[strongSwan] other side not reachable until first rekeying

Klaus Kinkelmann klaus.kinkelmann at googlemail.com
Mon Mar 10 12:57:02 CET 2014


Dear strongswan users,

I have installed a self-compiled strongSwan 5.1.1 on my Ubuntu 12.04 server. On the other side there is a Fritzbox 7360
with the newest firmware. After some trial and error I found a configuration where the Fritzbox can establish a LAN-to-LAN connection.

There is just one problem left. Directly after starting/restarting strongSwan I can't reach the other side by ping or by
an HTTP request, no matter from which side I try, but the connection is established. In my syslog I see messages like this
as a response to every ping request from the Fritzbox side:
Feb  2 18:54:18 h2257975 charon: 05[NET] received packet: from 85.178.xxx.xx[4500] to 85.178.xxx.xx[4500] (92 bytes)
Feb  2 18:54:18 h2257975 charon: 05[ENC] parsed INFORMATIONAL_V1 request 1027839158 [ HASH N(DPD) ]
Feb  2 18:54:18 h2257975 charon: 05[ENC] generating INFORMATIONAL_V1 request 3931842864 [ HASH N(DPD_ACK) ]
Feb  2 18:54:18 h2257975 charon: 05[NET] sending packet: from 85.178.xxx.xx[4500] to 85.178.xxx.xx[4500] (92 bytes)
Feb  2 18:55:21 h2257975 charon: 07[NET] received packet: from 85.178.xxx.xx[4500] to 85.178.xxx.xx[4500] (92 bytes)
Feb  2 18:55:21 h2257975 charon: 07[ENC] parsed INFORMATIONAL_V1 request 1680524696 [ HASH N(DPD) ]
Feb  2 18:55:21 h2257975 charon: 07[ENC] generating INFORMATIONAL_V1 request 2431241367 [ HASH N(DPD_ACK) ]
Feb  2 18:55:21 h2257975 charon: 07[NET] sending packet: from 85.178.xxx.xx[4500] to 85.178.xxx.xx[4500] (92 bytes)

Then after some time the ping starts to work, and then no messages appear in syslog. It took me some time to figure out
what the trigger is that makes it start working, and now I have found it: it is the rekeying. After the first rekeying
everything is fine. I have reproduced that several times with different rekey intervals.

ipsec statusall output:
Status of IKE charon daemon (strongSwan 5.1.1, Linux 3.2.0-58-virtual, x86_64):
   uptime: 13 hours, since Feb 02 19:19:36 2014
   malloc: sbrk 270336, mmap 0, used 194016, free 76320
   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
   81.169.xxx.xx
   192.168.2.1
Connections:
fritzbox:  81.169.xxx.xx...yyyyyyyy.myfritz.net  IKEv1/2
fritzbox:   local:  [81.169.xxx.xx] uses pre-shared key authentication
fritzbox:   remote: [yyyyyyyy.myfritz.net] uses pre-shared key authentication
fritzbox:   child:  192.168.2.0/24 === 192.168.1.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
fritzbox[55]: ESTABLISHED 17 minutes ago, 81.169.xxx.xx[81.169.xxx.xx]...85.178.xxx.xx[yyyyyyyy.myfritz.net]
fritzbox[55]: IKEv1 SPIs: 70a65e9ece5a250a_i* cc1793981d9d5756_r, pre-shared key reauthentication in 29 minutes
fritzbox[55]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
fritzbox{4}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c7bc8bcb_i 92ba0970_o
fritzbox{4}:  AES_CBC_256/HMAC_SHA1_96, 1920 bytes_i (32 pkts, 1s ago), 1920 bytes_o (32 pkts, 1s ago), rekeying in 14 minutes
fritzbox{4}:   192.168.2.0/24 === 192.168.1.0/24

The question is what I can do to make it work right from the start and not only after the first rekeying happens.

Thank you for your help!
Klaus
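Added example, not part of Klaus's post and not strongSwan project code: a small Python check that parses the CHILD_SA counters from `ipsec statusall` and the charon DPD log lines quoted above, and separates "IKE SA up, DPD answered, but no ESP packets counted" from a healthy tunnel. The sample input is the post's own output plus one constructed "stalled" CHILD_SA; it assumes the 5.1.x statusall layout shown in the post and that an idle CHILD_SA prints `0 bytes_i, 0 bytes_o` without the packet count in parentheses (an assumption, written into the constructed sample).

```python
import re

# Sample input copied from the post above (addresses redacted as in the post):
# the CHILD_SA lines of `ipsec statusall` once traffic was flowing, and the
# charon syslog lines showing the Fritzbox's DPD requests being answered.
STATUSALL_WORKING = (
    "fritzbox{4}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c7bc8bcb_i 92ba0970_o\n"
    "fritzbox{4}:  AES_CBC_256/HMAC_SHA1_96, 1920 bytes_i (32 pkts, 1s ago), "
    "1920 bytes_o (32 pkts, 1s ago), rekeying in 14 minutes\n"
    "fritzbox{4}:   192.168.2.0/24 === 192.168.1.0/24\n"
)
# Constructed sample (assumption): the same SA right after a restart, before
# any ESP packet was counted, in the form charon uses for idle counters.
STATUSALL_STALLED = (
    "fritzbox{4}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c7bc8bcb_i 92ba0970_o\n"
    "fritzbox{4}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 14 minutes\n"
    "fritzbox{4}:   192.168.2.0/24 === 192.168.1.0/24\n"
)
CHARON_LOG = """\
Feb  2 18:54:18 h2257975 charon: 05[NET] received packet: from 85.178.xxx.xx[4500] to 85.178.xxx.xx[4500] (92 bytes)
Feb  2 18:54:18 h2257975 charon: 05[ENC] parsed INFORMATIONAL_V1 request 1027839158 [ HASH N(DPD) ]
Feb  2 18:54:18 h2257975 charon: 05[ENC] generating INFORMATIONAL_V1 request 3931842864 [ HASH N(DPD_ACK) ]
Feb  2 18:54:18 h2257975 charon: 05[NET] sending packet: from 85.178.xxx.xx[4500] to 85.178.xxx.xx[4500] (92 bytes)
Feb  2 18:55:21 h2257975 charon: 07[NET] received packet: from 85.178.xxx.xx[4500] to 85.178.xxx.xx[4500] (92 bytes)
Feb  2 18:55:21 h2257975 charon: 07[ENC] parsed INFORMATIONAL_V1 request 1680524696 [ HASH N(DPD) ]
Feb  2 18:55:21 h2257975 charon: 07[ENC] generating INFORMATIONAL_V1 request 2431241367 [ HASH N(DPD_ACK) ]
Feb  2 18:55:21 h2257975 charon: 07[NET] sending packet: from 85.178.xxx.xx[4500] to 85.178.xxx.xx[4500] (92 bytes)
"""

# "name{id}:  STATE, MODE, ESP [in UDP] SPIs: ..." opens a CHILD_SA entry.
STATE_RE = re.compile(r"^(\S+?)\{(\d+)\}:\s+(\w+), (\w+), (ESP|AH)(?: in UDP)? SPIs:")
# "N bytes_i (P pkts, AGE ago)" once traffic has flowed, plain "N bytes_i" otherwise.
COUNTER_RE = re.compile(r"(\d+) bytes_(i|o)(?: \((\d+) pkts(?:, ([^)]*?) ago)?\))?")


def parse_child_sas(statusall: str) -> dict:
    """Return {"name{id}": {...}} with state, mode and per-direction counters."""
    sas = {}
    for line in statusall.splitlines():
        m = STATE_RE.match(line)
        if m:
            key = f"{m.group(1)}{{{m.group(2)}}}"
            sas[key] = {"state": m.group(3), "mode": m.group(4), "udp_encap": " in UDP" in line,
                        "bytes_i": 0, "pkts_i": 0, "bytes_o": 0, "pkts_o": 0}
            continue
        key = line.split(":", 1)[0]
        if key in sas and " bytes_" in line:
            for nbytes, direction, pkts, _age in COUNTER_RE.findall(line):
                sas[key]["bytes_" + direction] = int(nbytes)
                sas[key]["pkts_" + direction] = int(pkts or 0)  # '' when no pkts shown
    return sas


def count_dpd(log: str) -> dict:
    """Count DPD requests received from the peer and DPD_ACKs this side sent."""
    counts = {"dpd_received": 0, "dpd_ack_sent": 0}
    for line in log.splitlines():
        if "parsed INFORMATIONAL_V1 request" in line and "N(DPD) ]" in line:
            counts["dpd_received"] += 1
        elif "generating INFORMATIONAL_V1 request" in line and "N(DPD_ACK) ]" in line:
            counts["dpd_ack_sent"] += 1
    return counts


def assess(sas: dict, dpd: dict) -> list:
    """One finding per CHILD_SA that is not carrying ESP traffic in both directions."""
    findings = []
    for key, sa in sas.items():
        if sa["state"] != "INSTALLED":
            findings.append(f"{key}: CHILD_SA state {sa['state']}, not usable yet")
            continue
        quiet = [d for d in ("i", "o") if sa["pkts_" + d] == 0]
        if not quiet:
            continue
        msg = f"{key}: INSTALLED but no ESP packets {'/'.join(quiet)}"
        if dpd["dpd_received"] and dpd["dpd_ack_sent"]:
            # DPD rides on the IKE SA over UDP 4500, so the peer and the UDP path
            # are fine; what is missing is the ESP traffic itself.
            msg += " (IKE path works: DPD answered, so look at ESP/policy, not reachability)"
        findings.append(msg)
    return findings


if __name__ == "__main__":
    dpd = count_dpd(CHARON_LOG)
    for label, text in (("working", STATUSALL_WORKING), ("stalled", STATUSALL_STALLED)):
        findings = assess(parse_child_sas(text), dpd)
        print(f"{label}: {findings or ['all CHILD_SAs carrying traffic both ways']}")
```

Run against live output (`ipsec statusall` and the charon lines from syslog) right after a restart and again after the first rekeying: if the stalled CHILD_SA shows zero packets in one direction only, that tells you which side is not handing packets to the tunnel, which narrows the search considerably compared with "ping does not work".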
