[strongSwan] IKE exchange - strange packets

Alexey GERASIMOV avgera at mail.ru
Sun Jul 12 13:42:06 CEST 2015


Hello all! 

We use strongSwan version 4.5.2 for two IPSEC tunnels between Linux and two hardware routers (Router 1 and Router 2 hereinafter). Both tunnels work perfectly.
We tried to reinstall the configuration on another server using strongSwan 5.2.1. The first tunnel is established successfully, but the other tunnel (with the same parameters but another hardware router model) has trouble during phase 2 negotiation. Phase 1 is OK.
I used tcpdump to analyze the packet exchange during tunnel creation and found the following:
 
SS 4.5.2 <-> Router 2

12:47:29.800834 IP StrongSwan452.isakmp > Router2.isakmp: isakmp: phase 1 I ident
12:47:29.824558 IP Router2.isakmp > StrongSwan452.isakmp: isakmp: phase 1 R ident
12:47:29.824902 IP StrongSwan452.isakmp > Router2.isakmp: isakmp: phase 1 I ident
12:47:29.858313 IP Router2.isakmp > StrongSwan452.isakmp: isakmp: phase 1 R ident
12:47:29.858618 IP StrongSwan452.isakmp > Router2.isakmp: isakmp: phase 1 I ident[E]
12:47:29.894223 IP Router2.isakmp > StrongSwan452.isakmp: isakmp: phase 1 R ident[E]
12:47:29.894573 IP StrongSwan452.isakmp > Router2.isakmp: isakmp: phase 2/others I oakley-quick[E]
12:47:29.961807 IP Router2.isakmp > StrongSwan452.isakmp: isakmp: phase 2/others R oakley-quick[E]
12:47:29.988256 IP StrongSwan452.isakmp > Router2.isakmp: isakmp: phase 2/others I oakley-quick[E]
 
Well, it is the standard IKE exchange – 6 packets for phase 1 and 3 packets for phase 2, no questions. I read RFC 2409 and found that it is the expected behavior.
 
But SS 5.2.1 suddenly has another one:
 
SS 5.2.1 <-> Router 1
 
12:42:48.280898 IP StrongSwan521.isakmp > Router1.isakmp: isakmp: phase 1 I ident
12:42:48.339787 IP Router1.isakmp > StrongSwan521.isakmp: isakmp: phase 1 R ident
12:42:48.341346 IP StrongSwan521.isakmp > Router1.isakmp: isakmp: phase 1 I ident
12:42:48.401882 IP Router1.isakmp > StrongSwan521.isakmp: isakmp: phase 1 R ident
12:42:48.403264 IP StrongSwan521.isakmp > Router1.isakmp: isakmp: phase 1 I ident[E]
12:42:48.462499 IP Router1.isakmp > StrongSwan521.isakmp: isakmp: phase 1 R ident[E]
12:42:48.463006 IP StrongSwan521.isakmp > Router1.isakmp: isakmp: phase 2/others I #6[E]
12:42:48.523154 IP Router1.isakmp > StrongSwan521.isakmp: isakmp: phase 2/others R #6[E]
12:42:48.524140 IP StrongSwan521.isakmp > Router1.isakmp: isakmp: phase 2/others I oakley-quick[E]
12:42:48.585046 IP Router1.isakmp > StrongSwan521.isakmp: isakmp: phase 2/others R oakley-quick[E]
12:42:48.586575 IP StrongSwan521.isakmp > Router1.isakmp: isakmp: phase 2/others I oakley-quick[E]
 
I found two strange additional packets before the standard quick mode packets for phase 2: an initiation packet from SS and the answer packet from Router 1. I couldn't recognize them. But the tunnel is OK because Router 1 is able to answer this packet. Well, but…
 
SS 5.2.1 <-> Router 2
 
13:23:56.200783 IP StrongSwan521.isakmp > Router2.isakmp: isakmp: phase 1 I ident
13:23:56.225261 IP Router2.isakmp > StrongSwan521.isakmp: isakmp: phase 1 R ident
13:23:56.226277 IP StrongSwan521.isakmp > Router2.isakmp: isakmp: phase 1 I ident
13:23:56.259911 IP Router2.isakmp > StrongSwan521.isakmp: isakmp: phase 1 R ident
13:23:56.260966 IP StrongSwan521.isakmp > Router2.isakmp: isakmp: phase 1 I ident[E]
13:23:56.296592 IP Router2.isakmp > StrongSwan521.isakmp: isakmp: phase 1 R ident[E]
13:23:56.296970 IP StrongSwan521.isakmp > Router2.isakmp: isakmp: phase 2/others I #6[E]
13:24:00.297122 IP StrongSwan521.isakmp > Router2.isakmp: isakmp: phase 2/others I #6[E]
 
etc…
 
It looks like Router 2 couldn't recognize this packet either, not only me… It simply doesn't answer it. Well, I suppose this is the reason why phase 2 couldn't be established.
 
So, what is the sense of these packets? How can I prevent them using ipsec.conf?
 
Current version of ipsec.conf:
 
conn dtn-ovh
        # rekeymargin=3m
        # keyingtries=1
        keyexchange=ikev1
        type=tunnel
        authby=secret
        left=x.x.x.x
        leftsourceip=q.q.q.q
        leftsubnet=a.a.a.a/a
        right=y.y.y.y
        rightsubnet=c.c.c.c/c
        ike=aes192-sha-modp1024
        esp=aes192-sha-modp1024
        dpdaction=restart
        dpddelay=15s
        ikelifetime=28800s
        #pfs=yes
        auto=start

conn paris-ovh2
        # rekeymargin=3m
        # keyingtries=1
        keyexchange=ikev1
        type=tunnel
        authby=secret
        left=x.x.x.x
        leftsourceip=q.q.q.q
        leftsubnet=b.b.b.b/b
        right=z.z.z.z
        rightsubnet=b.b.b.b/b
        #rightauth=psk
        ike=aes192-sha-modp1024
        esp=aes192-sha1-modp1024
        #esp=aes128-sha1-modp2048
        dpdaction=restart
        dpddelay=15s
        ikelifetime=28800s
        #pfs=yes
        auto=start
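Added example (not from the post or from strongSwan): a small Python script that parses tcpdump isakmp summary lines like the ones above, names each exchange type, and flags a request the initiator had to retransmit without any responder message in between, which is exactly how a stalled phase 2 shows up in a capture. tcpdump prints exchange types it has no name for as "#N"; exchange type 6 is the ISAKMP Transaction exchange used by IKEv1 Mode Config / XAuth. The abbreviated host names SS and R2 in the embedded sample are assumptions.

```python
import re

# tcpdump names the exchange types it knows and prints "#N" for the rest;
# 6 is the Transaction exchange used by IKEv1 Mode Config / XAuth.
EXCHANGE_NAMES = {
    "ident": "Identity Protection (Main Mode)",
    "oakley-quick": "Quick Mode",
    "#6": "Transaction (Mode Config / XAuth)",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.isakmp > (?P<dst>\S+)\.isakmp: isakmp: "
    r"phase (?P<phase>\S+) (?P<role>[IR]) (?P<xchg>\S+?)(?P<enc>\[E\])?$")

def parse(trace):
    """Return one dict per matching isakmp line; other lines are ignored."""
    matches = (LINE_RE.match(l.strip()) for l in trace.splitlines())
    return [m.groupdict() for m in matches if m]

def analyze(trace):
    """Summarise a captured IKEv1 negotiation: exchange types seen (first-seen
    order), 'stalled' exchanges the initiator retransmitted with no responder
    message in between, and whether the 3-message Quick Mode completed."""
    pkts = parse(trace)
    seen, stalled, pending = {}, [], None
    for p in pkts:
        seen.setdefault(p["xchg"], EXCHANGE_NAMES.get(p["xchg"], "unknown"))
        if p["role"] == "I":
            if pending == p["xchg"]:
                stalled.append(p["xchg"])  # same request again, unanswered
            pending = p["xchg"]
        else:
            pending = None  # responder answered the outstanding request
    quick = sum(1 for p in pkts if p["xchg"] == "oakley-quick")
    return {"packets": len(pkts), "exchanges": seen, "stalled": stalled,
            "quick_mode_complete": quick >= 3}

# Failing trace from the post (SS 5.2.1 <-> Router 2), host names abbreviated.
FAILING = """
13:23:56.200783 IP SS.isakmp > R2.isakmp: isakmp: phase 1 I ident
13:23:56.225261 IP R2.isakmp > SS.isakmp: isakmp: phase 1 R ident
13:23:56.226277 IP SS.isakmp > R2.isakmp: isakmp: phase 1 I ident
13:23:56.259911 IP R2.isakmp > SS.isakmp: isakmp: phase 1 R ident
13:23:56.260966 IP SS.isakmp > R2.isakmp: isakmp: phase 1 I ident[E]
13:23:56.296592 IP R2.isakmp > SS.isakmp: isakmp: phase 1 R ident[E]
13:23:56.296970 IP SS.isakmp > R2.isakmp: isakmp: phase 2/others I #6[E]
13:24:00.297122 IP SS.isakmp > R2.isakmp: isakmp: phase 2/others I #6[E]
"""
```

Running `analyze(FAILING)` reports the `#6` exchange as stalled and Quick Mode as not completed, while the working Router 1 trace yields no stalled exchange.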