[strongSwan] IPsec XAuth reauth problems

Patrick Velder lists at velder.li
Sat Apr 30 05:06:12 CEST 2016


Hi

I just set up strongSwan as XAuth client for my MikroTik RouterOS server.
If the client connects, the connection will work for 5 minutes. Then the 
connection to the remote networks drops.

According to the log, there is a reauth:

> Apr 30 03:20:24 lenovo charon: 11[NET] received packet: from 
> 185.117.xx.xx[4500] to 192.168.251.75[4500] (324 bytes)
> Apr 30 03:20:24 lenovo charon: 11[ENC] parsed ID_PROT response 0 [ KE 
> No NAT-D NAT-D ]
> Apr 30 03:20:24 lenovo charon: 11[IKE] local host is behind NAT, 
> sending keep alives
> Apr 30 03:20:24 lenovo charon: 11[ENC] generating ID_PROT request 0 [ 
> ID HASH ]
> Apr 30 03:20:24 lenovo charon: 11[NET] sending packet: from 
> 192.168.251.75[4500] to 185.117.xx.xx[4500] (124 bytes)
> Apr 30 03:20:24 lenovo charon: 12[NET] received packet: from 
> 185.117.xx.xx[4500] to 192.168.251.75[4500] (124 bytes)
> Apr 30 03:20:24 lenovo charon: 12[ENC] parsed ID_PROT response 0 [ ID 
> HASH ]
> Apr 30 03:20:24 lenovo charon: 08[NET] received packet: from 
> 185.117.xx.xx[4500] to 192.168.251.75[4500] (124 bytes)
> Apr 30 03:20:24 lenovo charon: 08[ENC] parsed TRANSACTION request 
> 2192071535 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
> Apr 30 03:20:24 lenovo charon: 08[ENC] generating TRANSACTION response 
> 2192071535 [ HASH CPRP(X_USER X_PWD) ]
> Apr 30 03:20:24 lenovo charon: 08[NET] sending packet: from 
> 192.168.251.75[4500] to 185.117.xx.xx[4500] (140 bytes)
> Apr 30 03:20:24 lenovo charon: 04[NET] received packet: from 
> 185.117.xx.xx[4500] to 192.168.251.75[4500] (124 bytes)
> Apr 30 03:20:24 lenovo charon: 04[ENC] parsed TRANSACTION request 
> 3861230316 [ HASH CPS(X_STATUS) ]
> Apr 30 03:20:24 lenovo charon: 04[IKE] XAuth authentication of 
> 'patrick' (myself) successful
> Apr 30 03:20:24 lenovo charon: 04[IKE] IKE_SA ipsec-zrh1[3] 
> established between 192.168.251.75[patrick]...185.117.xx.xx[185.117.xx.xx]
> Apr 30 03:20:24 lenovo charon: 04[IKE] scheduling reauthentication in 163s
> Apr 30 03:20:24 lenovo charon: 04[IKE] maximum IKE_SA lifetime 703s
> Apr 30 03:20:24 lenovo charon: 04[ENC] generating TRANSACTION response 
> 3861230316 [ HASH CPA(X_STATUS) ]
> Apr 30 03:20:24 lenovo charon: 04[NET] sending packet: from 
> 192.168.251.75[4500] to 185.117.xx.xx[4500] (124 bytes)
> Apr 30 03:20:24 lenovo charon: 04[ENC] generating TRANSACTION request 
> 3405112023 [ HASH CPRQ(ADDR DNS) ]
> Apr 30 03:20:24 lenovo charon: 04[NET] sending packet: from 
> 192.168.251.75[4500] to 185.117.xx.xx[4500] (124 bytes)
> Apr 30 03:20:24 lenovo charon: 09[NET] received packet: from 
> 185.117.xx.xx[4500] to 192.168.251.75[4500] (124 bytes)
> Apr 30 03:20:24 lenovo charon: 09[ENC] parsed TRANSACTION response 
> 3405112023 [ HASH CPRP(ADDR) ]
> Apr 30 03:20:24 lenovo charon: 09[IKE] installing new virtual IP 
> 10.255.4.251
> Apr 30 03:20:25 lenovo charon: 07[IKE] sending DPD request
> Apr 30 03:20:27 lenovo charon: 10[IKE] sending keep alive to 
> 185.117.xx.xx[4500]
> Apr 30 03:20:34 lenovo charon: 11[NET] received packet: from 
> 185.117.xx.xx[4500] to 192.168.251.75[4500] (140 bytes)


Also, the virtual IP has changed. The tunnel itself stays up, but 
according to setkey, the SAs / policy routes are not updated with the 
new virtual IP. I think that's the reason why the connection is not 
working anymore (the connection does not come up again).


Client:

> conn ipsec-zrh1
>     fragmentation=yes
>     mobike=no
>     keyexchange=ikev1
>     left=%defaultroute
>     leftauth=psk
>     leftauth2=xauth
>     leftid=patrick
>     leftsourceip=%config
>     xauth_identity=patrick
>     right=185.117.xx.x
>     rightsubnet=10.64.136.0/22
>     rightauth=psk
>     auto=start
>     ike=aes256-sha512-modp1024!
>     esp=aes256-sha512-modp1024!
>     ikelifetime=1200s
>     lifetime=3600s
>     dpdaction=clear
>     dpddelay=10s
>     dpdtimeout=60s
>     aggressive=no

Version: 5.1.2 on Xubuntu 14.04


Server:
>
> /ip ipsec mode-config
> add address-pool=vpn name=roadwarrior send-dns=no 
> split-include=10.64.136.0/22
> /ip ipsec policy group
> add name=roadwarrior
> /ip ipsec proposal
> set [ find default=yes ] auth-algorithms=sha512 
> enc-algorithms=aes-256-cbc lifetime=1h
> /ip ipsec policy
> add dst-address=10.64.136.0/22 group=roadwarrior 
> src-address=10.255.4.0/24 template=yes
> add dst-address=10.255.4.0/24 group=roadwarrior 
> src-address=10.64.136.0/22 template=yes
> /ip ipsec peer
> add address=0.0.0.0/0 auth-method=pre-shared-key-xauth 
> dpd-interval=10s enc-algorithm=aes-256 generate-policy=port-strict 
> hash-algorithm=sha512 lifetime=20m local-address=185.117.xx.xx 
> mode-config=roadwarrior passive=yes policy-template-group=roadwarrior 
> secret=asecret
> /ip ipsec user
> add name=patrick password=anything
> /ip pool
> add name=vpn ranges=10.255.4.2-10.255.4.254


RouterOS 6.34.4 on CCR1009-8G-1S-1S+


Any ideas what the reason is and how I can stop the IP address 
change/disconnection? :-)

Thanks and best regards
Patrick
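An added example (not code from the post or from the strongSwan project) that walks charon log lines like the ones quoted above, groups them per IKE_SA, and flags a reauthentication after which the server handed out a different virtual IP. The sample log is constructed with placeholder addresses; only the message formats are taken from the post.

```python
import re

# Constructed sample modelled on the quoted charon output: two IKE_SAs of the
# same conn, the second created by reauthentication (placeholder peer address).
SAMPLE_LOG = """\
Apr 30 03:15:21 lenovo charon: 04[IKE] IKE_SA ipsec-zrh1[2] established between 192.168.251.75[patrick]...203.0.113.10[203.0.113.10]
Apr 30 03:15:21 lenovo charon: 04[IKE] scheduling reauthentication in 163s
Apr 30 03:15:21 lenovo charon: 04[IKE] maximum IKE_SA lifetime 703s
Apr 30 03:15:21 lenovo charon: 09[IKE] installing new virtual IP 10.255.4.250
Apr 30 03:20:24 lenovo charon: 04[IKE] IKE_SA ipsec-zrh1[3] established between 192.168.251.75[patrick]...203.0.113.10[203.0.113.10]
Apr 30 03:20:24 lenovo charon: 04[IKE] scheduling reauthentication in 163s
Apr 30 03:20:24 lenovo charon: 04[IKE] maximum IKE_SA lifetime 703s
Apr 30 03:20:24 lenovo charon: 09[IKE] installing new virtual IP 10.255.4.251
"""

ESTABLISHED = re.compile(r"\[IKE\] IKE_SA (?P<conn>[^\[\s]+)\[(?P<id>\d+)\] established")
REAUTH = re.compile(r"\[IKE\] scheduling reauthentication in (?P<secs>\d+)s")
LIFETIME = re.compile(r"\[IKE\] maximum IKE_SA lifetime (?P<secs>\d+)s")
VIP = re.compile(r"\[IKE\] installing new virtual IP (?P<ip>[0-9a-fA-F.:]+)")


def parse_ike_sas(log):
    """Return one dict per IKE_SA, in the order charon established them."""
    sas = []
    for line in log.splitlines():
        m = ESTABLISHED.search(line)
        if m:
            sas.append({"conn": m["conn"], "id": int(m["id"]),
                        "reauth": None, "lifetime": None, "vip": None})
            continue
        if not sas:            # lines before the first IKE_SA are ignored
            continue
        cur = sas[-1]          # later lines belong to the newest IKE_SA
        for key, rx in (("reauth", REAUTH), ("lifetime", LIFETIME)):
            m = rx.search(line)
            if m:
                cur[key] = int(m["secs"])
        m = VIP.search(line)
        if m:
            cur["vip"] = m["ip"]
    return sas


def find_vip_changes(sas):
    """Pairs of consecutive IKE_SAs of one conn whose virtual IP differs."""
    changes = []
    for prev, cur in zip(sas, sas[1:]):
        if (prev["conn"] == cur["conn"] and prev["vip"] and cur["vip"]
                and prev["vip"] != cur["vip"]):
            changes.append((cur["conn"], prev["id"], cur["id"], prev["vip"], cur["vip"]))
    return changes


if __name__ == "__main__":
    for c in find_vip_changes(parse_ike_sas(SAMPLE_LOG)):
        print("%s: reauth [%d]->[%d] changed virtual IP %s -> %s" % c)
```

Run it over a real charon log (e.g. `journalctl -u strongswan` or syslog) to see whether every drop lines up with a virtual IP change rather than with the IKE_SA lifetime alone.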

