 172.22.105.35 dst 172.22.105.93
    proto esp spi 0xc44ef7dc reqid 4 mode transport
    replay-window 32
    auth hmac(sha256) 0x7d29272491342121e79397ee3337c4a4ba75ac2dc9d61cea6d1678707254301a
    enc cbc(aes) 0xe86462a6630ff165893114e8c439ad088ce92a7964b0158f
    sel src 172.22.105.35/32 dst 172.22.105.93/32 proto tcp sport 13370 dport 1337
src 172.22.105.93 dst 172.22.105.35
    proto esp spi 0xccff8ca2 reqid 3 mode transport
    replay-window 32
    auth hmac(sha256) 0xf48b4e0925dbba97a0ebac6bd1b184ab2c5208ab260166cb62183a5626d648be
    enc cbc(aes) 0xcc03f25ef01e688dd4574bb3ea1e7799ee775ccecac109a7
    sel src 172.22.105.93/32 dst 172.22.105.35/32 proto tcp sport 1337 dport 13370
src 172.22.105.35 dst 172.22.105.93
    proto esp spi 0xc52f6147 reqid 3 mode transport
    replay-window 32
    auth hmac(sha256) 0xd9df12fc560a2397569f7f71c58847b69bd3c7c6cf0b733511acad0bbec127dc
    enc cbc(aes) 0x5165ea3fe6810992bad5878eabe1b27e1adf9f3e0a6efbf3
    sel src 172.22.105.35/32 dst 172.22.105.93/32 proto tcp sport 13370 dport 1337
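The "every connection attempt creates additional SAs" symptom in the listings above can be confirmed mechanically rather than by eye. The following is an added example, not part of the original post and not strongSwan code: it parses `ip xfrm state` output, groups SAs by their `sel` selector and reports every selector that is covered by more than one SA in the same direction. The embedded sample is constructed in the shape of the listing above (key material omitted); on a live host feed it the real output of `ip xfrm state`.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the `ip xfrm state` output in the post
# (replay-window, auth and enc lines omitted): two SA pairs, reqid 3 and
# reqid 4, cover the identical selector in each direction.
SAMPLE_STATE = """\
src 172.22.105.93 dst 172.22.105.35
    proto esp spi 0xc088740f reqid 4 mode transport
    sel src 172.22.105.93/32 dst 172.22.105.35/32 proto tcp sport 1337 dport 13370
src 172.22.105.35 dst 172.22.105.93
    proto esp spi 0xc44ef7dc reqid 4 mode transport
    sel src 172.22.105.35/32 dst 172.22.105.93/32 proto tcp sport 13370 dport 1337
src 172.22.105.93 dst 172.22.105.35
    proto esp spi 0xccff8ca2 reqid 3 mode transport
    sel src 172.22.105.93/32 dst 172.22.105.35/32 proto tcp sport 1337 dport 13370
src 172.22.105.35 dst 172.22.105.93
    proto esp spi 0xc52f6147 reqid 3 mode transport
    sel src 172.22.105.35/32 dst 172.22.105.93/32 proto tcp sport 13370 dport 1337
"""

SA_HEADER = re.compile(r"^src (\S+) dst (\S+)$")   # unindented line: starts a new SA
SPI_LINE = re.compile(r"proto esp spi (0x[0-9a-f]+) reqid (\d+) mode (\w+)")

def parse_xfrm_state(text):
    """Return one dict per SA: src, dst, spi, reqid, mode and the 'sel' selector."""
    sas, cur = [], None
    for line in text.splitlines():
        head = SA_HEADER.match(line.rstrip())
        if head:
            cur = {"src": head.group(1), "dst": head.group(2)}
            sas.append(cur)
        elif cur is not None and (m := SPI_LINE.search(line)):
            cur["spi"], cur["reqid"], cur["mode"] = m.group(1), int(m.group(2)), m.group(3)
        elif cur is not None and line.strip().startswith("sel "):
            cur["sel"] = " ".join(line.split()[1:])    # normalise whitespace of wrapped output
    return sas

def duplicate_sas(sas):
    """Selectors covered by more than one SA in the same direction -> [(reqid, spi), ...]."""
    by_sel = defaultdict(list)
    for sa in sas:
        by_sel[sa.get("sel")].append((sa["reqid"], sa["spi"]))
    return {sel: sorted(v) for sel, v in by_sel.items() if len(v) > 1}

if __name__ == "__main__":
    for sel, pairs in duplicate_sas(parse_xfrm_state(SAMPLE_STATE)).items():
        print(f"{len(pairs)} SAs for selector '{sel}': {pairs}")
```

A healthy transport-mode setup yields an empty result; one entry per direction with climbing reqids is exactly the renegotiation-on-every-connect behaviour described in the post.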