[strongSwan] IPSEC SA Dropping for no apparent reason

Noel Kuntze noel at familie-kuntze.de
Wed Feb 18 20:53:11 CET 2015



Hello Bradley,

Well, the IKE SA and IPsec SAs are gone. You should make strongSwan write a log file
to see what happens. See [1] for information.
It is advised to set the following:
    default = 3
    mgr = 0
    ike = 2
    net = 2
    enc = 0
    asn = 1
    job = 1
    knl = 0

Otherwise ENC will drown you in output, as will ASN.

[1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration

Kind regards/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
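An added example, not part of Noel's message or of the strongSwan project, of how those levels sit inside strongswan.conf as a file-logger section. The log file path and the time format are this example's own choices; the section form shown (path as the section name) is the one used by strongSwan 5.x releases of this period, while 5.7.0 and later name the section freely and take the file from a `path` key instead.

```conf
# Added example, not from the thread: strongswan.conf file logger using the
# subsystem levels suggested above. Path and time_format are example choices.
charon {
    filelog {
        /var/log/charon.log {
            time_format = %b %e %T
            ike_name = yes      # prefix each line with the IKE_SA name
            append = no         # start a fresh file on each daemon start
            flush_line = yes    # no buffering, so a crash loses nothing
            default = 3
            mgr = 0
            ike = 2
            net = 2
            enc = 0
            asn = 1
            job = 1
            knl = 0
        }
    }
}
```

The daemon reads strongswan.conf at start, so restart it (ipsec restart) after adding the section. With IKE and NET at level 2 the file records the DPD, rekey, reauthentication and delete exchanges around the moment the CHILD_SA vanishes, which a later `ipsec statusall` snapshot cannot show.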

On 18.02.2015 at 20:35, Turnbough, Bradley E. wrote:
> Noel,
>
> Thanks for your reply.
>
>
> The IPSec SAs come up once I issue the ipsec up command.  I verified this by pinging across the tunnel.
>
> When the tunnel was working properly:
> hostname.belcan.com:root:/etc/strongswan>ipsec statusall | grep -i business
> business-sa-01:  a.b.c.d...e.f.g.h  IKEv1
> business-sa-01:   local:  [a.b.c.d] uses pre-shared key authentication
> business-sa-01:   remote: [e.f.g.h] uses pre-shared key authentication
> business-sa-01:   child:  i.j.k.l/24 === m.n.o.p/28 TUNNEL
> business-sa-01[80]: ESTABLISHED 2 hours ago, a.b.c.d[a.b.c.d]...e.f.g.h[e.f.g.h]
> business-sa-01[80]: IKEv1 SPIs: 812888efb7c5e41b_i* 5f3e4b0553720d88_r, pre-shared key reauthentication in 37 minutes
> business-sa-01[80]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> business-sa-01{42}:  INSTALLED, TUNNEL, ESP in UDP SPIs: cde9c291_i 8118f20d_o
> business-sa-01{42}:  AES_CBC_128/HMAC_SHA1_96, 27384 bytes_i (326 pkts, 18s ago), 27636 bytes_o (329 pkts, 18s ago), rekeying in 6 minutes
> business-sa-01{42}:   i.j.k.l/24 === m.n.o.p/28
>
>
> Right after the tunnel broke:
> hostname.belcan.com:root:/etc/strongswan>ipsec statusall | grep -i business
> business-sa-01:  a.b.c.d...e.f.g.h  IKEv1
> business-sa-01:   local:  [a.b.c.d] uses pre-shared key authentication
> business-sa-01:   remote: [e.f.g.h] uses pre-shared key authentication
> business-sa-01:   child:  i.j.k.l/24 === m.n.o.p/28 TUNNEL
>
>
>
> Does this information help you?
>
> Thanks!
>
> Brad
> ________________________________________
> From: users-bounces at lists.strongswan.org [users-bounces at lists.strongswan.org] on behalf of Noel Kuntze [noel at familie-kuntze.de]
> Sent: Wednesday, February 18, 2015 11:11 AM
> To: users at lists.strongswan.org
> Subject: Re: [strongSwan] IPSEC SA Dropping for no apparent reason
>
> Hello Bradley,
>
> Well, I see the IKE SA come up, but not IPsec SAs.
>
> Kind regards/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 18.02.2015 at 18:02, Turnbough, Bradley E. wrote:
> > We started having issues with an IPSEC B2B tunnel dropping.  When I issue the 'up' command, it brings the tunnel up, and provides me with the following info (sanitized for security).
>
> > hostname.belcan.com:root:/root>ipsec up business-sa-01
> > initiating Main Mode IKE_SA business-sa-01[80] to e.f.g.h
> > generating ID_PROT request 0 [ SA V V V V ]
> > sending packet: from a.b.c.d[500] to e.f.g.h[500] (184 bytes)
> > received packet: from e.f.g.h[500] to a.b.c.d[500] (124 bytes)
> > parsed ID_PROT response 0 [ SA V V ]
> > received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> > received FRAGMENTATION vendor ID
> > generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
> > sending packet: from a.b.c.d[500] to e.f.g.h[500] (244 bytes)
> > received packet: from e.f.g.h[500] to a.b.c.d[500] (304 bytes)
> > parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
> > received Cisco Unity vendor ID
> > received XAuth vendor ID
> > received unknown vendor ID: 7d:ca:d5:4e:05:4a:3e:5f:17:19:85:e5:b3:6c:bc:0e
> > received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
> > local host is behind NAT, sending keep alives
> > generating ID_PROT request 0 [ ID HASH ]
> > sending packet: from a.b.c.d[4500] to e.f.g.h[4500] (68 bytes)
> > received packet: from e.f.g.h[4500] to a.b.c.d[4500] (84 bytes)
> > parsed ID_PROT response 0 [ ID HASH V ]
> > received DPD vendor ID
> > IKE_SA business-sa-01[80] established between a.b.c.d[a.b.c.d]...e.f.g.h[e.f.g.h]
> > scheduling reauthentication in 10193s
> > maximum IKE_SA lifetime 10733s
> > generating QUICK_MODE request 2145900863 [ HASH SA No ID ID ]
> > sending packet: from a.b.c.d[4500] to e.f.g.h[4500] (204 bytes)
> > received packet: from e.f.g.h[4500] to a.b.c.d[4500] (164 bytes)
> > parsed QUICK_MODE response 2145900863 [ HASH SA No ID ID ]
> > connection 'business-sa-01' established successfully
>
>
> > Can someone please tell me if there is anything in there that is a problem or looks suspicious?
>
> > Thanks,
>
> > Brad Turnbough
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users
