[strongSwan] IPSEC SA Dropping for no apparent reason

Turnbough, Bradley E. bturnbough at belcan.com
Wed Feb 18 20:35:09 CET 2015


Noel,

Thanks for your reply.


The IPsec SAs come up once I issue the ipsec up command.  I verified this by pinging across the tunnel.

When the tunnel was working properly:
hostname.belcan.com:root:/etc/strongswan>ipsec statusall | grep -i business
business-sa-01:  a.b.c.d...e.f.g.h  IKEv1
business-sa-01:   local:  [a.b.c.d] uses pre-shared key authentication
business-sa-01:   remote: [e.f.g.h] uses pre-shared key authentication
business-sa-01:   child:  i.j.k.l/24 === m.n.o.p/28 TUNNEL
business-sa-01[80]: ESTABLISHED 2 hours ago, a.b.c.d[a.b.c.d]...e.f.g.h[e.f.g.h]
business-sa-01[80]: IKEv1 SPIs: 812888efb7c5e41b_i* 5f3e4b0553720d88_r, pre-shared key reauthentication in 37 minutes
business-sa-01[80]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
business-sa-01{42}:  INSTALLED, TUNNEL, ESP in UDP SPIs: cde9c291_i 8118f20d_o
business-sa-01{42}:  AES_CBC_128/HMAC_SHA1_96, 27384 bytes_i (326 pkts, 18s ago), 27636 bytes_o (329 pkts, 18s ago), rekeying in 6 minutes
business-sa-01{42}:   i.j.k.l/24 === m.n.o.p/28


Right after the tunnel broke:
hostname.belcan.com:root:/etc/strongswan>ipsec statusall | grep -i business
business-sa-01:  a.b.c.d...e.f.g.h  IKEv1
business-sa-01:   local:  [a.b.c.d] uses pre-shared key authentication
business-sa-01:   remote: [e.f.g.h] uses pre-shared key authentication
business-sa-01:   child:  i.j.k.l/24 === m.n.o.p/28 TUNNEL



Does this information help you?

Thanks!

Brad
________________________________________
From: users-bounces at lists.strongswan.org [users-bounces at lists.strongswan.org] on behalf of Noel Kuntze [noel at familie-kuntze.de]
Sent: Wednesday, February 18, 2015 11:11 AM
To: users at lists.strongswan.org
Subject: Re: [strongSwan] IPSEC SA Dropping for no apparent reason


Hello Bradley,

Well, I see the IKE SA come up, but not IPsec SAs.

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 18.02.2015 um 18:02 schrieb Turnbough, Bradley E.:
> We started having issues with an IPsec B2B tunnel dropping.  When I issue the 'up' command, it brings the tunnel up and provides me with the following info (sanitized for security).
>
> hostname.belcan.com:root:/root>ipsec up business-sa-01
> initiating Main Mode IKE_SA business-sa-01[80] to e.f.g.h
> generating ID_PROT request 0 [ SA V V V V ]
> sending packet: from a.b.c.d[500] to e.f.g.h[500] (184 bytes)
> received packet: from e.f.g.h[500] to a.b.c.d[500] (124 bytes)
> parsed ID_PROT response 0 [ SA V V ]
> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> received FRAGMENTATION vendor ID
> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
> sending packet: from a.b.c.d[500] to e.f.g.h[500] (244 bytes)
> received packet: from e.f.g.h[500] to a.b.c.d[500] (304 bytes)
> parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
> received Cisco Unity vendor ID
> received XAuth vendor ID
> received unknown vendor ID: 7d:ca:d5:4e:05:4a:3e:5f:17:19:85:e5:b3:6c:bc:0e
> received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
> local host is behind NAT, sending keep alives
> generating ID_PROT request 0 [ ID HASH ]
> sending packet: from a.b.c.d[4500] to e.f.g.h[4500] (68 bytes)
> received packet: from e.f.g.h[4500] to a.b.c.d[4500] (84 bytes)
> parsed ID_PROT response 0 [ ID HASH V ]
> received DPD vendor ID
> IKE_SA business-sa-01[80] established between a.b.c.d[a.b.c.d]...e.f.g.h[e.f.g.h]
> scheduling reauthentication in 10193s
> maximum IKE_SA lifetime 10733s
> generating QUICK_MODE request 2145900863 [ HASH SA No ID ID ]
> sending packet: from a.b.c.d[4500] to e.f.g.h[4500] (204 bytes)
> received packet: from e.f.g.h[4500] to a.b.c.d[4500] (164 bytes)
> parsed QUICK_MODE response 2145900863 [ HASH SA No ID ID ]
> connection 'business-sa-01' established successfully
>
>
> Can someone please tell me if there is anything in there that is a problem or looks suspicious?
>
> Thanks,
>
> Brad Turnbough
> _____________________________________________________________ This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated.
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users


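The thread turns on reading `ipsec statusall` by eye: in the working capture the connection has an IKE_SA entry (`business-sa-01[80]: ESTABLISHED ...`) and a CHILD_SA entry (`business-sa-01{42}: INSTALLED ...`), and after the break only the four configuration lines remain, so both SAs are gone, not just the CHILD_SA. The script below is an added example, not code from the thread or from the strongSwan project. It parses the two samples quoted above (embedded here as constructed strings copied from the post, with the poster's sanitized addresses), classifies each connection as up, IKE-only (the case Noel describes: IKE_SA present, no IPsec SA) or down, and pulls out the figures a monitoring check would alert on: time to rekey and reauthentication, seconds since the last packet in each direction, and any algorithm from a short weak-list of my own choosing (3DES and MODP_1024 do appear in the posted IKE proposal). The `IKE_ONLY` sample is constructed from the first seven working lines to exercise that branch; the regexes and the `WEAK_ALGS` list are assumptions about the charon status format, not anything the thread states.

```python
import re

# Constructed from the two `ipsec statusall | grep -i business` captures quoted
# in the thread (addresses already sanitized by the poster); not live output.
WORKING = """\
business-sa-01:  a.b.c.d...e.f.g.h  IKEv1
business-sa-01:   local:  [a.b.c.d] uses pre-shared key authentication
business-sa-01:   remote: [e.f.g.h] uses pre-shared key authentication
business-sa-01:   child:  i.j.k.l/24 === m.n.o.p/28 TUNNEL
business-sa-01[80]: ESTABLISHED 2 hours ago, a.b.c.d[a.b.c.d]...e.f.g.h[e.f.g.h]
business-sa-01[80]: IKEv1 SPIs: 812888efb7c5e41b_i* 5f3e4b0553720d88_r, pre-shared key reauthentication in 37 minutes
business-sa-01[80]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
business-sa-01{42}:  INSTALLED, TUNNEL, ESP in UDP SPIs: cde9c291_i 8118f20d_o
business-sa-01{42}:  AES_CBC_128/HMAC_SHA1_96, 27384 bytes_i (326 pkts, 18s ago), 27636 bytes_o (329 pkts, 18s ago), rekeying in 6 minutes
business-sa-01{42}:   i.j.k.l/24 === m.n.o.p/28
"""

BROKEN = """\
business-sa-01:  a.b.c.d...e.f.g.h  IKEv1
business-sa-01:   local:  [a.b.c.d] uses pre-shared key authentication
business-sa-01:   remote: [e.f.g.h] uses pre-shared key authentication
business-sa-01:   child:  i.j.k.l/24 === m.n.o.p/28 TUNNEL
"""

# Constructed: IKE_SA established but no CHILD_SA installed (Noel's reading).
IKE_ONLY = "\n".join(WORKING.splitlines()[:7]) + "\n"

# "<conn>:", "<conn>[<ike-id>]:" or "<conn>{<child-id>}:" followed by the rest.
LINE_RE = re.compile(r"^(?P<conn>[\w.-]+)(?:\[(?P<ike>\d+)\]|\{(?P<child>\d+)\})?:\s*(?P<rest>.*)$")
TIMER_RE = r" in (\d+) (second|minute|hour)s?"
TRAFFIC_RE = re.compile(r"bytes_i \(\d+ pkts, (\d+)s ago\).*bytes_o \(\d+ pkts, (\d+)s ago\)")
# Assumed weak-list for a B2B tunnel; substrings matched against proposal tokens.
WEAK_ALGS = ("3DES", "DES_CBC", "MD5", "MODP_768", "MODP_1024")


def parse_statusall(text):
    """Group status lines by connection, then by IKE_SA id and CHILD_SA id."""
    conns = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        c = conns.setdefault(m["conn"], {"config": [], "ike": {}, "child": {}})
        if m["ike"]:
            c["ike"].setdefault(m["ike"], []).append(m["rest"])
        elif m["child"]:
            c["child"].setdefault(m["child"], []).append(m["rest"])
        else:
            c["config"].append(m["rest"])
    return conns


def _seconds(m):
    return int(m.group(1)) * {"second": 1, "minute": 60, "hour": 3600}[m.group(2)]


def _weak(proposal):
    return [t for t in proposal.strip().split("/") if any(w in t for w in WEAK_ALGS)]


def assess(conn):
    """Classify one parsed connection and extract the values worth alerting on."""
    ike = [l for ls in conn["ike"].values() for l in ls]
    child = [l for ls in conn["child"].values() for l in ls]
    ike_up = any(l.startswith("ESTABLISHED") for l in ike)
    child_up = any(l.startswith("INSTALLED") for l in child)
    r = {"state": "up" if ike_up and child_up else "ike-only" if ike_up else "down",
         "reauth_seconds": None, "rekey_seconds": None, "weak_algs": [],
         "last_in_seconds": None, "last_out_seconds": None}
    for l in ike:
        m = re.search("reauthentication" + TIMER_RE, l)
        if m:
            r["reauth_seconds"] = _seconds(m)
        if l.startswith("IKE proposal:"):
            r["weak_algs"] += _weak(l.split(":", 1)[1])
    for l in child:
        m = re.search("rekeying" + TIMER_RE, l)
        if m:
            r["rekey_seconds"] = _seconds(m)
        m = TRAFFIC_RE.search(l)
        if m:  # stale inbound with fresh outbound means the far side stopped sending
            r["last_in_seconds"], r["last_out_seconds"] = int(m.group(1)), int(m.group(2))
        m = re.match(r"^([A-Z0-9_]+(?:/[A-Z0-9_]+)+),", l)  # ESP proposal line only
        if m:
            r["weak_algs"] += _weak(m.group(1))
    return r


if __name__ == "__main__":
    for label, text in (("working", WORKING), ("ike-only", IKE_ONLY), ("broken", BROKEN)):
        for name, conn in parse_statusall(text).items():
            print(label, name, assess(conn))
```

Run it against `ipsec statusall` output piped from cron or a monitoring agent; a transition from `up` to `down` on a connection that is configured with `auto=start` or `auto=route` is what the poster is seeing, and the `weak_algs` field surfaces the 3DES/MODP_1024 IKE proposal visible in the capture, which is worth renegotiating with the peer independently of the drop.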