[strongSwan] Output hangs, eventually completes
John Emerson
jemerson at irise.com
Wed Oct 8 23:15:48 CEST 2014
Hello.
I have what appears to be a working strongSwan VPN between a client VMware Fusion Ubuntu instance (running on OS X 10.9.5) and a server AWS EC2 Ubuntu instance
that is within a VPC. From the client, I ssh to the server to do work. I use this VPN without issue for many minutes. Then I perform some command like ‘ps -ef’ or ‘vi foo’ and the VPN output hangs.
While ‘hung’, from another shell session I still see heartbeats on the VPN. If I wait around long enough (30 minutes or less), output from the command eventually is fully written after which I see a shell prompt.
Details -
The client (VMware Fusion Ubuntu instance) connects over two VPNs to two different EC2 instances in the AWS VPC.
While hung in one shell, using a different shell, I can connect to the same machine over the same VPN and work normally.
I would greatly appreciate any help in this regard. Configs and ‘ipsec statusall’ output below.
BTW: I made a query regarding pricing for professional services in this regard, but got no response.
Thank you,
John Emerson
Here are the configs:
Client:
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    # strictcrlpolicy=yes
    # uniqueids = no

# Add connections here.

# Settings shared by both road-warrior connections below:
# IKEv2, certificate authentication, a virtual IP requested from the
# gateway's pool, updown-managed firewall rules, and auto=start so
# charon brings both tunnels up at startup.
conn %default
    keyexchange=ikev2
    left=%any
    leftsourceip=%config
    leftid=user@company.com
    leftfirewall=yes
    leftcert=UserCert.pem
    auto=start

# Gateway in us-west-1b; rightcert pins the peer's certificate.
conn vpn1
    right=XX.XXX.XXX.XXX
    rightsubnet=10.0.0.0/28
    rightid=bhost-us-west-1b
    rightcert=vpnHostCert-1b.pem

# Gateway in us-west-1c.
conn vpn2
    right=YY.YYY.YYY.YY
    rightsubnet=10.0.0.16/28
    rightid=bhost-us-west-1c
    rightcert=vpnHostCert-1c.pem
Server:
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    # strictcrlpolicy=yes
    # uniqueids = no
    # charondebug="ike 2,cfg 2, dmn 2, ike 2, net 2"

# Add connections here.

# Sample VPN connections

# Lifetimes shared by all conns: IKE_SA reauthentication every 60 minutes,
# CHILD_SA rekeying every 20 minutes, with replacement negotiation starting
# 3 minutes before expiry; a single keying attempt.
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

# Road-warrior responder: accepts any peer presenting a valid certificate
# and assigns it a virtual IP from rightsourceip. leftsubnet is the whole
# VPC; the client's narrower rightsubnet (10.0.0.0/28) is selected from
# within it during CHILD_SA negotiation.
conn rw
    left=10.0.0.6
    leftid=bhost-us-west-1b
    leftcert=vpnHostCert.pem
    leftsubnet=10.0.0.0/16
    leftfirewall=yes
    right=%any
    rightsourceip=10.100.255.0/28
    auto=add
Here’s output from ‘ipsec statusall’:
Client:

Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-35-generic, i686):
  uptime: 2 hours, since Oct 08 18:20:44 2014
  malloc: sbrk 536576, mmap 0, used 217608, free 318968
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 20
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock
Listening IP addresses:
  172.16.202.127
Connections:
  vpn1:  %any...XX.XXX.XXX.XXX  IKEv2
  vpn1:   local:  [user@company.com] uses public key authentication
  vpn1:    cert:  "C=USA, O=Comp, CN=user@company.com"
  vpn1:   remote: [bhost-us-west-1b] uses public key authentication
  vpn1:    cert:  "C=USA, O=Comp, CN=bhost-us-west-1b"
  vpn1:   child:  dynamic === 10.0.0.0/28 TUNNEL
  vpn2:  %any...YY.YYY.YYY.YY  IKEv2
  vpn2:   local:  [user@company.com] uses public key authentication
  vpn2:    cert:  "C=USA, O=Comp, CN=user@company.com"
  vpn2:   remote: [bhost-us-west-1c] uses public key authentication
  vpn2:    cert:  "C=USA, O=Comp, CN=bhost-us-west-1c"
  vpn2:   child:  dynamic === 10.0.0.16/28 TUNNEL
Security Associations (2 up, 0 connecting):
  vpn2[8]: ESTABLISHED 16 minutes ago, 172.16.202.127[user@company.com]...YY.YYY.YYY.YY[bhost-us-west-1c]
  vpn2[8]: IKEv2 SPIs: 90c6e80b0f6fedae_i* 507a473dceef9f7a_r, public key reauthentication in 31 minutes
  vpn2[8]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  vpn2{2}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c262c9b1_i c8349d47_o
  vpn2{2}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 43 minutes
  vpn2{2}:   10.200.255.2/32 === 10.0.0.16/28
  vpn1[7]: ESTABLISHED 16 minutes ago, 172.16.202.127[user@company.com]...XX.XXX.XXX.XXX[bhost-us-west-1b]
  vpn1[7]: IKEv2 SPIs: 23c056b711428b42_i* e94c5ed23faad055_r, public key reauthentication in 30 minutes
  vpn1[7]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  vpn1{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c59feb1d_i c84ee785_o
  vpn1{1}:  AES_CBC_128/HMAC_SHA1_96, 788 bytes_i (8 pkts, 11s ago), 1064 bytes_o (15 pkts, 11s ago), rekeying in 45 minutes
  vpn1{1}:   10.100.255.1/32 === 10.0.0.0/28
Server:

Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-29-generic, x86_64):
  uptime: 2 hours, since Oct 08 18:20:59 2014
  malloc: sbrk 1486848, mmap 0, used 368320, free 1118528
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 rdrand random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock
Virtual IP pools (size/online/offline):
  10.100.255.0/28: 14/1/0
Listening IP addresses:
  10.0.0.6
Connections:
  rw:  10.0.0.6...%any  IKEv2
  rw:   local:  [bhost-us-west-1b] uses public key authentication
  rw:    cert:  "C=USA, O=Comp, CN=bhost-us-west-1b"
  rw:   remote: uses public key authentication
  rw:   child:  10.0.0.0/16 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
  rw[4]: ESTABLISHED 15 minutes ago, 10.0.0.6[bhost-us-west-1b]...ZZ.ZZZ.ZZZ.Z[user@company.com]
  rw[4]: IKEv2 SPIs: 23c056b711428b42_i e94c5ed23faad055_r*, public key reauthentication in 40 minutes
  rw[4]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  rw{4}:  INSTALLED, TUNNEL, ESP in UDP SPIs: cd9ac65c_i cb84ca73_o
  rw{4}:  AES_CBC_128/HMAC_SHA1_96, 14785 bytes_i (164 pkts, 0s ago), 14045 bytes_o (102 pkts, 301s ago), rekeying in 43 seconds
  rw{4}:   10.0.0.0/28 === 10.100.255.1/32
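A consistency check of the two ipsec.conf fragments above, added here as an example; it is not part of the post and not strongSwan code, and every function name in it is hypothetical. It folds `conn %default` into each conn the way the daemon does, pairs each client conn with the server conn whose leftid it names, and reports identity, keyexchange, subnet-containment and virtual-IP mismatches. The containment test matters because an IKEv2 responder can only narrow the initiator's proposed traffic selector to what its leftsubnet covers, never widen it: 10.0.0.0/28 inside 10.0.0.0/16 negotiates cleanly (which is what both statusall dumps show), whereas a client subnet outside leftsubnet fails CHILD_SA setup with TS_UNACCEPTABLE. The config texts are the post's own, with the list archive's "user at company.com" restored to user@company.com; since the post includes only the us-west-1b gateway's config, vpn2 is reported as having no matching server conn rather than as an error.

```python
"""Cross-check a strongSwan road-warrior client's ipsec.conf against the
gateway's ipsec.conf. Hypothetical helper written for this example, not part
of strongSwan; both configs are transcribed from the post above, with the list
archive's "user at company.com" obfuscation restored."""
import ipaddress
import re

CLIENT_CONF = """\
conn %default
    keyexchange=ikev2
    left=%any
    leftsourceip=%config
    leftid=user@company.com
    leftfirewall=yes
    leftcert=UserCert.pem
    auto=start
conn vpn1
    right=XX.XXX.XXX.XXX
    rightsubnet=10.0.0.0/28
    rightid=bhost-us-west-1b
    rightcert=vpnHostCert-1b.pem
conn vpn2
    right=YY.YYY.YYY.YY
    rightsubnet=10.0.0.16/28
    rightid=bhost-us-west-1c
    rightcert=vpnHostCert-1c.pem
"""

SERVER_CONF = """\
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
conn rw
    left=10.0.0.6
    leftid=bhost-us-west-1b
    leftcert=vpnHostCert.pem
    leftsubnet=10.0.0.0/16
    leftfirewall=yes
    right=%any
    rightsourceip=10.100.255.0/28
    auto=add
"""

SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")


def parse_ipsec_conf(text):
    """Return {conn_name: params}, with 'conn %default' folded into every other
    conn; an explicit key in the conn wins, as in strongSwan."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            sections[current] = {}
        elif current is None or "=" not in line:
            raise ValueError("parameter outside a section: %r" % raw)
        else:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    default = sections.get(("conn", "%default"), {})
    conns = {}
    for (kind, name), params in sections.items():
        if kind == "conn" and name != "%default":
            conns[name] = dict(default)
            conns[name].update(params)
    return conns


def check_pair(client, server):
    """Mismatches between one client conn and the server conn it should hit."""
    findings = []
    if client.get("keyexchange", "ike") != server.get("keyexchange", "ike"):
        findings.append("keyexchange differs")
    if client.get("rightid") != server.get("leftid"):
        findings.append("client rightid %r != server leftid %r"
                        % (client.get("rightid"), server.get("leftid")))
    want = ipaddress.ip_network(client.get("rightsubnet", "0.0.0.0/0"))
    offer = ipaddress.ip_network(server.get("leftsubnet", "0.0.0.0/0"))
    if not want.subnet_of(offer):          # the responder can only narrow, never widen
        findings.append("client rightsubnet %s is not inside server leftsubnet %s"
                        % (want, offer))
    if client.get("leftsourceip") == "%config" and "rightsourceip" not in server:
        findings.append("client asks for a virtual IP but server has no rightsourceip pool")
    return findings


def cross_check(client_text, server_text):
    """Pair every client conn with the server conn whose leftid it names and
    return {client_conn: findings}; an empty list means nothing mismatched."""
    by_leftid = {s.get("leftid"): s for s in parse_ipsec_conf(server_text).values()}
    report = {}
    for name, client in parse_ipsec_conf(client_text).items():
        server = by_leftid.get(client.get("rightid"))
        if server is None:
            report[name] = ["no server conn with leftid %r in the supplied config"
                            % client.get("rightid")]
        else:
            report[name] = check_pair(client, server)
    return report
```

`cross_check(CLIENT_CONF, SERVER_CONF)` returns an empty finding list for vpn1 and a single "no server conn" entry for vpn2. To use it on a live pair of hosts, read each side's ipsec.conf into the two strings; the parser accepts both indented and unindented parameter lines, although strongSwan itself requires the indentation.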
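The byte and packet counters in `ipsec statusall` are kept per CHILD_SA, and the dumps above already show an asymmetry worth a second look: the server's rw{4} has received 164 packets with the most recent 0s ago but last sent a packet 301s ago, while the client's vpn1{1} shows both directions 11s ago. The parser below is an added example, not part of the post and not strongSwan code, with hypothetical function names: it extracts each CHILD_SA's state, encapsulation, SPIs, counters and negotiated traffic selectors and flags an SA whose two directions disagree. Both inputs are the Security Associations sections from the post (with the archive's "user at company.com" restored). Two caveats: the fresh/stale thresholds are an assumption and should follow the peers' DPD and keepalive timing, and because the counters aggregate every flow inside the SA, one stalled TCP session in an otherwise busy tunnel will not show up, so this is a triage signal rather than a diagnosis. The "ESP in UDP" encapsulation it records on both sides means NAT traversal is active: the client sits behind Fusion's NAT at 172.16.202.127, and the gateway listens on 10.0.0.6 while being reached at its EC2 public address.

```python
"""Read the CHILD_SA lines of 'ipsec statusall' and flag SAs whose traffic
counters show one direction alive while the other has gone quiet. Hypothetical
helper written for this example, not part of strongSwan; the two dumps are the
Security Associations sections from the post above (the archive's
"user at company.com" restored to user@company.com)."""
import re

CLIENT_STATUS = """\
Security Associations (2 up, 0 connecting):
  vpn2[8]: ESTABLISHED 16 minutes ago, 172.16.202.127[user@company.com]...YY.YYY.YYY.YY[bhost-us-west-1c]
  vpn2{2}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c262c9b1_i c8349d47_o
  vpn2{2}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 43 minutes
  vpn2{2}:   10.200.255.2/32 === 10.0.0.16/28
  vpn1[7]: ESTABLISHED 16 minutes ago, 172.16.202.127[user@company.com]...XX.XXX.XXX.XXX[bhost-us-west-1b]
  vpn1{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c59feb1d_i c84ee785_o
  vpn1{1}:  AES_CBC_128/HMAC_SHA1_96, 788 bytes_i (8 pkts, 11s ago), 1064 bytes_o (15 pkts, 11s ago), rekeying in 45 minutes
  vpn1{1}:   10.100.255.1/32 === 10.0.0.0/28
"""

SERVER_STATUS = """\
Security Associations (1 up, 0 connecting):
  rw[4]: ESTABLISHED 15 minutes ago, 10.0.0.6[bhost-us-west-1b]...ZZ.ZZZ.ZZZ.Z[user@company.com]
  rw{4}:  INSTALLED, TUNNEL, ESP in UDP SPIs: cd9ac65c_i cb84ca73_o
  rw{4}:  AES_CBC_128/HMAC_SHA1_96, 14785 bytes_i (164 pkts, 0s ago), 14045 bytes_o (102 pkts, 301s ago), rekeying in 43 seconds
  rw{4}:   10.0.0.0/28 === 10.100.255.1/32
"""

# "conn{id}:" prefix of every CHILD_SA line; IKE_SA lines use "conn[id]:" and are skipped.
CHILD_RE = re.compile(r"^\s*(?P<conn>[^\s\[{]+)\{(?P<id>\d+)\}:\s+(?P<rest>.*)$")
MODE_RE = re.compile(r"^(?P<state>\w+), (?P<mode>\w+), (?P<encap>.*?)SPIs: "
                     r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o$")
COUNTER_RE = re.compile(r"(?P<bytes>\d+) bytes_(?P<dir>[io])"
                        r"(?: \((?P<pkts>\d+) pkts, (?P<age>\d+)s ago\))?")
TS_RE = re.compile(r"^(?P<local>\S+) === (?P<remote>\S+)$")


def parse_child_sas(text):
    """Return {"conn{id}": fields} for every CHILD_SA in a statusall dump."""
    sas = {}
    for line in text.splitlines():
        m = CHILD_RE.match(line)
        if not m:
            continue
        sa = sas.setdefault("%s{%s}" % (m.group("conn"), m.group("id")),
                            {"conn": m.group("conn")})
        rest = m.group("rest").strip()
        mm = MODE_RE.match(rest)
        if mm:                                  # INSTALLED, TUNNEL, ESP in UDP SPIs: ...
            sa.update(state=mm.group("state"), mode=mm.group("mode"),
                      encap=mm.group("encap").strip(),
                      spi_in=mm.group("spi_in"), spi_out=mm.group("spi_out"))
            continue
        counters = list(COUNTER_RE.finditer(rest))
        if counters:                            # cipher, byte/packet counters, rekey time
            sa["cipher"] = rest.split(",", 1)[0]
            for c in counters:
                d = c.group("dir")
                sa["bytes_" + d] = int(c.group("bytes"))
                sa["pkts_" + d] = int(c.group("pkts") or 0)
                # None when no packet has ever been seen in that direction
                sa["age_" + d] = None if c.group("age") is None else int(c.group("age"))
            continue
        mt = TS_RE.match(rest)
        if mt:                                  # negotiated traffic selectors
            sa["ts_local"], sa["ts_remote"] = mt.group("local"), mt.group("remote")
    return sas


def stalled(sa, fresh=30, stale=120):
    """True when one direction carried a packet within `fresh` seconds while the
    other has been silent for `stale` seconds or more. The thresholds are an
    assumption for this example; tune them to the peers' DPD/keepalive timing."""
    a_in, a_out = sa.get("age_i"), sa.get("age_o")
    if a_in is None or a_out is None:
        return False
    return (a_in <= fresh and a_out >= stale) or (a_out <= fresh and a_in >= stale)


def report(text):
    """Map each CHILD_SA in a statusall dump to a one-line verdict."""
    verdicts = {}
    for key, sa in parse_child_sas(text).items():
        if sa.get("state") != "INSTALLED":
            verdicts[key] = "not installed"
        elif sa.get("age_i") is None or sa.get("age_o") is None:
            verdicts[key] = "idle"
        elif stalled(sa):
            verdicts[key] = "one-way stall: in %ds ago, out %ds ago" % (sa["age_i"], sa["age_o"])
        else:
            verdicts[key] = "flowing"
    return verdicts
```

On the post's dumps, `report(CLIENT_STATUS)` classifies vpn2{2} as idle and vpn1{1} as flowing, and `report(SERVER_STATUS)` flags rw{4} as a one-way stall. To use it during a hang, capture `ipsec statusall` on both ends at the same moment and compare the verdicts: a stall seen only on the gateway's outbound side points at the return path, not at the client's sending side.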