[strongSwan] Problem with strongswan 5.x and Comware routers
Aleksey
unite at openmailbox.org
Fri Sep  4 10:15:56 CEST 2015

Hi guys!
I have run into an issue when using strongswan 5.2.1 and a Comware 5 
router (L2L VPN). Comware is an OS running on HP MSR routers, formerly 
H3C; if I'm not mistaken, Huawei routers also use this OS (although, as 
I understand it, HP and Huawei develop it independently now).
I've seen this behaviour in two different situations, with HP MSR 930 
and HP MSR 30-40 routers. The problem is the following: the tunnel 
initiates, everything is OK, traffic flows, and then suddenly the tunnel 
goes down. As I can see in the log files, the MSR router for some reason 
sends a "DELETE" to strongswan, which then deletes the SA:
*Jan  6 23:53:28:506 2012 msr_router IKE/7/DEBUG:
IKE_DPD: isakmp sa name : 2.2.2.2,1.1.1.1,500,,0
*Jan  6 23:53:28:507 2012 msr_router IKE/7/DEBUG:
IKE_DPD: PF_KEY notify ipsec to update dpd recv_time.
*Jan  6 23:53:28:507 2012 msr_router IKE/7/DEBUG:
IKE_DPD: release ike dpd structure
*Jan  6 23:53:28:507 2012 msr_router IKE/7/DEBUG: exchange release: freeing exchange 91bd500
*Jan  6 23:53:38:610 2012 msr_router IKE/7/DEBUG: exchange setup(I): 91bd500
*Jan  6 23:53:38:611 2012 msr_router IKE/7/DEBUG: add payload to message: HASH
*Jan  6 23:53:38:611 2012 msr_router IKE/7/DEBUG: send info message : delete isakmp sa
*Jan  6 23:53:38:611 2012 msr_router IKE/7/DEBUG: add payload to message: DELETE
Unfortunately I lost the full debug because I had to do something about 
this problem as soon as possible. The solution is to revert to 
strongswan 4.5.2 (I guess any 4.x would be fine). When using 4.5.2 it 
works like a charm - not a single disconnect.
The connection uses IKEv1; the configuration on 5.2.1 is the following:
conn CONNECTION1
         ikelifetime=8h
         keylife=1h
         type=tunnel
         authby=secret
         left=1.1.1.1
         leftsubnet=172.24.54.0/24
         right=2.2.2.2
         rightsubnet=192.168.7.0/24
         dpdaction=hold
         dpddelay=30
         dpdtimeout=150
         ike=aes128-sha1-modp1024
         esp=aes128-sha1
         keyexchange=ikev1
         auto=start
On 4.5.2:
conn CONNECTION1
         ikelifetime=8h
         keylife=1h
         type=tunnel
         authby=secret
         left=1.1.1.1
         leftsubnet=172.24.54.0/24
         right=2.2.2.2
         rightsubnet=192.168.7.0/24
         dpdaction=hold
         dpddelay=30
         dpdtimeout=150
         ike=aes128-sha1-modp1024
         esp=aes128-sha1
         pfs=no
         keyexchange=ikev1
         auto=start
The debug taken on 5.2.1 is in the attachment. I have found a workaround, 
so I practically don't need help resolving the issue, but still, I guess 
there might be some interoperability issues between 5.x and Comware 
routers.
-- 
With kind regards,
Aleksey
Name: charon_msr.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150904/5c773518/attachment-0001.txt>
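An added example, not part of the original post or of strongSwan: a small Python checker that parses Comware IKE/7/DEBUG lines like the ones quoted above, re-joins entries that a mail client wrapped, and reports every "delete isakmp sa" the router sent shortly after releasing its DPD state, together with the gap between the two events. The header layout, the constructed sample (taken from the quoted entries) and the 60-second window are assumptions based on this post.

```python
import re
from datetime import datetime

# Comware debug header: "*Jan  6 23:53:28:506 2012 msr_router IKE/7/DEBUG: <msg>".
# The message may follow on the same line or the next one, and a mail client
# may wrap it, so lines that are not headers are re-joined to the previous entry.
HEADER_RE = re.compile(
    r"^\*(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<hms>\d{2}:\d{2}:\d{2}):"
    r"(?P<ms>\d{3}) (?P<year>\d{4}) (?P<host>\S+) (?P<mod>[A-Z]+/\d/\w+):\s*(?P<msg>.*)$")

def parse_comware_log(lines):
    """Return [{'ts': datetime, 'host': str, 'msg': str}] with wrapped lines re-joined."""
    events = []
    for line in (raw.strip() for raw in lines if raw.strip()):
        m = HEADER_RE.match(line)
        if m:
            ts = datetime.strptime(f"{m['mon']} {m['day']} {m['year']} {m['hms']}.{m['ms']}",
                                   "%b %d %Y %H:%M:%S.%f")
            events.append({"ts": ts, "host": m["host"], "msg": m["msg"]})
        elif events:  # continuation of the previous entry
            events[-1]["msg"] = (events[-1]["msg"] + " " + line).strip()
    return events

def find_dpd_deletes(lines, window_s=60.0):
    """Return (dpd_release_ts, delete_ts, gap_s) for every ISAKMP SA delete the
    router sent within window_s seconds of releasing its DPD state."""
    hits, last_dpd = [], None
    for e in parse_comware_log(lines):
        if e["msg"].startswith("IKE_DPD: release ike dpd structure"):
            last_dpd = e["ts"]
        elif e["msg"].startswith("send info message : delete isakmp sa"):
            if last_dpd is not None:
                gap = (e["ts"] - last_dpd).total_seconds()
                if gap <= window_s:
                    hits.append((last_dpd, e["ts"], gap))
            last_dpd = None
    return hits

# Constructed sample: four entries quoted in the post; the last two are wrapped as received.
SAMPLE_LOG = """\
*Jan  6 23:53:28:506 2012 msr_router IKE/7/DEBUG:
IKE_DPD: isakmp sa name : 2.2.2.2,1.1.1.1,500,,0
*Jan  6 23:53:28:507 2012 msr_router IKE/7/DEBUG:
IKE_DPD: release ike dpd structure
*Jan  6 23:53:28:507 2012 msr_router IKE/7/DEBUG: exchange release:
freeing exchange 91bd500
*Jan  6 23:53:38:611 2012 msr_router IKE/7/DEBUG: send info message :
delete isakmp sa
""".splitlines()
```

Running `find_dpd_deletes(SAMPLE_LOG)` on the quoted entries yields one hit with a gap of about 10.1 seconds between the DPD release and the ISAKMP SA delete.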