[strongSwan] IKE exchange - strange packets
Alexey GERASIMOV
avgera at mail.ru
Sun Jul 12 13:42:06 CEST 2015
Hello all!
We use strongSwan version 4.5.2 for two IPsec tunnels between Linux and two hardware routers (Router 1 and Router 2 hereinafter). Both tunnels work perfectly.
We tried to reinstall the configuration on another server using strongSwan 5.2.1. The first tunnel is established successfully, but the other tunnel (with the same parameters but a different hardware router model) has trouble during the phase 2 negotiation. Phase 1 is OK.
I used tcpdump to analyze the packet exchange during tunnel creation and found the following:
SS 4.5.2 <-> Router 2
12:47:29.800834 IP StrongSwan452.isakmp > Router2.isakmp: isakmp: phase 1 I ident
12:47:29.824558 IP Router2.isakmp > StrongSwan452.isakmp: isakmp: phase 1 R ident
12:47:29.824902 IP StrongSwan452.isakmp > Router2.isakmp: isakmp: phase 1 I ident
12:47:29.858313 IP Router2.isakmp > StrongSwan452.isakmp: isakmp: phase 1 R ident
12:47:29.858618 IP StrongSwan452.isakmp > Router2.isakmp: isakmp: phase 1 I ident[E]
12:47:29.894223 IP Router2.isakmp > StrongSwan452.isakmp: isakmp: phase 1 R ident[E]
12:47:29.894573 IP StrongSwan452.isakmp > Router2.isakmp: isakmp: phase 2/others I oakley-quick[E]
12:47:29.961807 IP Router2.isakmp > StrongSwan452.isakmp: isakmp: phase 2/others R oakley-quick[E]
12:47:29.988256 IP StrongSwan452.isakmp > Router2.isakmp: isakmp: phase 2/others I oakley-quick[E]
Well, it is the standard IKE exchange: 6 packets for phase 1 and 3 packets for phase 2, no questions. I read RFC 2409 and found that it is the expected behavior.
But SS 5.2.1 suddenly has a different one:
SS 5.2.1 <-> Router 1
12:42:48.280898 IP StrongSwan521.isakmp > Router1.isakmp: isakmp: phase 1 I ident
12:42:48.339787 IP Router1.isakmp > StrongSwan521.isakmp: isakmp: phase 1 R ident
12:42:48.341346 IP StrongSwan521.isakmp > Router1.isakmp: isakmp: phase 1 I ident
12:42:48.401882 IP Router1.isakmp > StrongSwan521.isakmp: isakmp: phase 1 R ident
12:42:48.403264 IP StrongSwan521.isakmp > Router1.isakmp: isakmp: phase 1 I ident[E]
12:42:48.462499 IP Router1.isakmp > StrongSwan521.isakmp: isakmp: phase 1 R ident[E]
12:42:48.463006 IP StrongSwan521.isakmp > Router1.isakmp: isakmp: phase 2/others I #6[E]
12:42:48.523154 IP Router1.isakmp > StrongSwan521.isakmp: isakmp: phase 2/others R #6[E]
12:42:48.524140 IP StrongSwan521.isakmp > Router1.isakmp: isakmp: phase 2/others I oakley-quick[E]
12:42:48.585046 IP Router1.isakmp > StrongSwan521.isakmp: isakmp: phase 2/others R oakley-quick[E]
12:42:48.586575 IP StrongSwan521.isakmp > Router1.isakmp: isakmp: phase 2/others I oakley-quick[E]
I found two strange additional packets before the standard Quick Mode packets for phase 2: an initiation packet from SS and the answer packet from Router 1. I couldn't recognize them. But the tunnel is OK because Router 1 is able to answer this packet. Well, but…
SS 5.2.1 <-> Router 2
13:23:56.200783 IP StrongSwan521.isakmp > Router2.isakmp: isakmp: phase 1 I ident
13:23:56.225261 IP Router2.isakmp > StrongSwan521.isakmp: isakmp: phase 1 R ident
13:23:56.226277 IP StrongSwan521.isakmp > Router2.isakmp: isakmp: phase 1 I ident
13:23:56.259911 IP Router2.isakmp > StrongSwan521.isakmp: isakmp: phase 1 R ident
13:23:56.260966 IP StrongSwan521.isakmp > Router2.isakmp: isakmp: phase 1 I ident[E]
13:23:56.296592 IP Router2.isakmp > StrongSwan521.isakmp: isakmp: phase 1 R ident[E]
13:23:56.296970 IP StrongSwan521.isakmp > Router2.isakmp: isakmp: phase 2/others I #6[E]
13:24:00.297122 IP StrongSwan521.isakmp > Router2.isakmp: isakmp: phase 2/others I #6[E]
etc…
It looks like Router 2 couldn't recognize this packet either, not only me… It simply doesn't answer it. Well, I suppose that is the reason why phase 2 couldn't be established.
So, what is the purpose of these packets? How can I prevent them using ipsec.conf?
Current version of ipsec.conf
conn dtn-ovh
    # rekeymargin=3m
    # keyingtries=1
    keyexchange=ikev1
    type=tunnel
    authby=secret
    left=x.x.x.x
    leftsourceip=q.q.q.q
    leftsubnet=a.a.a.a/a
    right=y.y.y.y
    rightsubnet=c.c.c.c/c
    ike=aes192-sha-modp1024
    esp=aes192-sha-modp1024
    dpdaction=restart
    dpddelay=15s
    ikelifetime=28800s
    #pfs=yes
    auto=start

conn paris-ovh2
    # rekeymargin=3m
    # keyingtries=1
    keyexchange=ikev1
    type=tunnel
    authby=secret
    left=x.x.x.x
    leftsourceip=q.q.q.q
    leftsubnet=b.b.b.b/b
    right=z.z.z.z
    rightsubnet=b.b.b.b/b
    #rightauth=psk
    ike=aes192-sha-modp1024
    esp=aes192-sha1-modp1024
    #esp=aes128-sha1-modp2048
    dpdaction=restart
    dpddelay=15s
    ikelifetime=28800s
    #pfs=yes
    auto=start
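Editor's note with an added example (not code from the post or from strongSwan): tcpdump prints ISAKMP exchange types it has no name for as "#<n>", and exchange type 6 is the Transaction exchange that ISAKMP Mode Config runs over, so the "#6[E]" packets are a Mode Config request sent under the phase 1 SA before Quick Mode. The script below parses the tcpdump summary lines quoted in the post (re-typed here as constructed sample input), counts initiator and responder messages per exchange type, and flags any request that the initiator retransmitted without a responder message in between, which is exactly what distinguishes the Router 1 capture (Mode Config answered, Quick Mode follows) from the Router 2 capture (Mode Config retransmitted, nothing follows). The EXCHANGE_NAMES table and the line format are taken from tcpdump's own output; everything else is this example's own naming.

```python
"""Classify a tcpdump ISAKMP trace and flag a request the peer never answers.

Added example, not code from the post or from strongSwan. The traces below are
the ones quoted in the post, re-typed as constructed sample input."""
import re

# tcpdump's labels for ISAKMP exchange types; types it has no name for print as
# "#<n>". Type 6 is the Transaction exchange used by ISAKMP Mode Config.
EXCHANGE_NAMES = {
    "ident": "Main Mode / Identity Protection (type 2)",
    "agg": "Aggressive Mode (type 4)",
    "inf": "Informational (type 5)",
    "#6": "Transaction / Mode Config (type 6)",
    "oakley-quick": "Quick Mode (type 32)",
}

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+)\.isakmp > (?P<dst>\S+)\.isakmp: "
    r"isakmp: phase (?P<phase>1|2/others) (?P<role>[IR]) (?P<exch>[^\s\[]+)(?P<enc>\[E\])?$")

def parse_line(line):
    """One tcpdump summary line -> dict, or None if it is not an ISAKMP line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    msg = m.groupdict()
    msg["encrypted"] = msg.pop("enc") is not None  # [E]: protected by the ISAKMP SA
    return msg

def analyze(trace):
    """Count I/R messages per exchange type and record initiator requests that were
    retransmitted with no responder message in between, i.e. never answered."""
    msgs = [m for m in map(parse_line, trace) if m]
    by_exchange = {}
    for m in msgs:
        by_exchange.setdefault(m["exch"], {"I": 0, "R": 0})[m["role"]] += 1
    stalled, pending = [], None

    def settle(req):
        if req is not None and req["retransmits"] > 0:
            stalled.append({"exchange": req["exch"], "first_seen": req["ts"],
                            "name": EXCHANGE_NAMES.get(req["exch"], "unknown"),
                            "retransmits": req["retransmits"]})

    for m in msgs:
        if m["role"] == "I":
            if pending is not None and pending["exch"] == m["exch"]:
                pending["retransmits"] += 1  # same request again: nothing came back
            else:
                settle(pending)
                pending = dict(m, retransmits=0)
        elif pending is not None and pending["exch"] == m["exch"]:
            pending = None  # the responder answered
    settle(pending)
    return {"messages": len(msgs), "by_exchange": by_exchange, "stalled": stalled}

def diagnose(result):
    """The one-line verdicts an operator wants from analyze()'s output."""
    notes = []
    if "#6" in result["by_exchange"]:
        notes.append("initiator runs an ISAKMP Mode Config (Transaction, type 6) exchange before Quick Mode")
    for s in result["stalled"]:
        notes.append("%s request at %s retransmitted %d time(s) with no reply: the peer ignores this exchange"
                     % (s["name"], s["first_seen"], s["retransmits"]))
    return notes

# Constructed sample input: the two strongSwan 5.2.1 captures from the post.
TRACE_521_ROUTER1 = """\
12:42:48.280898 IP StrongSwan521.isakmp > Router1.isakmp: isakmp: phase 1 I ident
12:42:48.339787 IP Router1.isakmp > StrongSwan521.isakmp: isakmp: phase 1 R ident
12:42:48.341346 IP StrongSwan521.isakmp > Router1.isakmp: isakmp: phase 1 I ident
12:42:48.401882 IP Router1.isakmp > StrongSwan521.isakmp: isakmp: phase 1 R ident
12:42:48.403264 IP StrongSwan521.isakmp > Router1.isakmp: isakmp: phase 1 I ident[E]
12:42:48.462499 IP Router1.isakmp > StrongSwan521.isakmp: isakmp: phase 1 R ident[E]
12:42:48.463006 IP StrongSwan521.isakmp > Router1.isakmp: isakmp: phase 2/others I #6[E]
12:42:48.523154 IP Router1.isakmp > StrongSwan521.isakmp: isakmp: phase 2/others R #6[E]
12:42:48.524140 IP StrongSwan521.isakmp > Router1.isakmp: isakmp: phase 2/others I oakley-quick[E]
12:42:48.585046 IP Router1.isakmp > StrongSwan521.isakmp: isakmp: phase 2/others R oakley-quick[E]
12:42:48.586575 IP StrongSwan521.isakmp > Router1.isakmp: isakmp: phase 2/others I oakley-quick[E]
""".splitlines()
TRACE_521_ROUTER2 = """\
13:23:56.200783 IP StrongSwan521.isakmp > Router2.isakmp: isakmp: phase 1 I ident
13:23:56.225261 IP Router2.isakmp > StrongSwan521.isakmp: isakmp: phase 1 R ident
13:23:56.226277 IP StrongSwan521.isakmp > Router2.isakmp: isakmp: phase 1 I ident
13:23:56.259911 IP Router2.isakmp > StrongSwan521.isakmp: isakmp: phase 1 R ident
13:23:56.260966 IP StrongSwan521.isakmp > Router2.isakmp: isakmp: phase 1 I ident[E]
13:23:56.296592 IP Router2.isakmp > StrongSwan521.isakmp: isakmp: phase 1 R ident[E]
13:23:56.296970 IP StrongSwan521.isakmp > Router2.isakmp: isakmp: phase 2/others I #6[E]
13:24:00.297122 IP StrongSwan521.isakmp > Router2.isakmp: isakmp: phase 2/others I #6[E]
""".splitlines()

if __name__ == "__main__":
    for name, trace in (("Router 1", TRACE_521_ROUTER1), ("Router 2", TRACE_521_ROUTER2)):
        print(name, *diagnose(analyze(trace)), sep="\n  ")
```

Feed it the summary lines tcpdump prints for UDP port 500 on the strongSwan host. Against the Router 2 capture it reports the Mode Config request retransmitted with no reply, which is the failure mode the post describes. The likely trigger, inferred from the configuration shown rather than stated in the post, is the fixed `leftsourceip=q.q.q.q`: in strongSwan 5.x charon a `leftsourceip` on an IKEv1 connection is requested from the peer through Mode Config, so a router that does not implement Mode Config drops the Transaction exchange and Quick Mode never starts. Verifying that against the strongSwan 5.x ipsec.conf documentation for `leftsourceip`, and removing the option on that connection to confirm, is the practical next step.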